Third party risk management is currently an important topic for most corporate entities. Most corporate entities are carefully scrutinising their third party suppliers in order to minimise the risk exposure inherent in such relationships. This also applies to professional service providers such as law firms, accounting firms and IT firms.
As a result of the current economic climate, corporate entities are also exploring innovative ways of saving costs without compromising the quality of the services they require from third party suppliers. This simply means that a professional services provider with effective governance, controls, suitably qualified personnel and a flexible fee structure will be the most attractive to corporate entities.
This definitely creates an opportunity for small to medium professional service providers. The operating model of small to medium firms is inherently flexible and makes it possible for such firms to negotiate alternative fee arrangements with their clients. This fee model coupled with effective governance, controls and suitably qualified personnel enhances the stature of the small to medium professional services firm without necessarily increasing in size.
Most corporate entities have a Procurement of Goods and Services Policy, which requires that a formal, transparent process be followed when selecting suppliers. Suppliers are invited to bid for the provision of the required services, and in most cases an independent cross-functional sourcing team assesses the bids presented by the various suppliers against specified criteria and selects the most suitable supplier. The following generic criteria are generally used to assess and select suppliers:
- Preferential procurement (the service provider’s Black Economic Empowerment (BEE) status).
- Operational and technical capability.
- Assessment of service provider’s liquidity and solvency.
- Commercial assessment (charge out rates, pricing structures, cost benefit analysis).
- Risk and compliance management controls (information security, business continuity, compliance with laws).
Most corporate entities rigorously assess the impact of engagements with service providers on their BEE scorecard. Ownership is one of the elements that are measured on the BEE scorecard for preferential procurement.
Operational and technical capability
Professional service providers have to provide evidence of their technical and operational capability. This can be achieved by demonstrating expertise in a specific area of specialisation, together with the qualifications, experience and capacity of the resources employed to provide the services, including the personnel and the technology used to deliver them.
The firm’s track record or success rate is also an important factor in determining the firm’s competency and capability. The firm also has to demonstrate its case management capabilities, which include providing the necessary reports, updates and alerts to clients on the deliverables.
Assessment of service provider’s liquidity and solvency
This entails an assessment of the firm’s audited financial statements to verify that the firm is financially stable and that its financial position will not result in an inability to continue providing the services.
It is advisable that a firm should, at a minimum, possess the following policies to demonstrate that processes and controls are in place for the safe and fair management of information processed on behalf of the corporate entity:
- Information security policy: Internal mandatory statements that define the minimum requirements for information security, including strong password standards, data classification, data retention, storage and destruction, data loss prevention, and security standards such as patch management, application firewalls, and anti-virus and anti-malware tools.
- Access management policy: Sets out the procedures and requirements for applying for, granting, managing and revoking user access to systems, data and physical premises. This includes controls to ensure that only authorised individuals enter your premises, such as a visitor sign-in process, secure remote access procedures and encryption technology.
- Acceptable use policy: Contains explicit rules for individuals (employees and contractors) around appropriate use of the firm’s information assets, including networks, devices and good practices to secure such assets.
- Risk management framework and policy: The defined risk management framework as it pertains to people, data, financial risk and the mitigation thereof.
- Compliance policy: The defined compliance management approach or framework to deal with regulatory compliance as it pertains to the organisation. This includes operational, security and human resources compliance requirements.
- Business continuity framework/plan: A process in place to manage and test the business continuity and disaster recovery capability. This includes the availability of business continuity plans, disaster recovery plans and robust backup procedures.
- Alignment of security management with ISO 2700x, COBIT and King III.
- Incident management processes.
Compliance with relevant laws
It is important for the firm to understand the corporate entity’s legislative universe (regulations, acts of law) applicable to the entity or the industry it operates in. This will enable the firm to put measures and controls in place in its own operations to ensure that, in providing the services, the firm does not cause the corporate entity to contravene legislation or regulation applicable to it.
The firm also needs to demonstrate that it has measures and controls in place so that it will be able to provide the service to the corporate entity without any disruption resulting from factors such as key man dependencies, technology downtime and a lack of backup procedures.
The current economic climate has resulted in businesses and individuals minimising or prioritising their procurement initiatives. Corporate entities are embarking on various initiatives to save costs. Professional services will definitely be on the list of services to be procured at a minimum, as companies are beginning to scrutinise the necessity of outsourcing such services to external service providers. Innovative firms that address the business need at a reasonable cost, lower than that of existing service providers, stand to benefit from this. This will certainly give the competitive edge to small to medium firms that offer sound business solutions and have adequate risk and compliance controls and track records.
Do you need assistance with your governance and controls? First-Line Consulting provides specialist legal advisory services to law firms, IT companies, accounting firms etc. Visit http://first-lineconsulting.com/ to view their service offering or send an email to firstname.lastname@example.org to arrange a consultation.