Don't overlook third-party risk

Rapule Kgalaki, manager of governance, performance and IT audits at Dirco.

Managing risk is a daunting task. The reality is that businesses today rely on multiple applications and third-party partners, which add to the complexity of their environments.


So, what should South African companies be doing better when it comes to managing third-party risk?

Rapule Kgalaki, manager of governance, performance and IT audits at the Department of International Relations and Co-operation (Dirco), says companies should develop an enterprise-wide risk management policy, strategy and framework that will incorporate third-party risk management and other essential risk management components.

"Businesses should also develop a risk framework that clearly stipulates the organisational risk tolerance and appetite from the third-party point of view, and must create clear and concise third-party risk profiles."

Kgalaki says risk managers should also regularly assess the controls within the organisation, to ensure they are relevant.

In addition, proper mechanisms should be in place to vet third parties and the resources they bring on board. "Due care should be exercised at all times, in particular when choosing a third-party partner, and businesses should continually assess the effectiveness of the relationship with the third party throughout the contract period."

It's also important to establish clear communication channels, he adds. "And any changes during the engagement should be tabled, and minutes should be kept for audit trails and proper record management. This method of communication should be clearly stipulated in the contract and SLAs."

Next, he says businesses should formulate clear succession and skills transfer plans, so that should anything happen to a third party, the client will be able to take over either permanently, or until the next service provider is appointed.

To learn more about effective risk management, attend Kgalaki's presentation on "Outsourcing: governing and managing third-parties", at ITWeb Governance, Risk and Compliance 2019, to be held on 20 and 21 February at The Forum in Bryanston.
