Rapule Kgalaki, manager of governance, performance and IT audits at the Department of International Relations and Co-operation (Dirco), says companies should develop an enterprise-wide risk management policy, strategy and framework that will incorporate third-party risk management and other essential risk management components.
"Businesses should also develop a risk framework that clearly stipulates the organisational risk tolerance and appetite from the third-party point of view, and must create clear and concise third-party risk profiles."
Kgalaki says risk managers should also regularly assess the controls within the organisation, to ensure they are relevant.
In addition, proper mechanisms should be in place to vet third parties and the resources they bring on board. "Due care should be exercised at all times, in particular when choosing a third-party partner, and businesses should continually assess the effectiveness of the relationship with the third party throughout the contract period."
It's also important to establish clear communication channels, he adds. "And any changes during the engagement should be tabled, and minutes should be kept for audit trails and proper record management. This method of communication should be clearly stipulated in the contract and SLAs."
Next, he says businesses should formulate clear succession and skills transfer plans, so that should anything happen to a third party, the client will be able to take over, either permanently or until the next service provider is appointed.
To learn more about effective risk management, attend Kgalaki's presentation on "Outsourcing: governing and managing third-parties", at ITWeb Governance, Risk and Compliance 2019, to be held on 20 and 21 February at The Forum in Bryanston.