Five Steps to Effectively Managing Third-Party Service Provider Risk
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of different parties. Here are a few tips to help your firm properly manage third-party service provider risk:
1. Understand the breadth/depth of the relationships your firm has established. Smaller firms may only deal with a few outsourced parties, but larger, more established investment firms are likely involved with a host of service providers that are managing needs across the operations, finance, and technology departments. Before you can effectively manage these relationships, you need a comprehensive understanding of who your outsourced providers are, what services/functions they provide and what level of access they have to your firm’s data/systems. Here is a quick list of possible third parties your firm may be engaged with today:
IT infrastructure/cloud provider/managed security service
Outsourced fund administrator
Application vendors: order management, portfolio accounting, etc.
2. Calculate potential risks and vulnerabilities. We already know this is an important step on the cybersecurity front, but understanding your firm’s risks and exposures is critical regardless of the service provider benefits you’re leveraging. If the provider has access to your hedge fund’s data, systems, financials or other proprietary information, your risk is inherently high. Completing a service provider risk assessment for each third-party engagement will provide insight into the level of access each provider has and hence any potential vulnerabilities that may arise.
3. Conduct thorough due diligence before the relationship commences. The best time to conduct service provider assessments is during the initial evaluation period, but of course, for firms already operating, that time has come and gone for many of your providers. The initial vetting process is the first opportunity for your firm to ask pointed questions and understand the intricacies of the relationship you are undertaking. Firms should consider sending requests for proposals (RFPs) and assessment documentation to any third parties they are evaluating as a means of gathering as much information as possible.
4. Continue conducting proper due diligence throughout the course of the relationship. Service provider risk is not a one-time threat or possibility. As with any relationship, it should be continuously evaluated and monitored to ensure both parties are achieving their end goals and meeting expectations. General monitoring of service provider practices and performance is recommended, though frequency may vary. For example, services with higher risk levels (e.g. technology, security, etc.) may warrant more frequent evaluations or more thorough risk assessments. Due diligence questionnaires are evolving dramatically to meet firms’ needs for greater transparency regarding service providers, and many investment firms are now engaging with compliance consultants and auditing firms to conduct independent service provider evaluations and assessments. As investors become savvier and inquire about firms’ technologies, operations and strategies, so too should firms as they evaluate the abilities of their third-party providers.
5. Employ contingency plans for terminating vendor contracts. One often overlooked contributor to service provider risk is contract termination. Investment firms should be careful to thoroughly read and review contracts with third-party providers and vendors and have a clear understanding of the termination process. Risks may vary depending on the level of access the service provider has to your firm’s data. Be sure to look for any contractual loopholes and operational practices that may affect migration plans or your firm’s security standing.
Editor's Note: This article has been updated and was originally published in July 2015.