Q&A: Ensuring Compliance Among Third Parties

Emily Holbrook

May 1, 2011

As the U.S. economy continues its uphill climb to recovery, corporate boards are looking to improve their enterprise risk management framework. With executives also shifting their focus from survival to stability, enhancing corporate risk management and governance strategies should become easier. But what are the trends in this area for the remainder of 2011? For some insight, we spoke with Steve McGraw, president and CEO of Compliance 360, a software provider for governance, risk management and compliance (GRC). His predictions tell of continued ERM progress, but also warn against the rocky road ahead.

RM: Do you predict a greater focus on third party risk management in 2011?

Steve McGraw: Yes. If you think about, say, the last 20 years, more and more businesses have outsourced key components of their operations. And today, particularly with the advancement of cloud computing, people are outsourcing key business functions that house private health information and private financial info. People are outsourcing key functions where third party employees are going into your customer's homes and businesses and creating an inherent risk.

The way we see the trend is that people have done a fairly good job of selecting the third parties, but there [needs to be a] review of third parties on a more continual basis to make sure they are keeping up with standards, company requirements, and local and federal statutes.

RM: Does this third party trend pose a potential for increased risk?

McGraw: Yes, especially legal and regulatory risk such as the banking reform and other financial acts that have imposed strict audits on third parties that are outsourcing certain tasks. There's increased regulatory risk around acts, such as the HITECH Act, which deals with data breaches.

Mattel is probably the greatest, most-public example of this. They had third parties producing toys that were contaminated with lead. So third parties' involvement can clearly increase risk if not properly monitored and managed.

RM: What GRC trend do you see with regard to the board of directors and their acceptance of risk management? Do you see them revisiting ERM?

McGraw: We see this as a more dramatic pick up, a more dramatic trend line this year. The last couple of years, many boards were just thinking about survival, but now that the economy is improving, they can clearly see there is light at the end of the tunnel, and they're picking up where they left off in 2007. So, many boards are beginning to think about how the management team manages risk and they're also looking for more proof and more data from the management team that they have identified and are effectively managing risk across the enterprise. The adage we use a lot is "in God we trust, but all of us bring data."

RM: How has the regulatory scrutiny of compliance programs changed?

McGraw: The regulatory scrutiny has changed a lot in the last 12 to 18 months. For example, health care, which receives more than 50% of its revenue from the U.S. government, is basically imposing a standard that says that each health care provider not only needs to have a compliance program in place, but needs to monitor and demonstrate [its] effectiveness. So there are certain standards being rolled out right now that will force hospitals to monitor compliance.

What will happen long term is that the program will cascade to other federal agencies such as the Department of Defense, which is looking to monitor the compliance program or the risk management program -- though there is not a single standard out there by either the Federal Reserve or the [Office of the Comptroller of the Currency] yet. So we do see this on a long trend line where most organizations will be held accountable, not only for having a compliance program in place, but for providing periodic and robust self-assessments.

RM: Cloud computing and its inherent risks have become a hot topic lately. How does GRC play into this emerging technological risk?

McGraw: We think GRC is uniquely positioned to take advantage of cloud computing. The reason why is that if you are looking for an effective compliance and risk management program, there is information that is required by a wide variety of third parties.

For example, laws and regulations, and updates to laws and regulations, are provided by content providers. They want to look at certain risk standards and certain third party standards from the shared assessments of the program.

So there's a wide variety of third parties who provide content that is integral and crucial to a risk and compliance program. Software vendors provide software to help you manage the process of compliance and risk. The customer really wants to see a holistic view of risk and compliance in concert with the laws and regulations that matter. So cloud computing gives us the ability to customize the view of software functionality as well as news and regulatory content.

Ten years ago, people were really concerned about putting very sensitive information out on someone else's website. But people have moved beyond that because there is a certain set of standards that, basically, once you comply with them, [provide] some assurance to buyers that your data is protected.

So I think most companies have gotten over the idea that they cannot take private, sensitive information and house it with a third party. The times have changed in that regard.

Emily Holbrook is the founder of Red Label Writing, LLC, a writing, editing and content strategy firm catering to insurance and risk management businesses and publications, and a former editor of Risk Management.