Mitigating Potential Risk Arising From Third-Party Outsourcing

Like many organizations, insurance carriers are increasingly outsourcing core and non-core systems, business processes and data processing to third-party service providers.

The trend makes sense; such shifts can significantly increase focus on core competencies, reduce costs and improve speed-to-market. But without proper due diligence and ongoing management, such relationships can carry with them an extensive element of risk. Seventy-five percent of participants in a CFO Magazine/Crowe Horwath survey had experienced some type of harm from the action or inaction of a third party. The negative effects included financial loss, customer loss, breached data systems and increased regulatory exposure and risk.


That is a scary statistic for life insurance executives. Fortunately, through adequate planning and due diligence, it is possible to mitigate the risk of negative repercussions arising from third-party relationships.

How can carriers protect themselves from third-party risk?


The first step in mitigating third-party risk is the development of an effective, sustainable “strategic sourcing” plan. In the past, choosing outsourced vendors was akin to a traditional, reactive “purchasing” model. The carrier was focused on getting the best price and the best terms in a one-time purchase. Far more effective is a proactive procurement/strategic sourcing model, aligning preferred sources around terms and conditions that work for both parties. Such a strategy allows carriers to effectively identify potential strategic partners, rather than simply “vendors.” These partners typically provide competitive pricing, technical assistance and professional expertise, identify cost-saving opportunities, and engage in ethical business practices. Of course, true mitigation of third-party risk can only be accomplished by developing a plan that addresses all aspects of the risk management life cycle.


SSAE 16: Necessary Attestation

It is highly recommended that life insurance carriers require potential third-party partners to provide an SSAE 16 report. SSAE 16 reports provide organizations with valuable information regarding the partner’s controls (and the effectiveness of those controls), in addition to an independent assessment of whether the controls are suitably designed and operating effectively. Such reports can also save carriers significant cost; without them, additional independent auditing is necessary.


Strategic sourcing is only part of third-party risk management. A holistic risk management strategy must address all five steps in the risk management life cycle: planning, due diligence/third-party selection, contract negotiation, ongoing monitoring and termination.


  1. Planning

    During the planning phase, carriers must determine whether
    outsourcing a specific function is consistent with corporate
    policies, develop strategic sourcing procedures for partner
    selection, and assign responsibility for program activities. Audit
    and reporting requirements, risks and costs, and information
    security and compliance implications must also be addressed.

  2. Due Diligence and Third-Party Partner Selection

    The due diligence process should address fundamental questions
    about identified partners. Do they have the capabilities and
    adequate staff to support your needs? What will the partner’s role
    be in the process? Do they conduct themselves ethically and with
    transparency? Are they stable, or have they recently undergone
    significant turnover?

  3. Contract Negotiation

    Any contract should clearly specify the rights and responsibilities
    of each partner. Topics to be covered include the nature and scope
    of services, ownership and licensing, performance benchmarking,
    reporting and data governance, term, termination, audit rights, and
    disaster recovery.

  4. Ongoing Monitoring

    Once a contract is executed, it is incumbent on the carrier to monitor
    both the partner and the relationship on an ongoing basis. Critical
    vendors require full scope reviews; low-risk vendors may require only
    reduced reviews. Consider this phase a series of ongoing due diligence
    processes, covering the financial stability of the partner, performance
    against SLAs, key personnel turnover, disaster recovery, and protection
    of organization information.

  5. Termination

    Service provider contracts should include appropriate post-termination
    transition provisions, addressing issues like capabilities,
    resources, timeframes, data retention and destruction, information
    systems connections, intellectual property and reputation risks.

What partner risks should a carrier look for?

  • Strength of their financial condition and management/employee turnover.
  • Ability to provide accurate, relevant and timely systems.
  • Experience with the function outsourced.
  • Reliance on subcontractors.
  • Dependable communication, dedicated account manager.
  • Values and goals of the organization and management team.
