Like many organizations, insurance carriers are increasingly outsourcing core and non-core systems, business processes and data processing to third-party service providers.
The trend makes sense; such shifts can significantly increase focus on core competencies, reduce costs and improve speed-to-market. But without proper due diligence and ongoing management, such relationships can carry with them an extensive element of risk. Seventy-five percent of participants in a CFO Magazine/Crowe Horwath survey had experienced some type of harm from the action or inaction of a third party. The negative effects included financial loss, customer loss, breached data systems and increased regulatory exposure and risk.
That is a scary statistic for life insurance executives. Fortunately, through adequate planning and due diligence, it is possible to mitigate the risk of negative repercussions arising from third-party relationships.
How can carriers protect themselves from third-party risk?
The first step in mitigating third-party risk is the development of an effective, sustainable “strategic sourcing” plan. In the past, choosing outsourced vendors was akin to a traditional, reactive “purchasing” model. The carrier was focused on getting the best price and the best terms in a one-time purchase. Far more effective is a proactive procurement/strategic sourcing model, aligning preferred sources around terms and conditions that work for both parties. Such a strategy allows carriers to effectively identify potential strategic partners, rather than simply “vendors.” These partners typically provide competitive pricing, technical assistance and professional expertise, identify cost-saving opportunities, and engage in ethical business practices. Of course, true mitigation of third-party risk can only be accomplished by developing a plan that addresses all aspects of the risk management life cycle.
SSAE 16 Necessary Attestation
It is highly recommended that life insurance carriers require potential third-party partners to provide an SSAE 16 report. SSAE 16 reports provide organizations with valuable information regarding the partner’s controls (and the effectiveness of those controls), in addition to an independent assessment of whether the controls are suitably designed and operating effectively. Such reports can also save carriers significant cost; without them, additional independent auditing is necessary.
UNDERSTANDING THE RISK MANAGEMENT LIFE CYCLE
Strategic sourcing is only part of third-party risk management. A holistic risk management strategy must address all five steps in the risk management life cycle: planning, due diligence/third-party selection, contract negotiation, ongoing monitoring and termination.
During the planning phase, carriers must determine whether outsourcing a specific function is consistent with corporate policies, develop strategic sourcing procedures for partner selection, and assign responsibility for program activities. Audit and reporting requirements, risks and costs, and information security and compliance implications must also be addressed.
Due Diligence and Third-Party Partner Selection
The due diligence process should address fundamental questions about identified partners. Do they have the capabilities and adequate staff to support your needs? What will the partner’s role be in the process? Do they conduct themselves ethically and with transparency? Are they stable, or have they recently undergone
Any contract should clearly specify the rights and responsibilities of each partner. Topics to be covered include the nature and scope of services, ownership and licensing, performance benchmarking, reporting and data governance, term, termination, audit rights, and disaster recovery.
Once a contract is executed, it is incumbent on the carrier to monitor both the partner and the relationship on an ongoing basis. Critical vendors require full-scope reviews; low-risk vendors may require only reduced reviews. Consider this phase a series of ongoing due diligence processes, covering the financial stability of the partner, performance against SLAs, key personnel turnover, disaster recovery, and protection of organization information.
Service provider contracts should include appropriate post-termination transition provisions, addressing issues like capabilities, resources, timeframes, data retention and destruction, information systems connections, intellectual property and reputation risks.
What partner risks should a carrier look for?
- Strength of their financial condition and management/employee turnover.
- Ability to provide accurate, relevant and timely systems.
- Experience with the function outsourced.
- Reliance on subcontractors.
- Dependable communication, dedicated account manager.
- Values and goals of the organization and management team.