Your third parties are an extension of your business and as you know, are essential to your brand reputation and overall stakeholder trust. Even if a company delegates responsibility for a task or function, your organization ultimately remains accountable. Effective oversight practices are expected and assumed.
For us in the healthcare industry and specifically the data privacy world, some expectations are set by HIPAA. Rules and regulations also govern Medicare Advantage, Marketplace business, state provisions including Medicaid programs, and federal employee products. All emphasize expectations around safeguards and compliance which extend to vendors. These rules aim to protect the consumers of healthcare and usually explicitly require third party oversight programs.
Kelly Lange, VP Enterprise Compliance and Privacy Official, Blue Cross Blue Shield of Michigan and Blue Care Network
Contracts or agreements are merely the beginning of the oversight process, and there must be ongoing mechanisms for monitoring and improvement. No matter what industry, companies relying on third parties need to have corporate practices that enable insight into the effectiveness and compliance of third party work.
More and more, we see companies rely on vendors or other parties for services so they can focus on their core competencies. Although a third party’s process rigor may not be part of the “make or buy decision,” it is key for the arrangement to be successful.
So, what practices should a company contemplate to bolster their oversight programs and sustain success? The task may be daunting when considered in full, particularly if you have limited resources. Emerging risks or even your own experiences may help make the case to prioritize maturing your third party controls. For example, the importance of business continuity in the face of an uptick in ransomware episodes is one compelling, growing risk. In their report on global ransomware damage costs, Cybersecurity Ventures predicts that ransomware attacks target businesses every 11 seconds, and their frequency is increasing. Not only is your company targeted by cybercriminals, so are any strategic partners that have your data. You and your vendors must be prepared to work together to avert a crisis by investing in your third party risk management (TPRM) capabilities.
So where to begin? There may be more of an appetite for smaller, calculated improvements over time versus a large, immediate investment. As you roll up your sleeves, here are some points to consider:
- Inject Compliance Office into Due Diligence, or the “Courting Period” – Be sure your compliance office and other key internal control partners like information security, internal audit and business continuity are engaged early with new third parties. Particularly when the vendor is in a strategic role, look to review methods beyond questionnaires. Having conversations and doing some effectiveness testing can provide insight you may not otherwise obtain. Most importantly, make sure the outcomes are shared with key leaders involved in the arrangement. Use the information to trigger next-step decisions and enhance understanding of your own program to ensure that time spent understanding your vendor efficacy is worthwhile.
- Collaborate on Contracts and Supporting Process – Partner with your procurement team on contract reviews, if you aren’t already. When significant updates to contracts occur, they should be vetted across key partners or subject matter experts in your company, above and beyond the contract administrator and your legal partners. Improve clarity around the expectations of fourth and fifth parties that may enter the equation. Require transparency into those arrangements. Ongoing success measures in the statement of work should be set and revisited at minimum each year. As part of the SLA, consider whether there have been issues, how your vendor partner informed you and whether it was timely, and how they collaborated with you, during peacetime and in crisis.
- Set Clear Responsibility and Accountability – Be clear not just through contractual language, but through ongoing dialogue with the contract administrator. Encourage avenues for exchange with infosec and the compliance function outside of the contract, perhaps a virtual vendor summit with a set of emerging compliance risks and common mitigation strategies. We have implemented a vendor summit that brings our strategic partners together for a more informal exchange on key privacy, security and compliance topics, which has been extremely well-received.
- Elevate Contract Administrators as the First Line of Defense – Elevate the importance of your contract admins in the business through corporate communications and education. This is not a purely administrative role. It requires someone with strong skills for outreach, organizing, project management, tracking and driving conversations. Empower your appointed contract admins with information on how to navigate through the abundance of information. They should have a handy guide on who to reach out to for help across the company. The ultimate owner of a relationship is a critical role where knowledge is key. Executives need to understand the importance of the role and assign the right people. Consider an annual compliance training module on their responsibilities, and track areas where clarity is lacking. Further, consider internal panels or roundtables to bring employees in the contract admin role together to share practices and to discuss opportunities.
- Consider a User-Friendly Risk Playbook – Document the risk appetite and roadmap for the workforce to follow. The playbook should make it clear to the workforce what the organization’s risk appetite is and as risk rises, what the appropriate mechanisms are to manage it. It should provide examples, just as your code of conduct does, to help users navigate risk. There should be clear escalation mechanisms and specified roles in the TPRM strategy. It should answer what sorts of problems go to the Board, executives, other key risk committees, and individuals in the company.
- Inventory, Risk Assess and De-Risk – Optimize resources in your strategy. Critical components include defining who is in scope for your program, and what criteria you will use to evaluate their risk to your organization; keeping the strategy up to date by revisiting it periodically; and staying on top of what business uses are in place. Make sure there are agreed-upon criteria spanning the gamut of factors such as relationship health, support complexity, support necessity, regulatory requirements, data volume, and customer reach or impact.
- Set Expectations for Fourth Party Management – Know your fourth or even fifth parties in play. Do your vendors know what your expectations are for their own vendor management programs? My guess is that many do not. At minimum, clearly define expectations, particularly if the relationship involves data sharing. Require that third parties disclose downstream parties that impact your work. This transparency is key to any next steps your company may take.
- Automate and Leverage Workflow Tools – Use technology to assist resource optimization. Consider a Governance, Risk and Compliance application to promote information sharing among those most involved in your TPRM strategy. For example, create a hub for those who perform vendor reviews and the contract admins who keep service-level agreement (SLA) scores, which will enable ongoing third-party decision making based upon experience. All too often, companies have the information, but due to decentralized management, it can’t enable smart, calculated, risk-based decisions.
- Set Governance Standards – Establish a mechanism for setting the bar. Even if there is not a corporate appetite for a single TPRM owner, consider a cross-functional governing body that shares information on vendors, discusses ongoing risks, and acts as a policy-setting group so there are repeatable and consistent methods. Solicit feedback from your contract admins and your vendors on what is needed and why. Don’t set standards in a vacuum but seek to understand where clarity is lacking.
- Select a Security Framework, and Know the Score – Set expectations in line with your own requirements, particularly for strategic vendors. Put these requirements on the table during vendor selection and confirm the practices through due diligence. Consider information security must-haves such as workforce education on social engineering, particularly in the age of cyber threats. For smaller-scale vendors, focus on right-sizing expectations for the work that they do for you. They may have shared roles, for example, or less automated controls that still do the job. You just need to be fully aware of the maturity of your vendor when setting up arrangements and be mindful of their role so controls match the function. Check-ins on responsibilities and key safeguards involved are essential to right-size your program. Build the control outcomes into SLAs so there is accountability. Also begin data breach or crisis conversations upfront – what role would each party play? Does the vendor have a detection and response program? It’s better to know upfront than learn during a crisis event.
- Tighten Up the Vendor Off-Boarding Process – Be clear at on-boarding about what must happen when the engagement ends. Even if you have a process, there is likely opportunity to be clearer on controls at disengagement, including data controls and record retention. Ask who is storing what, for how long, if they are required to store your data ongoing, and know what safeguards are at play such as archives and encryption. If data is to be destroyed/removed from a vendor, be sure to have a protocol to verify.
- Understand and Offer Guidance on Effective Remote Work Controls – Have conversations surrounding remote work at on-boarding, and keep checking in. For example, if sensitive data is part of a third party arrangement, focus on data safeguards they have in place wherever their employees work. Make this sort of dialogue part of your checkpoints. For example, if something goes off-course with one of their offsite employees, do they have an HR discipline policy to appropriately and consistently manage issues? If off-site printing is allowed at all, be sure to ask how they manage appropriate disposal safeguards. Reinforce safeguards around workforce camera use, the need for private space to protect conversations, and locking equipment. Inquire if they have a social media policy. Understand offshore components of work and know how risk is mitigated in this space. Ask for their vendor management program and make specific inquiries into off-site vendor controls.
- Know the Continuity and Disaster Recovery Plan – Ask the right questions about continuity, and understand the back-up plans your vendors have in place. Periodically revisit the conversation, especially if the vendor’s scope of work has expanded, which can sometimes be overlooked if more than one contract admin or business unit is involved. Be sure you know all that they do for your organization so that you can be prepared. Offer contract admins access to subject matter expertise. Encourage IT and process specialists to engage in review of the continuity plan shared by the vendor. Be sure there is a back-up plan should things still go awry. The back-up plan should consider bringing work in-house, or provide for a quick on-boarding of an alternate third party that meets the business turnaround times. Be sure your continuity plan can realistically be stood up in time to meet requirements and is not just good “on paper.”
- Engage Your Third Party in Crisis Response Practice – Engage your third parties in cyber breach or other crisis management exercises. Know who would take on what role and reinforce contractual expectations. Make sure your third parties understand that time is of the essence and have an avenue to anonymously report. At minimum, this requirement should be in your contracts. If they can’t reach their business contact in your organization, provide them ways to reach your compliance office directly. Both how and what to report should be emphasized. There should be a reporting mechanism that enables notice receipt, even if the contract admin is out of the office. A general mailbox or hotline should be made available, and embed hotlines in reminders throughout the year so they stay top of mind. Give examples of situations that should be reported, emphasizing that compliance is nuanced. For example, operational issues oftentimes present themselves as purely operational, but have downstream regulatory impacts that reach customers. If a website goes down and information is required to be available on some timeframe, for example, this can present itself as a compliance issue. If access to your product or service experiences downtime, this can have compliance implications. Examples help to drive this understanding.
- Learn from Experiences – Use your governance forums for sharing lessons learned. Benchmark against yourself and make small improvements along the way. Let’s face it, mistakes happen in all aspects of life. The important part of the mistake is what you do about it. Use these experiences as your case studies to catalyze change. As the Department of Justice has published, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction. Prosecutors should therefore consider, as an indicator of risk-tailoring, ‘revisions to corporate compliance programs in light of lessons learned.’” There is not a perfect compliance program, but one must demonstrate learning and improvements in their journey.
To close, as companies increasingly rely on third parties to carry out their business and focus on core competencies, it is increasingly important to elevate third party oversight programs. One could argue that effective management strategies that elevate partnerships create a competitive advantage. The task does not need to be monumental and could start with incremental changes to existing processes. There are small-scale enhancements that can make a great difference in your overall program. Steps can be taken towards risk-based, incremental improvements over time. Best of luck on your journey.
About the Expert:
Kelly Lange is the Vice President for Compliance and is the Privacy Official for Blue Cross Blue Shield of Michigan and Blue Care Network. Lange oversees enterprise compliance office responsibilities including helping the organization sustain audit readiness for regulated products, maintaining key corporate policies such as ethics and code of conduct, facilitating annual compliance training, coordinating privacy and regulatory audits, acting as enterprise HIPAA breach response commander, and providing reports to the Blue Cross, Blue Care Network, and subsidiary compliance and audit committees. She is responsible for the vendor compliance oversight office and is also named the Civil Rights Coordinator for non-discrimination requirements under health reform.