Subcontractors (also known as "fourth parties" or "nth parties") are an important factor when it comes to vendor management. Through the vendor management process, you take steps to make sure your vendors are secure and resilient, but what about their third parties? Do your vendors hold their subcontractors to the same standard of excellence? How can you know?
The Problem with Subcontractors
When it comes to subcontractor management, there are two difficult truths that need to be recognized.
- You do not have legal arrangements with your third parties' subcontractors. Even though they might have access to your systems and data, they don't owe you anything. This makes it very difficult (and often, wholly impossible) to perform direct oversight of subcontractors.
- Your third parties should be managing their own third parties. As a vendor manager, your job is to perform effective vendor management, evaluate how your third parties are managing their own relationships, and respond accordingly.
So, where does that leave you? Well, it leaves you with three things you can do.
1. Perform Thorough Due Diligence
Before you begin a vendor relationship, you need to understand the nature of the relationship, the risks you are facing, and the ways you can mitigate those risks. This process is called "due diligence." According to the Interagency Guidance on Third-Party Relationships: Risk Management, this includes understanding the following about your third parties' subcontractors.
- Volume: How much do they subcontract?
- Nature: What types of activities do they subcontract?
- Dependence: How much do they rely on their subcontractors to provide products or services?
- Process: What does their own third-party risk management process look like?
- Geography: Where are their subcontractors located?
- Dependence: Are there any dependencies on a single subcontractor?
Subcontractor risk management can be messy. The good news is the federal banking agencies recognize that. With the messiness in mind, the agencies' due diligence recommendations are focused on things you can ask and learn from your third parties.
I know this is going to sound a little counterintuitive, but go with me here. The best part is that not ONE of these recommendations involves you directly performing due diligence on your vendors' subcontractors. Wherever you look in regulatory guidance for language about due diligence of subcontractors, the bottom line always comes down to this:
Be informed, but hold your vendors accountable for their own third parties.
One way to do that is through the contract.
2. Negotiate Favorable Contracts
Since we do not have legal agreements with our vendors' subcontractors, contracts with our vendors are even more important. According to the guidance, we need to make sure vendor contracts address things like:
- Requiring the vendor to notify you of their use or intent to use a subcontractor.
- Defining the right to audit and remediation for relevant subcontractors.
- Prohibiting the use and disclosure of business or customer information by subcontractors.
- Ensuring your vendor hasn't indemnified themselves in any subcontractor relationships.
- Ensuring your vendor can be held liable for the failures of their subcontractors.
- Defining if there are any prohibited subcontractors.
- Prohibiting subcontracting without your consent.
- Defining subcontractor performance standards.
- Assigning responsibility for managing and monitoring costs.
- Defining your right to terminate the relationship without penalty if you find out that the vendor has skirted any of the other legal requirements.
Negotiating an air-tight contract is an incredibly valuable component of subcontractor risk management.
But what options do you have if you've already signed the contract?
3. Monitor & Make Informed Decisions
There's an adage that says: The best time to plant a tree is 20 years ago. The second best time is now.
The same is true for subcontractor risk management.
The best time to manage the risk of subcontractors is before you get into a relationship with a vendor. You are more likely to get the due diligence information you want and negotiate a favorable contract when the vendor is trying to win your business.
That said, the majority of organizations are already invested in several third-party relationships which use subcontractors, whether you know it or not. So, what can you do?
- Ask good questions. Contact your vendor and ask the same questions about subcontracting that you would ask them if you were in the initial due diligence and selection process.
- Review the contract. Take a look at your agreement and see what it says about subcontracting. Knowing what you know now, would you sign that same contract today? Is there an opportunity to renegotiate to include these subcontractor considerations?
Optimistically, the hope is that you will find all your ducks are in a row.
Realistically, it might be more challenging than that. When you can't get the answers you need and the contract is set in stone, you're faced with two options. Either you continue the relationship, as-is, and accept the risk – or – you start thinking about other options.
Either way, you rely on the information you have learned through the subcontractor risk management process to make an informed decision that ultimately serves the interests of your business.
Let's keep it simple: Subcontractors are not your vendors. Your vendors are your vendors.
Trying to fit subcontractors into your vendor management program can be tedious, time-consuming, and ultimately, unfruitful. Since your organization does not have an agreement directly with the subcontractor, they do not have to provide you with any information, and in many cases, they will not.
Because of this, the vendor management process becomes an increasingly important control. When you perform thorough due diligence, negotiate favorable contracts, and use results of ongoing monitoring to make informed decisions, you set your business on a path to success.
To help you review your vendor's subcontractor due diligence processes, download our Subcontractor Due Diligence Checklist. This checklist is designed to help you assess the vendor's dependence on the subcontractor, as well as the vendor's contract management and due diligence practices. With this information, you can best understand the nature of the vendor's relationships and, by extension, your relationship to the subcontractors.
Managing subcontractors may not be your responsibility, but you might still be held accountable should the subcontractor have an incident that compromises your business or customer data. To help with this kind of incident, check out our Third-Party Incident Response Playbook.
To help you manage all your third-party relationships, including tools and templates for contract management, due diligence, and reviews, check out Tandem Vendor Management. Our web-based application has been created with vendor managers in mind and can streamline your third-party risk management processes, giving you the tools needed to effectively oversee your vendor relationships.