Understanding Third Party Service Providers and effectively managing them

Being a tech guy, I frequently come across terminologies that we use in the tech context, in a different one and it remains relevant. Now look at the term ‘Third Party Service Provider’. A SaaS service is also a third-party service (Ex. Cisco webex, Salesforce) and so is a catering company that provides meals on an airline. What is common is the service outsourced to an external vendor by a company to serve their customers better. Now an airline has no business in catering, generally speaking. So it outsources food to another company to serve to its customers. The agreement here is not between the airline and the flier but between the airline and the catering company with an objective to serve the flier!

Few years ago, I had a very fortunate experience of working for one of the reputed clients. In that role, I was seconding them. Of the many hats that I wore in that role, vendor management was the most challenging and a definite learning experience. The outsourced work was distributed among over five vendors. It was therefore paramount on how they would be managed, governed, and measured.

The unique nature of business often intrigues because it is a tricky terrain to manage multiple third-party service providers to run a business efficiently. It takes significant amount of coordination, tons of paperwork, monitoring and reporting to seamlessly manage the services. But once streamlined, third party service providers come as a boon for businesses today.

Generally there are three types of service providers-

  • Internal Service Providers (Type I )
  • Shared Service Providers (Type II)
  • External Service Providers (Type III)

It isn’t easy to choose the right service provider for your business. One needs some amount of work before signing on the dotted line. What would you typically look at?

  1. Thorough research– what is it that you want from the service provider? Is the company able to meet all your stringent standards? How have they fared with the other clients? Can they provide testimonials? Do you have anyone referring them or recommending them?
  2. Transparent agreement– enter into an agreement with the third-party service provider only when you’re comfortable with the offerings and terms and conditions. Since this company comes in between you and your customer, it needs to satisfy needs of both the parties. Be clear about your expectations and their deliverables, with all details put in into the agreement so as to avoid later confusion, misunderstanding and heartburn. It also keeps both parties clear about their roles.
  3. Establish a relationship– develop a strong relationship with the service provider. Trust, compatibility, aligning with your vision and way of working is crucial for both parties.
  4. Enhance the bandwidth of offerings– it helps in most cases to have a single service provider for a wide bandwidth of similar services. That enables both the parties to develop long term relationships as also reduces the work of dealing with multiple partners for similar offerings. Ex. If a company ‘X’ provides you cloud storage and SaaS services, you could also contact them for any
  5. Scalability is the key– as you grow, your service provider must also match your scale. It helps when both benefit from a deal. Look at how agile your service provider is to cope with your growing demands. In case not, look for someone who can keep pace or you will be left with finding new partners every few years.

Are Third Party Service Providers always a safe bet?

Well, not always, if you ask me. There are several risks associated with having them on board. In the current business scenario where several businesses are focused on niches, it becomes pertinent to stay focused on doing your core businesses and outsource everything else. Operations like accounting, payroll, recruitment, IT services and maintenance, housekeeping, etc. are completely outsourced because the promoters/management does not want to be distracted by these seemingly complicated tasks. However, managing all these third-party service providers is a full-time task in itself and in the absence of a right person who can cohesively handle the same, it will remain a bunch of disconnected threads.

In the current scenario when several companies are opting for work-from-home policies, either the company or its service provider having its employees working from home, can derail the control mechanisms associated with providing quality service. If it has an impact on the service to your customer, you lose twice.

Regulators keep a watchful eye on companies that outsource a large part of their functions to their party service providers. That adds some more work of being vigilant about the quality and service offerings. Any system failure on part of the third party affects not just the company but also its customers. And when more such companies are involved across several countries, one glitch can hugely impact global operations of several companies. When such a company is called out by regulators with Matters Requiring Attention (MRA), the reputation of the companies associated with it is also at stake.

How to mitigate risks of Third Party Service Providers

Being alert even before signing on the dotted line is the key. However, things can go wrong at any time during the course of honoring the contract. At such times, most companies observed a silo approach where teams monitor risks of a particular service provider. Ex. In case of finance companies, the whole burden is on the technology and IT service provider. In such cases, not just the service but also data security and breach issues are at stake. When it comes to manufacturing industries, there could be multiple service providers, monitoring all of whom would be a huge task. Risk mitigation involves largely incorporating checks and balances within the system in a continuous manner. Identifying, preempting, setting accountability standards and mitigating risks is the only way to ensure seamless flow of services from one company to its customers through the contribution of third party service providers.

Abiding by the COSO control framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in 1992, developed an assessment and evaluation model for internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. As per the  COSO model, internal control means “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories:

  • Operational Effectiveness and Efficiency
  • Financial Reporting Reliability
  • Applicable Laws and Regulations Compliance

For a company’s internal controls to function effectively, certain components must function seamlessly and effectively towards attaining its business objectives. These include having a watertight control system in place, exercising utmost integrity and ethical standards, a perpetual commitment towards highest competence, delegation of responsibilities and a robust monitoring system. This way, company executives are better equipped to handle any risks involving third party service providers also which come under the purview.

In a global business environment, services often involve making use of third parties who have the competence and ability towards a certain task. If that is not your core function, it is wise to outsource that task to a third company. However, since it is incorporated into your own offering to the end customer, it’s your responsibility to ensure things run smoothly. In the absence of any such controls, third party services and their glitches could literally mar your reputation and business.

Did you notice any corrections to be made on this page? Submit your feedback here. We will take the necessary action.