Hello all! I'm reaching out to this group to solicit feedback, best practices, or lessons learned related to potential risk exposure associated with ever-expanding relationships with third parties and how other organizations may address aspects of this exposure in terms of their agreements. I've provided a hypothetical example below:
The Really Great Co. (TRGC) is a third party to our organization and over time our relationship with them has expanded to include additional services. Each new service adds a new Statement of Work to the existing Master Services Agreement. The Master Services Agreement was negotiated when there was one service with TRGC, meaning that some areas such as insurance requirements, as an example, were designed in consideration of just one service. Other contractual considerations may be in areas of indemnification, limitation of liability, etc. where the agreement may not have considered future engagements.
As we consider this scenario and any potential adjustments to our process we would like to understand if any other organization has addressed similar circumstances and if so, what was done? Should areas such as insurance, indemnification, limitation of liability, etc. be revisited or renegotiated with every new SOW, when certain triggers are met (number of services, dollars spent), or only at MSA expiration or renewal? Are there situations or considerations that I may be overlooking? I appreciate any info!
We periodically add new products or services that are provided by our existing vendors. If we haven't vetted the vendor in recent months (depending on their risk level), or if there are separate documents for the new product or service, such as a separate SOC report, we will obtain the new documents and then vet the product and vendor. We run the new product/vendor through our Enterprise Change Management Committee, which is made up of members of IS, IT, Compliance, Audit, ERM, Legal and Vendor Management. We review the documentation applicable to each of us and determine if we want to move forward. If yes, resources and priority levels are assigned to get it on the project list.
I hope this helps.