Hello Darren,
Regarding intercompany ongoing monitoring, you may have an opportunity to engage the third line of defense (Audit department) and monitor any audit findings owned by the affiliated companies that have an impact on your operation. I had monitored for finding level (high, medium, did very little with lows), time to resolve, impact on my intercompany area of responsibility, associated category such as IT or Compliance, and whether findings exceeded their estimated completion dates.
Considering that getting SOC reports from affiliates, for example, was a challenge, continuous monitoring of findings by the independent third line was helpful. Also, depending on how extensive you would want to go, certain critical services provided by the affiliate may benefit from documented service level agreements, with someone assigned to monitoring SLAs/KPIs and KRIs.
Good luck
Original Message:
Sent: 05-31-2024 12:04 PM
From: Mike Esqueda
Subject: Intercompany/2nd Party/Affiliated Service Provider Monitoring Programs & Exit Planning
Hello Darren,
We will be going down a similar route starting in 2025 and would love to connect to share lessons learned!
Original Message:
Sent: 05-31-2024 11:37 AM
From: Darren Cartwright
Subject: Intercompany/2nd Party/Affiliated Service Provider Monitoring Programs & Exit Planning
Currently in the process of standing up an ongoing monitoring program & exit strategy planning for Intercompany Service Providers, covering a range of services supported globally throughout our firm (including corporate shared services like HR & Legal).
While Intercompany relationships are not viewed as any less risky than external third-party arrangements from a regulatory perspective, we have certainly seen differences in treatment and application as we have progressed through the initial lifecycle stages of onboarding, risk assessment & due diligence. We now need to stand up a program of activity in BAU - in some cases this means initiating discussions on provision of metrics/KPIs/reporting and standing up service reviews which can be challenging for non-operational service providers.
Eager to hear any experiences or insights people can share in relation to how they have approached ongoing monitoring and exit strategy planning for intercompany vs third party providers to date, thanks!