Third-Party Risk Management for Mergers, Acquisitions, and Divestitures

Recommendations for a Successful TPRM Mergers, Acquisitions, and Divestitures (MAD) Program

Before diving into the TPRM process tailored to your team’s needs, there are three universal best practices to consider. These recommendations serve as the foundation for managing and mitigating potential risks during all types of business transitions.

1. Establish Key Stakeholder Relationships

To effectively manage business transitions and anticipate changes, it’s important to maintain strong relationships with key stakeholders within your organization. Build trust and collaboration with the board of directors, senior management, and key departments such as IT Security, Legal, Procurement, Compliance, Privacy, Finance, and Supply Chain partners.

Strengthening these stakeholder relationships aligns your third-party risk management strategies with broader business objectives and informs you about impending organizational changes. This alignment and awareness facilitate swift and informed decision-making when changes occur, enhancing your ability to manage risks effectively.

2. Maintain a Holistic View of Third-Party Risk

Once you have determined the criticality of third-party services, evaluate the broader operational risks these relationships may pose to your organization:

• Financial: Assess the third party’s financial health by examining trends in revenue and expenses, solvency or bankruptcy risks, credit ratings, and liquidity levels. These factors are crucial for understanding their financial stability and reliability.
• Operations: Evaluate their operational resilience, resource management, staff turnover rates, experience with mergers and divestitures, and the capacity of their infrastructure. This helps gauge their ability to meet contractual obligations under changing conditions.
• Geopolitical/Concentration: Consider how the third party manages risks related to geopolitical issues, natural disasters, and location-specific challenges such as offshoring and concentration risks. Understanding these aspects is vital for planning risk mitigation in diverse environments.
• Cybersecurity and Data Privacy: Determine the effectiveness of their cybersecurity measures. Are they adequately protected against cyberattacks, data breaches, data loss, and ransomware? Evaluate their threat and vulnerability management practices and preparedness against emerging cyber risks.
• Environmental, Social, and Governance (ESG): Analyze how third parties handle their ESG obligations. Are their environmental policies robust? Do they adhere to social and governance standards that align with your company’s values?
• Compliance and Sanctions: Ensure the third party complies with relevant laws and regulations that may affect your business. Non-compliance could expose your organization to legal and regulatory risks.
• Reputation: Assess the public and industry perception of the third party, including any negative news coverage.

3. Build an Extended Supply Chain Inventory

Once you have a holistic view of your operational risks, thoroughly assess the status of your entire supply chain. Identifying all vendors and their dependencies upfront is essential. This proactive approach helps spot potential risks and facilitates more effective management of future business transitions.

Systematically catalog these vendors and evaluate their roles, dependencies, and potential vulnerabilities. This creates a more resilient supply chain capable of adapting to new business scenarios, ensuring your supply chain supports rather than hinders your strategic goals.

Third-Party Risk Management During M&A

With a solid foundation established, let’s explore some TPRM best practices for mergers and acquisitions. A strong onboarding and assessment process is crucial in this scenario. Key steps include:

1. Assess Third-Party Needs: Determine if your business needs another third party to provide a similar product or service. Refer to the supply chain inventories for your company and the acquired entity. Compare these inventories, and be prepared to evaluate, offboard overlapping services, and terminate contracts accordingly.
2. Contract Review: Review the acquired company’s third-party contracts to ensure their audit requirements align with those of the acquiring company. Verify that the third party meets its contractual service levels and key performance indicators (KPIs).
3. Conduct an Inherent Risk Assessment: When selecting a new third party associated with an acquired entity for onboarding, identify the baseline risks it poses to your organization. Use this information to guide the due diligence process, leveraging the criticality criteria noted in the previous section.
4. Risk Assessment Validation: Determine if the third party has an independent risk assessment or certification, such as a SOC 2 or ISO Statement of Applicability (SOA), completed in the past 12 months that they can share with your organization.
5. Due Diligence for Insufficient Assessments: Conduct further due diligence if the third party’s risk assessment does not meet your organization’s standards. This should include a detailed third-party risk assessment based on a standardized framework such as NIST or ISO.
6. Continuous Monitoring: Use continuous monitoring tools and processes to validate risk assessment responses and identify new risks that may emerge after initial assessments.
7. Review Business Unit Expansions: Evaluate any expansions of existing third-party relationships for additional risks to your organization.

Additional due diligence activities to consider during acquisitions:

• Extended Relationships: Evaluate 4th-party and Nth-party relationships to avoid security risks and unnecessary duplication that can impact profitability.
• Acquisition Integration: Develop a structured process for incorporating acquisitions into your technology infrastructure. This will reduce organizational risk and build operational resilience.
• Contract Gaps: Address security risks within contracts by including audit rights, breach notification, and third-party obligations. Extend data security requirements to subcontractors and clearly define information security expectations.
• Risk Exceptions: Problems arise when business units fail to mitigate third-party risks. At a minimum, business units should use risk exceptions that acknowledge and implement controls for risks that cannot be mitigated.

TPRM During Divestiture

If your team is managing a business divestiture, it’s important to have an established process for offboarding third-party vendors as well as internal functions or departments.

Establish a transition service agreement if functions or business units are offboarded and will continue their business relationship with your organization as a third party. Consider who will manage the process and when the acquirer can be granted access once the divestiture is completed. Review if the divested entity will have access to your infrastructure, retain sensitive information, or perform critical internal processes. Once completed, segregate the divested entity to restrict access until controls are implemented. This will help ensure that business or operations are not disrupted during offboarding.

Best Practices for Offboarding Third-Party Vendors During Divestiture

• Keep the Communication Open: Manage potential risks by communicating regularly with the vendor during offboarding. Inform vendors of the offboarding timeframe, address questions, and be transparent about what to expect.
• Deauthorize Access to Physical Buildings, Data, and IT Infrastructure: Terminate a vendor’s access to sensitive data and intellectual property. Delete their login credentials, request the return of company property, change logins, cancel access to all applications, and deny any access via APIs.
• Conduct a Final Review of the Contract: Review the contract’s clauses and provisions for termination to ensure you have the right to terminate the vendor relationship or transition it to a successor entity. Conduct a final review with legal and procurement teams to identify scope creep and ensure the vendor has fulfilled all contractual obligations.
• Pay Outstanding Invoices: Schedule final payments once you receive the final deliverables from the vendor after reviewing the contract terms and clarifying any remaining obligations from both sides.
• Assess Information Security Compliance and Data Privacy: Ensure termination procedures align with your legal obligations. Discuss all outstanding commitments with the vendor, including non-disclosure agreements, non-compete agreements, and confidentiality.
• Update Your Vendor Management Database: Document the vendor’s history with your organization, providing evidence that explains the reasons for terminating the relationship and recording the termination process. Keep records to resolve issues quickly and avoid legal risks.
• Continuously Monitor Vendors for Potential Future Risks: Risks don’t always end when offboarding tasks are done and the contract is terminated. Monitor potential risk areas for a period after offboarding to manage future risks, such as user credentials available for sale on the dark web.

TPRM for Joint Ventures

Joint ventures (JVs) pose unique challenges for managing third-party risk, especially when your organization shares ownership of what could be a temporary arrangement. In such cases, you may need to treat the business partner as a third party.

Critical Actions for Managing Risk in Joint Ventures

• Conduct Comprehensive Risk Assessments: Conduct thorough risk assessments to identify potential risks to your organization’s infrastructure and information. This foundational step is critical for identifying vulnerabilities and planning effective risk mitigation strategies.

• Control Applications and Segregation: Implement and maintain appropriate controls, ensuring clear segregation to address the specific challenges posed by the JV. As the JV evolves, evaluate whether additional measures are required to safeguard your organization’s interests.

• Collaborate on Risk Management: Consolidate all third-party expertise to ensure the joint venture’s success. Facilitate sessions to help all parties understand the identified risks, the strategies in place to manage these risks, and the methods for communicating these risks to all partners. This collaborative approach promotes transparency and mutual understanding, which are vital for effectively managing joint venture risks.

• Manage Vendors Throughout the Relationship Lifecycle: Consistently review and assess the third-party vendors that serve the JV. Regularly monitor their performance, enforce relevant contract provisions, and offboard vendors appropriately when they no longer meet the JV’s standards or their services are no longer required.

Focusing on these areas can enhance the management of third-party risks in joint ventures and contribute to the venture’s overall success. Periodically revisit each step to ensure the risk management strategies remain effective and responsive to the joint venture's evolving nature.

Next Steps

Gain more insight into managing third-party risks during business transition with our white paper, Strategic Guide to Third-Party Risk Management During M&A. Integrate TPRM into your MAD processes by downloading our onboarding and offboarding guide. Then, schedule a demo to learn how Prevalent can help you automate and accelerate your TPRM program during business transitions.