Senior finance and human resources leaders need to be fully informed about who their employee benefit plans rely on for services because many third-party vendors now delegate primary functions to other contractors. These 4th (and nth) party “subservice” vendors often escape the monitoring required of operations managers and plan committees by federal retirement and health plan laws.
“Hidden” vendors can account for a significant volume of day-to-day transactions, accessing and storing vast amounts of plan participants’ personally identifiable information (“PII”) and personal health information (“PHI”). The delegation tactics used by employee benefit plan service providers place a premium on third-party risk management (“TPRM”) as a strategy.
Senior leaders need to be confident in their employee benefit plans’ service providers.
Multiple Players Populate Many Vendors’ Servicing Models
Managing the risks related to retirement, pension, health, welfare, and payroll systems is too complex without an integrated plan incorporating people, processes, and technology. Many recordkeeping and payroll vendors have adopted siloed business models that depend on subservice relationships, a significant cause of the growing complexity of TPRM methods.
Regulators may mandate subcontractor management in some sectors, such as banking. Where subcontractor oversight is not spelled out specifically in regulations, as in the retirement plan sector, C-level executives, operations managers, and plan committees must know whether products and services will be provided directly by a third party or via a vendor’s subcontractor in order to manage risk effectively.
The Value of a TPRM Framework
A systematic approach can catch vendor irregularities and detect hazardous situations for plan fiduciaries. For instance, our TPRM system helped one of our clients discover that a critical third-party service provider was working with a subservice vendor whose data security status could not be easily determined. As a result, our client raised the vendor’s risk rating, implemented more controls, and identified a new source.
That example demonstrates the value of building a capability to see the entire vendor landscape, together with real-time data on internal and external events that could alter risk profiles, affect performance, and lead to a vendor change if not corrected.
Three principles are critical in a TPRM framework.
Identify all Employee Benefit Plan Service Providers
Create and maintain a roster of each external provider of services to your employee benefit plans that defines their roles, legal arrangements, domicile, PII and PHI access, key performance indicators (“KPI”), and incident history.
Persistently Assess Risks and Quantify their Potential Impacts
Establish requirements by service category and use a third-party management advisor to rank each vendor for risk in areas of concern.
Establish Notification Mechanisms and Track Follow-ups
Use automated notifications for all essential internal and external stakeholders when new information is available or a review is requested. Automate risk assessment updates when practical and appropriate.
Roland|Criss serves employers in multiple commercial and non-profit sectors as a risk advisor to their boards of directors and plan committees as an administrative fiduciary.
Our AI-enabled TPRM framework meets the challenges inherent in outsourced relationships found in employee benefit plan operations.