We are very fortunate as a firm to offer a diverse set of Information Assurance services to a reasonably diverse set of industries (e.g., legal, SaaS, Data Center Services, technology service providers, eDiscovery, financial services, etc.). I’m always amazed at how something we “learn” or “realize” in one service or in one industry has an analog in another.
Conflicts of Interest and TPRM
In our role as Virtual Chief Information Security Officer (vCISO) for a midsize law firm, we were looking at their approach to client onboarding. As in every law firm, this process includes extensive conflict of interest checks. A conflict of interest check is meant to ensure that a lawyer does not provide legal advice to a client whose interests overlap with the attorney’s own interests.
Sitting there, it occurred to me that conflict of interest checking is something under-considered in Third-Party Risk Management (TPRM).
Examples of conflict of interest in vendor risk management could include:
- The vendor relationship owner having a close or familiar relationship with a key vendor employee.
- The vendor relationship owner having direct or indirect ownership of financial interests in companies or other organizations that compete with or do business with the vendor (may include stock ownership).
- The vendor may be providing services to another business that is an actual or potential competitor.
- The vendor may have an interest in another company that is an actual or potential competitor.
This is an interesting area, as conflicts like the first two above are often addressed by anti-fraud measures and practices by procurement. However, the last two are not likely to be addressed by procurement and should be considered for your TPRM policy. Further, procurement policies often govern only the initial procurement, so any change in the relationship after that point is unlikely to be discovered. Because TPRM practices usually include an annual review for most of the higher-value or higher-risk vendors, it arguably makes sense to have the TPRM policy consider conflict of interest.
Does Your Vendor Risk Management Program Include Conflict of Interest Checking?
For the record, we have begun the process of integrating conflict of interest checking at that law firm. It’s definitely challenging, largely manual, and mostly self-attestation based. At this point, we have just included conflict of interest checks in the information we request from the vendor relationship owner as well as from the vendor. As an ISO 27001 certified firm, we will look to ensure continuous improvement in this area moving forward.