Federally-funded nonprofits perform important work on behalf of, and in collaboration with, the federal government. In many cases they rely on third party Contractors and Subrecipients to provide important services, software and materials to successfully carry out that work. Such reliance on third parties presents a lot of risk that needs to be properly managed.
Risk management has become a major focus throughout the federal government. In July 2016, the Office of Management and Budget (OMB) issued an updated circular requiring federal agencies to implement enterprise risk management (ERM) to ensure federal managers are effectively managing risks that could affect the achievement of agency strategic objectives. Third-party risk is referenced throughout that circular.
Unfortunately, the federal government has provided little guidance to nonprofits on what they should be doing to manage risk with third parties who are paid with federal funds. The Uniform Guidance briefly mentions risk in both sections pertaining to third parties; specifically, the procurement standards found in sections 200.317 - 200.326 and the subrecipient standards found in sections 200.330 - 200.332. However, guidance is vague at best.
Regardless of the lack of guidance from the Uniform Guidance, it’s prudent and financially responsible for any federally-funded nonprofit organization to have a formal third-party risk management program. Otherwise, your organization is assuming unknown and unmanaged risks with third parties that may not only present challenges to your ability to deliver on your contractual responsibilities, but may also lead to problems with future funding should something go horribly wrong with a third party. So it’s important to have some fundamentals in place.
Let’s take a look at two stages of the third-party management lifecycle that are critically important to managing risk: pre-contract due diligence and post-contract monitoring.
Pre-contract risk assessments and risk-based due diligence
Third parties present varying degrees of risk. Whenever you contemplate entering into an agreement with a third party, it’s important to understand the potential risks of the relationship and perform an appropriate level of due diligence. That goes for both your Contractors and your Subrecipients.
Let’s take a look at how the Uniform Guidance addresses risk and due diligence for both Contractors and Subrecipients.
Section 200.318(h) of the procurement standards states, “The non-Federal entity must award contracts only to responsible contractors possessing the ability to perform successfully under the terms and conditions of a proposed procurement. Consideration will be given to such matters as contractor integrity, compliance with public policy, record of past performance, and financial and technical resources.”
Section 200.331(b) of the subrecipient standards says that pass-through entities must “Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring…” The section also goes on to list some factors that can be used in the risk assessment process such as:
Prior experience with the same or similar subawards
Results of previous audits
Whether the subrecipient has new personnel or new or substantially changed systems; and
The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
While both sections offer some guidance regarding risk factors to look for, neither is very prescriptive. Further, there is little discussion of the type of due diligence that should be performed on third parties. Here are some examples of the types of risks you should be assessing on the front end of your third-party relationships, as well as the type of due diligence you should be performing:
Risks to Assess:
Strategic Risk - risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with your organization’s stated strategic goals.
Reputation Risk - risk arising from negative public opinion.
Operational Risk - risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Transaction Risk - risk arising from problems with service or product delivery.
Compliance Risk - risk arising when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
Information/Data Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.
Types of Due Diligence to Perform:
General Screening – Capture basic information about your third party, verify business registration and any applicable licensing requirements, check for negative news, screen for sanctions and check for potential conflicts of interest.
Corporate Health – Evaluate the general corporate health of your third party through due diligence on financials, credit, bankruptcy info and litigation.
Operations Management – Evaluate the quality systems and controls specific to any services your organization is outsourcing to the third party.
Employment Practices – Evaluate employment practices relevant to personnel who may interact with your employees, donors or members and/or have access to nonpublic information.
Fourth Parties – Evaluate your third party’s oversight practices relevant to subcontractors or downstream vendors (i.e. your “fourth parties”) who have a material role in the delivery of products or services to your organization and/or who may have access to nonpublic information.
Information Security – Evaluate your third party’s policies and procedures around information security, and any other applicable documentation (such as SOC reports or disaster recovery plans), to understand how they may store, process or otherwise access your nonpublic information.
Oftentimes, once the contract/award is signed with a third party, the ongoing monitoring of the relationship is overlooked. The Uniform Guidance addresses ongoing monitoring in both the procurement and subrecipient sections, but places more structure around the process organizations should follow with subrecipients.
Section 200.318(b) of the General Procurement Standards states, “Non-Federal entities must maintain oversight to ensure that contractors perform in accordance with the terms, conditions, and specifications of their contracts or purchase orders.”
Section 200.331(d) of the Subrecipient Monitoring and Management section states that pass-through entities must “Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward…” and that “Pass-through entity monitoring of the subrecipient must include” items such as:
Reviewing financial and performance reports
Performing audits, on-site reviews and other due diligence, and ensuring the subrecipient takes timely action on any identified deficiencies; and,
Issuing a management decision for audit findings pertaining to a Federal award.
While written in slightly different ways, the procurement standard and the subrecipient standard address the same idea: don’t lose sight of your third parties once the agreement has been signed.
Make sure to continually monitor your third parties not only for contract/subaward performance, but also for areas of risk that you could end up becoming exposed to. Things like monitoring deliverables and performing invoice reviews are always important, but it’s also important to be aware of any changes to the vendor’s policies, operations, controls or management that could expose you to unwanted risk. This is especially true for third parties you have long-term agreements with.
In keeping with the “spirit” of the Uniform Guidance (reducing fraud, waste and abuse), it makes a lot of sense for federally-funded nonprofits to have a formal approach to managing third-party risk. Risk management shouldn’t be a compliance issue – it’s a risk issue. Just because the UG doesn’t directly address third-party risk doesn’t mean that nonprofits should gloss over it.