While the COVID pandemic has forced us to maintain physical distance as individuals, our reliance on working together as organizations, and on the networks that support them, has only increased. Organizations in every sector recognize the need to extend this network by contracting with third-party providers and vendors to access expertise and reduce costs. From facilities management to legal representation and from physical security to tech support, third parties touch every part of an organization, providing operational flexibility and allowing firms to procure capabilities, specialized skills, and expert knowledge more quickly and cost-effectively than developing them in-house.
Although entrusting the fulfillment of services and processes to third parties is an essential part of doing business, these relationships can create costly vulnerabilities. According to Willis Towers Watson, suppliers who store client or employee data are responsible for 38% of data breach losses. According to Deloitte’s Third-Party Risk Management Global Survey Report 2020, 84% of more than 1,100 global CFOs said their organization had experienced a third-party incident over the prior three years. Although most of those incidents had limited impact, over 50% of those respondents believe the potential financial cost of a major third-party incident could range from $25 million to $1 billion.
Entrusting outside firms with key aspects of your business comes at a potentially high cost. A third-party failure, breach, or inability to act can result in direct monetary losses for your company and can also affect operational resilience and reputation. Given these critical dependencies, balancing the commercial benefits of working with third parties against the risks they introduce requires a consistent approach, one that ensures the value each third party adds outweighs the risk it brings. Below we outline six steps to establish a holistic approach to third-party risk management.
Six Steps for Effective Third-Party Risk Management
- Establish Ownership – Balancing the critical role of third parties in supporting operations and business continuity while protecting your company from outsized risk requires a strong governance framework. This starts with assigning clear ownership of third-party risk management. Begin with the Board and senior executive level, and filter down through the organization based on function and geography.
A top-down approach will ensure that third-party contracts align with the company’s broader strategy and enterprise risk management practices, bringing a consistent approach to risk policy, standards, and measurement throughout the organization.
- Design a Risk Framework – A consistent, company-wide methodology for assessing, quantifying, and measuring risk is key to effective enterprise risk management. A risk scoring methodology, a shared risk vocabulary, and a consistent approach to risk management will ensure that internal stakeholders align on risk appetite and make consistent decisions about potential third parties.
- Implement a Selection Process – Standardize workflows for onboarding and financial and operational due diligence. This assessment should include an analysis of third-party capabilities, operations, data management, and security practices in order to identify and mitigate vulnerabilities. Misaligned security or technology standards between an organization and a third party should be proactively addressed.
Assigning responsibility for onboarding to a cross-functional team including members from business units, operations, IT, and GRC will ensure that vulnerabilities are adequately identified and decision-making is aligned.
- Aggregate Data – Given the multitude of operations being outsourced to third parties and vendors, maintaining a comprehensive inventory of these relationships is critical to protecting your firm from third-party risk. The inventory should cover the full ecosystem: every supplier, vendor, and outsourcing partner, as well as each third party’s own sub-contractors, that could affect your operational capabilities. Record each of them in a single database alongside their risk profiles, assessments, and history of interactions.
- Establish Controls – A control framework can proactively identify areas of concern, risk incidents, steps for escalation, and remediation status. Effective controls will also log access by third parties to critical company data, intellectual property, or processes.
- Monitor Continuously – Organizations typically devote far more resources to onboarding than to ongoing monitoring. This creates blind spots and unanticipated exposure when a third party undergoes a material change or its performance declines. A segmented approach, with monitoring requirements that vary by each vendor’s risk exposure or criticality, allows for more efficient allocation of resources and management attention.
Balancing the commercial benefits and opportunity that come from working with third parties against the risks they introduce requires a consistent framework and tools for risk management. A GRC platform is a powerful enabler for logging third-party engagements, facilitating workflows company-wide, tracking relationships, and supporting dynamic risk measurement and management.