- Aravo for
- Aravo Ecosystem
- About Us
- Request Demo
Our latest industry benchmarking research found that only 52% of third-party risk programs are factoring in operational risk as they assess their third parties. As third parties, particularly those that are critical to business operations, can be a source of operational risk, there is clearly an opportunity for improvement here in programs.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
Many organizations have shifted a significant part of their operations to outsourcing. This means third-party relationships can expose an organization to increased operational risks because they so often support the processes, people, and systems within that organization. Suppliers with a high probability of an operational risk occurring can also impact the revenues of organizations that rely on their products.
This makes it important to ensure that you are evaluating the operational risks associated with your third-party and supplier base – particularly those that are critical to your business operations.
The regulators have recognized this:
“Third–party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party. Operational risk can increase significantly when third–party relationships result in concentrations.”
OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance
The definition of operational risk is pretty broad, but drill down a bit more and there is a huge variety of specific operational risks. The type of risks attached to operational risk can include:
You’ll note that the OCC also calls out concentrations (concentration risk) that can exacerbate operational risk. Just to further complicate matters, there can also be different types of concentration risk too:
Critical services concentrations. This occurs when you rely on too few suppliers for critical parts of your business operations. If they fail, there will be serious consequences on your ability to operate and no alternative suppliers able to pick up the slack.
Industry concentrations. There can be an industry concentration risk associated with many organizations in an industry relying on a single sub-contractor.
Geographic concentrations. This can occur if too many critical suppliers are located in a specific geography (especially those more natural disaster-prone regions).
And finally – you may be the risk – in reverse concentration risk which is when your organization represents too large a proportion of your supplier’s business.
Operational risks are generally within the control of the organization through risk assessments, due diligence and good risk management practices, including internal control and insurance.
When considering third parties:
Download our White Paper: Third Party Risk: A Unique Kind of Operational Risk
 Mind the Gap – Where Third-party Risk Management Programs Fall Short. Results of the 2020 TPRM Benchmarking Survey