Our latest industry benchmarking research found that only 52% of third-party risk programs are factoring in operational risk as they assess their third parties[1]. As third parties, particularly those that are critical to business operations, can be a source of operational risk, there is clearly an opportunity for improvement here in programs.
What is Operational Risk?
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
How does Operational Risk Intersect with Third Party Risk?
Many organizations have shifted a significant part of their operations to outsourcing. This means third-party relationships can expose an organization to increased operational risks because they so often support the processes, people, and systems within that organization. Suppliers with a high probability of an operational risk occurring can also impact the revenues of organizations that rely on their products.
This makes it important to ensure that you are evaluating the operational risks associated with your third-party and supplier base – particularly those that are critical to your business operations.
The regulators have recognized this:
“Third–party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party. Operational risk can increase significantly when third–party relationships result in concentrations.” OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance
The definition of operational risk is pretty broad, but drill down a bit more and there is a huge variety of specific operational risks. The types of risk that fall under operational risk can include:
Business interruption (e.g. your retail POS system goes down and you are unable to transact)
Human error (e.g. your outsourced billing specialists mis-key data, leading to revenue losses)
Product failure (e.g. a critical component in your product that is supplied by a third party has a serious design flaw that leads to the recall of your product)
Health and safety (e.g. your contracted janitorial services fail to follow correct COVID protocols and staff are exposed to the virus)
IT system failure (e.g. your server, hosted by a third-party provider, goes down and you are unable to conduct e-commerce transactions)
Fraud (e.g. your frozen meats supplier provides horsemeat labeled as beef)
Loss of suppliers (e.g. three of your critical shipping suppliers go out of business due to an economic downturn, and you are unable to deliver your product to market)
Risks arising from catastrophic events such as earthquakes, extreme weather events or pandemics (e.g. an earthquake, followed by a tsunami, means your suppliers in Japan are unable to produce vital electronic components for your product).
Operational risk and concentration risk
You’ll note that the OCC also calls out concentrations (concentration risk) that can exacerbate operational risk. To further complicate matters, there are several different types of concentration risk:
Critical services concentrations. This occurs when you rely on too few suppliers for critical parts of your business operations. If they fail, there will be serious consequences for your ability to operate and no alternative suppliers able to pick up the slack.
Industry concentrations. There can be an industry concentration risk associated with many organizations in an industry relying on a single sub-contractor.
Geographic concentrations. This can occur if too many critical suppliers are located in a specific geography (especially those more natural disaster-prone regions).
And finally, you may be the risk: reverse concentration risk occurs when your organization represents too large a proportion of your supplier’s business.
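As an added example (not code from the original post), the following Python screens a constructed supplier inventory for three of the concentration types above: critical services, geographic, and reverse concentration. The inventory, field names and thresholds are assumptions; industry concentration is omitted because it needs data about other organizations in your industry, which a single inventory does not hold.

```python
# Added example: screening a constructed supplier inventory for the
# concentration-risk types described above. All thresholds are assumed policy values.
from collections import defaultdict

# Constructed sample inventory; names, fields and values are illustrative only.
SUPPLIERS = [
    {"name": "AcmeHost",  "service": "web hosting", "critical": True,  "region": "JP", "our_share_of_their_revenue": 0.10},
    {"name": "ShipFast",  "service": "shipping",    "critical": True,  "region": "JP", "our_share_of_their_revenue": 0.55},
    {"name": "ShipQuick", "service": "shipping",    "critical": True,  "region": "US", "our_share_of_their_revenue": 0.05},
    {"name": "CleanCo",   "service": "janitorial",  "critical": False, "region": "US", "our_share_of_their_revenue": 0.02},
]

MIN_SUPPLIERS_PER_CRITICAL_SERVICE = 2  # assumed: every critical service needs a fallback supplier
MAX_CRITICAL_SHARE_PER_REGION = 0.5     # assumed: flag a region holding >50% of critical suppliers
MAX_REVERSE_CONCENTRATION = 0.40        # assumed: flag suppliers where we are >40% of their revenue


def find_concentrations(suppliers):
    """Return (type, subject, supplier names) tuples for each concentration found."""
    findings = []
    critical = [s for s in suppliers if s["critical"]]

    # Critical services concentration: too few suppliers behind one critical service.
    by_service = defaultdict(list)
    for s in critical:
        by_service[s["service"]].append(s["name"])
    for service, names in sorted(by_service.items()):
        if len(names) < MIN_SUPPLIERS_PER_CRITICAL_SERVICE:
            findings.append(("critical_service", service, names))

    # Geographic concentration: too large a share of critical suppliers in one region.
    by_region = defaultdict(list)
    for s in critical:
        by_region[s["region"]].append(s["name"])
    for region, names in sorted(by_region.items()):
        if critical and len(names) / len(critical) > MAX_CRITICAL_SHARE_PER_REGION:
            findings.append(("geographic", region, names))

    # Reverse concentration: our organization is too large a share of the supplier's business.
    for s in suppliers:
        if s["our_share_of_their_revenue"] > MAX_REVERSE_CONCENTRATION:
            findings.append(("reverse", s["name"], [s["name"]]))
    return findings


if __name__ == "__main__":
    for kind, subject, names in find_concentrations(SUPPLIERS):
        print(f"{kind}: {subject} -> {', '.join(names)}")
```

Each finding maps back to one of the questions in the best-practices list below (is a critical service covered by a single provider, are critical suppliers clustered in one region, and for which suppliers are you the risk).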
Best practices for mitigating the operational risks your third parties may expose you to
Operational risks are generally within the control of the organization through risk assessments, due diligence and good risk management practices, including internal control and insurance.
When considering third parties:
Understand what their strategic alignment to the business is. Why is the third party or supplier necessary to the business? How necessary to the business are they? Do you already have an existing third-party relationship that provides the same products or services?
Understand their criticality. Are they critical? What would happen to your operations if they failed? Are there other third parties in your portfolio that you could leverage if they failed?
Conduct risk assessments on these third parties. Understand what types of operational risks (and other risks) and the levels of risk they bring to your business.
Ensure you do due diligence. Especially on those third parties critical to your operations. Ensure they have the right internal controls in place, as you would have in your own operations.
Watch out for concentrations. Ensure you have a 360-degree view of all your third parties. Are you over-reliant on a single provider for critical operations? What would you do if they failed?
Continuously monitor your third-party relationships. Your relationship and their risk profile change over time.