Third-party Risk Management: 101

August 19th, 2020

Most organizations today rely on third parties for improved profitability, competitive advantage, faster time to market, and decreased costs.

Third parties can include not only your traditional suppliers, but also vendors, distributors, resellers, agents, partners, affiliates, contractors, managed service providers, brokers, and even intra-company groups.

What is third-party risk management?

Third-party risk management is a process that allows management to identify, evaluate, monitor and manage the risks associated with an organization’s third-parties and their contracts.

What kinds of third-party risks are there?

With increased strategic and operational reliance on third-parties comes increased risk which must be identified, understood and managed. This can be a complex exercise as an organization may have many thousands of third-parties, and there are many risks that a third-party can present, including:

Reputational Risk: A risk of loss resulting from damages to an organization’s reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value.
Geopolitical Risk: A risk of loss associated with a third-party’s ability to meet contractual arrangements due to political, socioeconomic and cultural factors (events, trends, developments) of a specific country or region.
Financial Risk: The risk of loss should a third-party be unable to meet the terms of the contractual arrangements or to otherwise financially perform as agreed.
Regulatory & Compliance Risk: The risk of exposure to legal penalties, financial sanctions and material loss an organization faces when it (or its third-party) fails to act in accordance with industry laws and regulations, internal policies or standards.
Cyber/Information Security Risk: The risk of financial loss, disruption, or reputational damage from a failure of information technology systems.
Concentration Risk: The risk of loss due to lack of diversification. This includes over-reliance on a single vendor as well as geographical concentration of third-parties and their subcontractors in a single place.
Strategic Risk: The risk of loss arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the organization’s strategic goals.
Business Continuity and Resiliency Risk: The risk of loss arising from a third-party’s ability (or lack thereof) to overcome serious incidents or disasters and resume its normal operations within a reasonably short period.
Operational Risk: The risk of loss arising from inadequate or failed procedures, systems or policies, or from any event that disrupts business processes.
4th Party Risk: It’s not just third-parties that bring risk – it extends to their third-parties and beyond. This is the risk assumed when third-parties use sub-contractors to manage part of their service or product.
Data Privacy Risk: The risk of financial loss, disruption, or reputational damage from a failure to protect personal information.
Bribery and Corruption Risk: The risk of offering, paying or receiving a bribe through an officer, employee, subsidiary, intermediary or any third-party acting on the commercial organization’s behalf.

A dozen best practices for managing third-party risk

1. Get the foundations right. It’s important that you build on solid foundations. Third-party risk management is so much more than reactively sending a questionnaire or risk assessment to tick off a box because you want to bring on a new supplier. You need to ensure you have invested time and thought into ensuring your third-party risk management policies, procedures and governance framework are well defined, documented and embedded.

2. Define roles and responsibilities. Have clear roles and responsibilities defined within your program. You will want to ensure that you have the right stakeholders across the business involved – typically you would expect roles across procurement, third party/supplier/vendor risk, compliance, IT/IS, legal as well as relationship managers to be involved. There should be sponsorship and oversight from senior executives.

3. Contracting. Contracting is an important part of risk control, and the provisions in a contract should address the risks associated with a vendor, depending on the products and services that they are providing. More contracts are, for instance, including a right to audit, and requirements for more transparency about sub-contractors.

4. Remove business silos. Don’t tackle third-party risk in silos; take a federated approach across the business. For instance, view IT vendor risk within the purview of the larger third-party risk management program, rather than as a separate siloed program.

5. Take a holistic approach. In the same vein, take a holistic view of the risk associated with your third-parties. A single vendor can expose you to multiple risk types – ABAC, information security and so on. There can be multiple engagements with a single vendor, each of which has different types and levels of risk. You want a 360-degree view of risk that allows you to drill into the details.

6. Maintain a single inventory. One of the biggest challenges should be the simplest. Having one inventory of all your third parties – a golden source of truth – is important, and streamlines the management of your program.

7. Take a life-cycle management approach. Third party risk management is not a one-and-done exercise. After all, risk and business conditions change and evolve all the time. This means that risk must be monitored and managed throughout the life of the vendor relationship. This is something that the regulators are very focused on; multiple regulators have referenced this expectation, including the DOJ, SEC and FCA. The problem is that many companies apply most of their focus to the onboarding stage of the relationship and neglect ongoing monitoring. When considering lifecycle management, you need to ensure vendor selection, intake and scoping, risk assessments, due diligence, onboarding, issue management and remediation, ongoing monitoring, and termination and offboarding are all factored in.

8. Take a risk-based approach. Risk is multi-dimensional. When it comes to third parties you need to understand what risks they expose your organization to (e.g. information security, ABAC, etc.), the level of risk that they bring (e.g. low, medium, high) and also just how critical their goods and/or services are to your business.

9. Ensure your programs are adequately resourced and empowered. The regulators expect this – you should ensure that your program has resources commensurate with the volume and riskiness of your third-party universe.

10. Assess and understand your program maturity. Evaluating the maturity of your program is important. By understanding the maturity of your program, and areas of strengths and weaknesses, you can define your roadmap for improvements. It helps you understand what to prioritize and focus on and where to invest. Calculate your maturity here.

11. Leverage TPRM intelligence data. Data from external risk intelligence providers such as Refinitiv, SecurityScorecard, BitSight, RapidRatings, DisasterAWARE and others now forms an important part of monitoring risks across your third parties. Automated data feeds can enable organizations to recognize risk sooner and respond with increased operational resilience.

12. Leverage automation. Today, the volume of third parties that most organizations work with, coupled with the dynamic nature of risk, means that trying to manage third party risk manually is no longer an option. Look for a solution with strong business automation and capabilities that support risk management throughout the relationship lifecycle. The best solutions will come with deep domain experience and an ability to support organizations at any stage of their maturity – from those just getting off spreadsheets, to the most complex of global third-party risk management programs.

Aravo delivers the market’s smartest third-party risk and performance management solutions, powered by intelligent automation.

As a centralized system of record for all data related to third-party risk, Aravo helps organizations achieve a complete view of their third-party ecosystem throughout the lifecycle of the relationship, from intake through off-boarding and all stages in between and across all risk domains.

To find out how we can help you deliver a best practice third-party risk management program contact us for a demo today.