You Can’t Outsource Responsibility
Third-party risk management is high on the agenda of both the C-suite and the Board of Directors. Leading organizations recognize that the Board holds ultimate responsibility for third-party risk and now often appoint a specific member charged with ownership. Consequently, engagement at the C-suite level has also never been higher.
So why is there so much focus on third-party risk? Around the world, regulators have certainly helped elevate the level of attention that third-party risk is receiving – with significant sanctions, fines, and the negative headlines that ensue. Regulators have made it quite clear that while organizations can outsource a task, they cannot outsource the responsibility. Regulators are just a symptom, however, of the underlying issue – the way organizations do business is evolving dramatically and rapidly. And with this, the way they manage risk needs to evolve quickly too. Yet management of the risks that these third parties can create for their partner organizations has often not kept pace with the rate at which the business landscape has evolved.
Some key areas in which third-party relationships can result in damaging loss events include:
- Compliance risk: The third party not complying with essential industry regulations and standards.
- Bribery and corruption risk: Employees of the third party engaging in illegal behaviors in the context, or outside the context, of a third-party relationship.
- Cyber-risk: An organization’s data could be at risk if a partner isn’t adequately protected or does not abide by increasingly stringent data protection legislation.
- Operational risk: An organization can fail to deliver its products or services to customers if a third party has a significant operational risk issue.
- Reputational risk: Recently, many organizations have found their name in the headlines, even though the loss event was caused by a third-party relationship.