Third-party vendors are increasingly central to the way companies do business. As Deloitte puts it: “many companies even outsource core functions.”[i]
Although these arrangements have clear benefits (increased productivity and efficiency come to mind), they also introduce risk – third-party risk, to be precise. How do you mitigate the risk third-party vendors pose to your organization? This article lays out eight ways to do so.
What’s third-party risk?
But first, what’s third-party risk, exactly? Well, third-party risk is the potential risk that arises from relying on outside parties to perform services or activities on an organization’s behalf.
The consequences are tangible. A 2022 Gartner survey found that 84% of respondents said third-party risk “misses,” i.e., third-party risk incidents, had resulted in operational disruptions. Third-party risk incidents also caused adverse financial impacts (66% of respondents), increased regulatory scrutiny (60%), reputational damage (59%), and regulatory action (33%).
How often do these incidents happen, though? When it comes to third-party incidents involving data breaches specifically, they are common. According to a 2023 study published by Apple[ii], 98% of organizations reported having a relationship with a vendor that had experienced a breach within the previous two years.
Third-party risk management best practices
What, then, can businesses do to mitigate their third-party risk? They must first implement foundational third-party risk management best practices, and nothing is more foundational than following the third-party risk management (TPRM) lifecycle when onboarding critical third parties.
The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.
So, what does the third-party risk management lifecycle consist of?
Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycle[iii] is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.
The process itself consists of the following stages:
- Identification of whether you need to employ a third party
- Conducting due diligence
- Shortlisting and selection of a third party
- Sending out a risk questionnaire
- Contract drafting
- Commencement of the onboarding process
- Ongoing monitoring
- Undertaking of internal audits
- Contract termination or offboarding
Ways to mitigate third-party risk
Simply following the third-party risk management lifecycle likely won’t be enough. If they are to successfully control third-party risk, companies might need to implement some, if not all, of the following leading practices:
1. Manage third-party risk as an integral component of broader risk management
Companies should manage their third-party risk within the parameters of their broader risk management framework. In doing so, they should adhere to the following principles:
- Contractual arrangements involving the use of third-party services should remain compliant with relevant regulations and laws. This might include requirements to report on the number of new third-party arrangements, the categories of third-party service providers, the type of contractual arrangements, and the services and functions which are being provided.
This might also include requirements to inform regulators about any planned contractual arrangement on the use of third-party services supporting critical or important functions as well as when a function has become critical or important.
- The management of third-party risk itself should take into account:
- The nature, scale, complexity, and importance of the dependency
- The risks arising from contractual arrangements on the use of third-party services, taking into account the criticality or importance of the respective service, process, or function, and the potential impact on the continuity and availability of services and activities.
2. Adopt and regularly review a strategy on third-party risk
This should also be done as part of the broader risk management framework. In particular, the third-party risk strategy should include a policy on the use of third-party services supporting critical or important functions.
What’s more, the board of directors should, on the basis of an assessment of the company’s overall risk profile and the scale and complexity of its business services, regularly review the risks identified in the use of third-party services supporting critical or important functions.
3. Maintain and update a register of information about all third-party arrangements
Contractual arrangements themselves should be appropriately documented, distinguishing between those that cover services supporting critical or important functions and those that do not.
4. Identify third-party risk before entering contracts
Before entering a contractual arrangement with a third-party vendor, companies should get in the habit of identifying all salient risks by:
- Assessing whether the contractual arrangement covers the use of services supporting a critical or important function.
- Identifying and assessing all relevant risks, including the possibility that the arrangement may create or reinforce concentration risk (several critical or important functions coming to depend on the same provider, or on a provider that itself depends on one upstream supplier).
- Undertaking all due diligence on the prospective third-party service provider and ensuring, throughout the selection and assessment processes, that the provider is suitable.
- Identifying and assessing conflicts of interest that the contractual arrangement may cause.
5. Ensure robust security standards are met
Organizations should only enter contractual arrangements with third-party service providers, especially cloud-service providers (CSPs), who comply with recognized, current information security standards and can evidence that compliance (for example, through a certification such as ISO/IEC 27001 or an independent assurance report). Check that the scope of any certificate or report actually covers the service and locations you are buying, not just a part of the provider's business.
6. Establish continuing auditing protocols
Taking a risk-based approach, organizations, in exercising access, inspection, and audit rights over third-party service providers, should pre-determine the frequency of audits and inspections as well as the areas to be audited.
7. Put in place opt-out mechanisms
Organizations should ensure that contractual arrangements on the use of third-party services can be terminated, particularly in any of the following circumstances:
- Significant breach by third-party service provider of applicable laws, regulations, or contractual terms
- Circumstances identified throughout the monitoring of third-party risk deemed capable of altering the performance of the functions provided through the contractual arrangement, e.g., material changes that affect the arrangement or the situation of the third-party service provider
- Third-party service provider’s evidenced weaknesses pertaining to overall risk management, specifically in the way it ensures the availability, authenticity, integrity, and confidentiality of data
8. Put in place exit strategies for third-party service providers supporting critical or important functions
Companies should have specific, concrete exit strategies for third-party services supporting critical or important functions. The exit strategies should take into account possible failures on the part of the third-party service provider, a deterioration of the quality of their services, any business disruption due to inappropriate or failed provision of services, or any material risk arising in relation to the appropriate and continuous deployment of the respective service.
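As an added illustration (example code written for this page, not the article's or any vendor's tool), the following Python model shows what a register of information can do once it exists: it distinguishes critical from non-critical arrangements (item 3), flags concentration risk where one vendor underpins several critical functions (item 4), lists arrangements whose audit is overdue under a risk-based cadence (item 6), and lists the critical functions that rest on a single provider, which are the ones an exit strategy (item 8) must cover first. The record schema, the audit intervals, and the vendor names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical register schema; the field names are assumptions for this example.
@dataclass(frozen=True)
class Arrangement:
    vendor: str                 # third-party service provider
    service: str                # what is contracted
    functions: tuple            # internal business functions the service supports
    critical: bool              # does it support a critical or important function?
    last_audit: Optional[date]  # None = never audited

# Risk-based audit cadence (assumed values, not prescribed by the article):
# critical arrangements yearly, everything else every three years.
AUDIT_INTERVAL = {True: timedelta(days=365), False: timedelta(days=3 * 365)}

# Constructed sample register (fictional vendors and dates).
REGISTER = (
    Arrangement("CloudCo", "IaaS hosting", ("payments", "customer-portal"), True, date(2023, 3, 1)),
    Arrangement("CloudCo", "Managed database", ("payments",), True, date(2024, 1, 15)),
    Arrangement("MailSaaS", "Transactional email", ("notifications",), False, None),
    Arrangement("PayGate", "Card acquiring", ("payments",), True, date(2024, 6, 1)),
    Arrangement("LogCo", "Log archive", ("security-ops",), True, None),
)
SAMPLE_TODAY = date(2024, 9, 1)  # reference date used by the usage block and tests


def split_by_criticality(register):
    """Item 3: keep arrangements supporting critical functions distinguishable."""
    critical = [a for a in register if a.critical]
    other = [a for a in register if not a.critical]
    return critical, other


def concentration_risk(register, threshold=2):
    """Item 4: vendors supporting at least `threshold` distinct critical functions."""
    funcs_by_vendor = {}
    for a in register:
        if a.critical:
            funcs_by_vendor.setdefault(a.vendor, set()).update(a.functions)
    return {v: sorted(f) for v, f in funcs_by_vendor.items() if len(f) >= threshold}


def single_provider_functions(register):
    """Item 8: critical functions with exactly one vendor behind them (hardest to exit)."""
    vendors_by_func = {}
    for a in register:
        if a.critical:
            for f in a.functions:
                vendors_by_func.setdefault(f, set()).add(a.vendor)
    return sorted(f for f, v in vendors_by_func.items() if len(v) == 1)


def overdue_audits(register, today):
    """Item 6: arrangements past their risk-based audit interval.
    An arrangement that has never been audited is treated as overdue."""
    overdue = []
    for a in register:
        if a.last_audit is None or today - a.last_audit > AUDIT_INTERVAL[a.critical]:
            overdue.append((a.vendor, a.service))
    return overdue


if __name__ == "__main__":
    critical, other = split_by_criticality(REGISTER)
    print(f"{len(critical)} critical / {len(other)} non-critical arrangements")
    print("Concentration risk:", concentration_risk(REGISTER))
    print("Single-provider critical functions:", single_provider_functions(REGISTER))
    print("Overdue audits:", overdue_audits(REGISTER, SAMPLE_TODAY))
```

Note the ordering of the checks: a vendor can be a concentration risk without being a single point of failure (here CloudCo carries two critical functions, but "payments" also has PayGate), and a function can be a single point of failure without concentration (LogCo carries only "security-ops"). Both views are needed before deciding which exit strategies to write first.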
Third-party risk has grown sharply, so now is the time for companies to take concrete steps to mitigate it.
We’ve laid out some of the leading practices third-party risk management programs should take. Missing, though, are third-party risk management software capabilities to help teams pinpoint and address the top issues across their vendor ecosystem.
Not certain what those capabilities are? We’ve written a comprehensive guide covering the Digital Strategies and Tools Needed to Manage and Mitigate Third-Party Risk.
Sources
[i] Deloitte: Emerging stronger: The rise of sustainable and resilient supply chains: Global third-party risk management survey 2022. Available at https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm-survey-report-2022.pdf.
[ii] Professor Stuart E. Madnick, Ph.D., Apple Newsroom: The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase. Available at https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf.
[iii] Lexis Nexis: Defining Third Party Risk Management. Available at https://internationalsales.lexisnexis.com/glossary/compliance/third-party-risk-management.