A form of risk management, third-party risk management is the continuing process of identifying, analyzing, evaluating, and treating risks related to the use of third parties.
These third-party relationships have increased in recent times. But as the numbers have increased, the risks have, too.
And that’s happened because more vendors now have access to intellectual property and other sensitive data. A vendor shutdown, if that vendor is important enough, can now adversely affect your business operations.
Given the stakes, we’ve decided to write this article explaining what third-party risk management is and helping organizations to develop the capabilities to bolster their third-party risk governance.
What is third-party risk?
Third-party risk management has proven so multi-faceted, because third-party risk is so complex. So, what is third-party risk?
As the name suggests, third-party risk is the potential risk that arises from organizations relying on outside parties to perform services or activities on their behalf. Those parties can include suppliers, manufacturers, service providers, business partners, redistributors, or more.
Given the mix, third-party risk will come in varying degrees.
The most important type of third-party risk comes when the services or activities that third parties perform are material business activities.
Material business activities are prioritized activities that if disrupted will have a significant impact on an organization’s business operations or the ability of that organization to manage its risks effectively.
Why is third-party risk management important now?
But why are we talking about third-party risk at all? Surely, third-party relationships have always existed, as companies have always sought productivity and efficiency advantages.
The short answer is that the use of third-party vendors has exploded in recent times. This has led to a commensurate increase in third-party risk.
One catalyst has been digitalization. Well underway before the pandemic, digitalization got turbocharged by Covid, with offices going virtual.
During the pandemic, organizations became particularly dependent on cloud service providers (CSPs).
Deloitte found that 73% of companies stated that they had moderate to high levels of dependence of CSPs in 2022. Nearly 90% were projected to have the same levels of dependence on CSPs in the years to come.
What risks do third parties introduce?
These CSPs and other third parties are also becoming increasingly central to how businesses operate. Many companies are outsourcing core business functions to outside parties – the material business activities we mentioned earlier.
As a result, risk accumulated for businesses, with the top third-party risks now including:
Cybersecurity and data privacy risks
Cyber-attacks are on the rise everywhere. And third parties aren’t immune. By virtue of entering into third-party relationships, firms add another entry point for cyber threats. This is particularly the case if third parties have lax security protocols, making them more vulnerable to malicious actors.
Supply-chain risks
Post-Covid global supply chains have been a mess, and organizations reliant on suppliers to bring necessary goods and services from those strained supply chains have suffered. An uptick in global volatility, with flashpoints in the Middle East and Western Pacific, has often meant tighter margins for suppliers and increased risk of disruption to companies, as well.
Business continuity risks
Dependencies on third-party vendors for critical functions pose business continuity risks, as well. If a key partner suffers an operational setback (e.g., IT outage), the organization suffers, as well.
Regulatory compliance risks
As a result of these factors, regulators and policymakers are increasing the pressure on organizations to better manage their vendor ecosystems. They have introduced a whole slew of regulations and law, effectively forcing companies to better monitor their third-party ecosystem or face sanction.
Policymakers introduce third-party risk management regulations
Indeed, regulators, particularly in financial services, have put forth specific compliance requirements for firms who have “outsourced” material business activities to third parties.
Under the banner of operational resilience, these regulations are effectively forcing organizations to bolster third-party risk management protections or suffer the consequences. Some prominent examples include:
- Australian Prudential Regulation Authority. APRA CPS 230 Operational Risk Management.
- U.K. Bank of England Prudential Regulation Authority. Policies relating to operational resilience for financial services.
- U.S. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury. Interagency Guidance on Third-Party Relationships: Risk Management
Beyond regulations, there are laws, passed by legislatures.
The European Union, for instance, passed the Digital Operational Resilience Act (DORA), which compels entities to implement TPRM measures to mitigate digital risk.
The benefits of third-party risk management
In this regulatory environment, the obvious benefit of third-party risk management is compliance with these laws and regulations.
However, there are other benefits of third-party risk management, as well; they include:
- Safeguarding your reputation
- Continuity of services
- Reduced costs
- Better visibility into your third-party ecosystem
- More context-based decision making
Leading practices in third-party risk management
The question, then, is how to achieve the productivity and efficiency gains from third-party arrangements while effectively managing the risks?
That’s where leading practices in third-party risk management come in. And they don’t get more fundamental than the third-party risk management lifecycle.
The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.
So, what’s it all about?
The third-party risk management lifecycle is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed. It consists of the following stages:
- Identification of whether you need to employ a third party
- Conducting due diligence
- Shortlisting and selection of a third party
- Sending out a risk questionnaire
- Contract drafting
- Commencement of the onboarding process
- Ongoing monitoring
- Undertaking of internal audits
- Contract termination or offboarding
Beyond the TPRM lifecycle, there’s broader governance of the third-party ecosystem.
Like with risk management, more broadly, third-party risk governance will be highly site-specific. Generic leading practices to consider include:
Define objectives and scope
Consider anchoring your operational resilience and third-party risk management plans to an existing framework, be it DORA, APRA, or the UK Operational Resilience Framework. These frameworks already set criteria and expectations for third-party dependency management and business continuity planning and testing.
Identify vendors and analyze the ecosystem
Fully understand, document, and maintain your third-party inventory.
Develop policies and procedures
Lack of coordination between internal stakeholders is often cited as the biggest challenge for organizations undertaking third-party risk management.
Enhance ongoing monitoring
Initial due diligence is only a floor. Organizations will need more robust ongoing monitoring of third parties to enable more dynamic risk reporting.
Establish a governance structure
Regardless of ownership, the program will require input from multiple functions and teams, making well-defined governance crucial.
Implement technology and automation
Programs that integrate third-party risk management software into their TPRM lifecycle and embed automated cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.
Features to look for in third-party risk management software
How to go about it all efficiently?
Thanks to advances in digital technology, companies can now procure platforms that streamline all relevant activities throughout the third-party lifecycle. These solutions use automated workflows to invite vendors and gather due diligence information using questionnaires and documents. They also simplify the onboarding process for third parties.
What other capabilities should you be looking for in third-party risk management software? Consider the following:
Integrate third parties into your resilience initiatives
Digital technology should incorporate third-party risk management into your wider resilience workspace to align third parties with your resilience initiatives – from anticipating disruptions using risk intelligence, improving preparedness with risk assessments and dependency mapping, through to collaborating during incident response.
Automate ongoing monitoring and follow-up activities
Digital technology should support monitoring of third parties on an ongoing basis to ensure you have the right data to improve the resilience of the third-party ecosystem, with automated document and questionnaire updates, third-party status updates, risk assessment and action monitoring, plus risk intelligence to stay ahead of emerging threats.
Identify and share insights to improve resilience
Digital technology should enable you to leverage the data collected from your ecosystem and visualize it using configurable analytics to identify top issues and opportunities for improvement. Insights should also be able to be shared with internal stakeholders or externally with regulators as required, to satisfy obligations in customizable, printable reports.
Vendor onboarding and other vendor services
Digital technology should also empower vendors to participate in resilience initiatives through their own workspace, resulting in less manual work following up with vendors and better-quality data to enable your team to identify the top opportunities to improve resilience. These technologies should also help you understand the dependencies that exist in your organization by capturing the services each vendor provides and relating these to contracts, 4th parties, risk assessments, corrective actions, and incidents, to provide a full picture of the dependencies that exist in your organization.
Where to find such a solution? From risk management to analytics and reporting, Noggin Resilience does it all. Keen to learn how Noggin can help you manage risk across your entire third-party ecosystem? Request a demonstration to see Noggin in action.