By now, your clients likely have a solid handle on risk management. But what about their third-party risk? Third-party risk management (TPRM) isn't just a subfield of risk management; it carries its own complexity, and if the survey data is right, many clients have yet to grasp that complexity.
So, what should your clients know about third-party risk management?
Read on to find out.
What’s third-party risk?
Of course, the best place to start is with third-party risk itself. What is it?
Third-party risk is the potential for loss or disruption that arises when an organization relies on outside parties to perform services or activities on its behalf.
Third-party risk is particularly acute when the services or activities in question constitute material business activities: activities that, if disrupted, could have a significant impact on an organization's business operations or on its ability to manage its risks effectively.
Are your clients prepared to address third-party risk?
Increasingly, these material activities are being outsourced to third-party vendors. As that risk accumulates, you must ask your clients whether they are prepared to handle third-party incidents.
From a bird's-eye view, the answer for many is no. Why?
For one, during the Covid-19 pandemic clients became more dependent on cloud service providers (CSPs). Indeed, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence on CSPs in 2022, and that share is expected to rise further in the years to come.
Another obstacle to preparedness: clients now face a broader spectrum of more complex risks across overlapping domains, including geopolitical risk, geographic and supplier concentration, sanctions, and export controls.
Leading practices in third-party risk management
So, what then can clients do to address escalating third-party risk?
Clients can go a long way toward reducing their overall third-party risk profile by embedding third-party risk management practices at all levels of the organization.
What do some of those practices look like? According to our research, clients should consider the following:
- Define objectives and scope. To build a successful TPRM program, organizations should consider anchoring their operational resilience and third-party risk management plans to an existing framework, be it the EU's Digital Operational Resilience Act (DORA), APRA CPS 230 in Australia, or the UK Operational Resilience Framework.
- Fully understand, document, and maintain third-party inventories. An inventory that records which third parties support which material business activities is the basis for every other practice on this list.
- Develop policies and procedures. Lack of coordination between internal stakeholders is often cited as the biggest challenge for organizations undertaking third-party risk management; documented policies that assign ownership for each step of the vendor lifecycle address this directly.
- Enhance ongoing monitoring. Point-in-time due diligence at onboarding is not enough; organizations need more robust, ongoing monitoring of third parties to enable more dynamic risk reporting.
- Establish a governance structure for TPRM. Regardless of ownership, the program will require input from multiple functions and teams, making well-defined governance crucial. For global entities, it is therefore recommended to have a consistent global policy with local addenda for sub-entities.
- Implement technology and automation. Programs that integrate digital third-party risk management functionality into the supplier lifecycle and embed automated cross-functional workflows (e.g., procurement, cyber risk, resilience) are more effective in managing third-party risk and reporting to senior leadership.
That may seem like a lot, but your clients don't have to start from scratch. Existing regulatory frameworks already set criteria and expectations for third-party dependency management and for business continuity planning and testing.
What are some of the practices they suggest? Download our Introductory Guide to Risk Management to find out.