Third-party risk management
Not only is the prevalence of outsourcing growing, but as the business landscape becomes more complex and globally interconnected, each company is working with increasing numbers of third parties. 60% of organizations currently work with over 1,000 third parties. As outsourcing grows more prevalent and the number of third-party relationships increases, the risks companies face from their outsourced operations increase rapidly too.
Third-party outsourcing may deliver cost-savings, efficiencies and enable companies to focus on their core capabilities. But it also brings with it significant risk if it isn’t properly managed within a robust governance framework. This is particularly true at times of crisis or volatility, which is becoming more common in today’s operating environment.
This is why third-party risk management (TPRM) is becoming more commonplace and more vital. Particularly for companies in regulated sectors, managing risk in third-party relationships is non-negotiable and a growing focus for boards and stakeholders.
While it may be growing in popularity, third-party risk management is still an under-used strategy for many businesses. 40% of companies lack any clear third-party risk management responsibilities for functional partners. This creates a potential — and precarious — blind spot.
Here, we explore:
- What is third-party risk management
- The risks third parties pose to the companies entrusting their operations to them
- Why is third-party risk management important
- Third-party risk management best practices: what makes an effective third-party risk management framework
- Third-party risk management regulations
- How to address common TPRM issues
- Why businesses are increasingly using a third-party risk management solution to manage third-party risk
What Is Third-Party Risk Management?
As you might imagine, third-party risk management — sometimes known as third-party vendor risk management — is a facet of risk management that focuses on identifying and mitigating risks relating to third parties: the risks outlined in the next section.
A third-party risk management framework aims to help organizations to understand:
- Which third parties they use — often more than they think, due to incomplete data and incorrect understanding of what constitutes a third party
- How they use their third-party vendors, suppliers and partners
- What safeguards and risk management programs their third parties have in place
There are subsections of third-party risk management that relate to specific categories of risk; for instance, third-party cyber risk management looks specifically at cyber risks. A best-practice third-party risk management framework will encompass all of these. Terms like “third-party vendor risk management” are often used interchangeably with third-party risk management (TPRM), but they are not quite the same: vendor risk management covers only the vendors you buy goods or services from.
Third-party risk covers suppliers and business partners of all types, not simply vendors, so third-party risk management is the overarching term used to cover risk management relating to all third parties.
Increasingly, “third-party” is a reductive description, as third-party risk management today tends not just to focus on your immediate suppliers but to have fourth parties, sub-contractors and the entire supply chain in scope.
Your approach to third-party risk has to be comprehensive but proportionate. As the U.S. Government’s Office of the Comptroller of the Currency notes, your strategy should be “commensurate with the level of risk and complexity of [your] third-party relationships.”
What Risks Do Third Parties Pose?
Third-party risk management matters because third-party vendors and partners can pose many risks to the organizations that employ them. These risks span the spectrum of business operations. They include:
- Cybersecurity and information security risk: The risk that a third party’s actions or negligence may compromise your systems and data, for instance through the access you have granted them or the data you have entrusted to them.
- Environmental, social, and governance (ESG) risk: The risk of your suppliers failing to meet standards, whether externally mandated or set by your internal ESG policies around sustainability, social or governance matters.
- Compliance, legal and regulatory risk: The risk that suppliers, third-party vendors or business partners may jeopardize your compliance with regulations or legislation.
- Financial risk: The risk that a third party could impact your revenue. Perhaps they fail to supply to you or your customers, creating delays or putting you at risk of having to provide compensation. Perhaps they deliver a faulty component, causing costly recalls or delaying production. Maybe your revenues are impacted by association with an unethical supplier. Third-party risk management strategies are needed to tackle financial risks.
- Reputational risk: Closely related to financial risk. Many of the threats to your income, such as issues of ethics, sustainability or quality, also threaten your reputation.
- Operational risk: The risk that third parties’ actions imperil your ability to operate; for instance, a supplier fails to deliver parts that your production line needs, or a third party hosting your data has an outage, impacting your systems.
- Strategic risk: Risks that strike at the heart of your corporate strategy, affecting the direction your organization wants to take.
Because the risks posed by third-party vendors and suppliers are so wide-ranging and touch fundamental areas of your business, third-party risk management has become an essential element of your overall risk management strategy.
Why Is Third-party Risk Management Important?
Third-party risk is nothing new, and neither is third-party risk management. But several factors are making it ever more important to put in place a third-party risk management program:
1. Third-party risk is growing. Organizations are seeing increased issues from vendors and increased global volatility impacting customers and suppliers alike.
Increasingly disruptive and increasingly frequent cyberattacks and fraud threats affect vendor reliability. As margins tighten, suppliers’ ability to absorb shocks decreases.
Coupled with the trend towards outsourcing, reduced reliability in supply chains is accelerating the potential for third-party risk.
2. The implications of third-party risk are becoming bigger. Regulators have supplier risk on their radar, driving businesses to focus on their supply chain risk. A growing regulatory burden relating to third-party risk is incentivizing organizations’ adoption of third-party risk management frameworks.
Third-party risk exposes your organization to threats, including:
- System and operational outages within your operations — for instance, disruption of key systems if they rely on outsourced inputs
- Interruptions to suppliers’ operations, disrupting their ability to deliver
- Issues that impact your suppliers’ integrity, ESG credentials or ability to provide you with the assurances, data or compliance that you require
Real-life examples of these risks might be:
- Your CRM system is outsourced to a third-party provider. Your ability to contact and serve customers is impacted if their system is compromised.
- A global supply chain relies on a vendor whose operations are disrupted by a typhoon. You are unable to manufacture your products as a result.
- Your supply chain due diligence uncovers that one of your suppliers is not meeting human rights standards. You need to sever links with them before they cause you reflected reputational risk.
Outsourcing is a central tenet of today’s business operations, driving efficiency and cost-effectiveness, opening up global supply chains that enable you to innovate and evolve, and allowing your company to focus on its core competencies while outsourcing non-key operations. The downside is its potential to expose your organization to supply chain vulnerabilities and threats.
An effective third-party risk management policy provides the assurance you need that you can get the most from your outsourced relationships while minimizing the risks incurred.
It is essential when considering higher-risk third parties: those who process customer data, for instance; host board or other sensitive company information; or whose business continuity is crucial to your operations. Also, robust third-party risk management is a key consideration if you operate in a regulated environment.
In any of these scenarios, having a third-party risk management program in place is even more vital.
What Are the Goals of Third-party Risk Management?
What is the purpose of third-party risk management? A structured third-party risk management framework can deliver significant reductions in the risks you face from third parties. From a governance point of view, it can provide data and evidence that you are taking steps to tackle the third-party risks that you face.
Putting in place an effective third-party risk management program is designed to:
- Ensure you have a comprehensive catalog of your third-party providers
- Identify the third-party risks your organization is exposed to, and prioritize these for action
- Reduce your risk of business interruption
- Minimize the regulatory, compliance, reputational and financial risks you face from third parties
- Give you a “long-range” view of incoming threats and enable you to address these future risks more efficiently and effectively
- Cut the cost of your third-party risk management activities and third-party risk mitigation
Third-Party Risk Management Best Practices
Whether you are starting off on your third-party risk management journey or have already put in place the steps you need to effectively manage third-party risk, there are some best practices to follow.
What does third-party risk management best practice look like? An effective third-party risk management process will generally include the following elements:
- Identify all the suppliers who should be included in your third-party risk management program. As we noted above, this might not be confined to tier-1 suppliers. Your third-party risk management inventory should also include subcontractors and those further down your supply chain.
- Undertake supplier evaluations to assess the risk posed by each of these third parties. There are numerous ways to do this: you could issue suppliers with a questionnaire to complete around their practices and policies. This is an exercise you can carry out with existing suppliers, and should also undertake with prospective providers.
- Evaluate and segment your third-party suppliers according to the risks they pose. Categorizing your vendors and partners is an essential foundation of your third-party risk management program. This will enable you to take an appropriate and proportionate response to the risks they expose you to, based on the data obtained in your supplier evaluation exercise.
- Outline and implement a third-party risk management framework to address the risks inherent in your third-party relationships. Do you have controls to identify that any of these risks are coming into play? What are your risk tolerances? Ensure mitigation plans are in place to quickly respond to any threats.
- Identify clear owners for all elements of your third-party risk management program. Roles and responsibilities should be unambiguous. The three lines of defense in risk management are well-established; apply this to third-party risk management to give it the structure it needs for success.
- Define contingency plans for any third-party risk breaches. These will vary depending on the nature or severity of the risk in question, but need to be clearly documented and communicated so that risk mitigation plans can swing into place at maximum speed in the event of a problem.
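The steps above (inventory including subcontractors, assessment, segmentation by risk, proportionate controls, and a defined review cadence) can be expressed as a small, repeatable scoring model. The following is an added example, not Diligent’s code or any named framework: it tiers each third party by inherent risk, derives the assessment depth and review interval from the tier, surfaces the fourth parties that a high-risk vendor relies on, and lists what is overdue. The factor scales, weights, tier bands, review intervals and the sample inventory are all illustrative assumptions to be replaced by your own risk appetite and regulatory obligations.

```python
"""Risk-based tiering and review scheduling for a third-party inventory.

Added example, not Diligent's code. Factor names, weights, tier bands and
review intervals are assumptions; tune them to your own risk appetite.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Inherent-risk factors, scored 0 (lowest) to 3 (highest). Assumed scales.
DATA_CLASS = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS = {"none": 0, "saas_only": 1, "network": 2, "privileged": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "essential": 3}

# Tier 1 is highest risk. Assumed review cadence and assessment depth per tier.
REVIEW_DAYS = {1: 365, 2: 730, 3: 1095}
DEPTH = {
    1: "full questionnaire, evidence review and independent test report",
    2: "standard questionnaire with spot-check of evidence",
    3: "self-attestation and contract clauses",
}


@dataclass
class ThirdParty:
    name: str
    data_class: str        # most sensitive class of your data the party handles
    access: str            # deepest access the party has into your environment
    criticality: str       # impact on your operations if the party fails
    subprocessors: List[str] = field(default_factory=list)  # known fourth parties
    last_assessed: Optional[date] = None  # None means never assessed


def inherent_score(tp: ThirdParty) -> int:
    return DATA_CLASS[tp.data_class] + ACCESS[tp.access] + CRITICALITY[tp.criticality]


def tier(tp: ThirdParty) -> int:
    """Band the summed score, but let any single worst-case factor force Tier 1.

    The ceiling rule stops a party that holds regulated data from landing in
    Tier 3 merely because it is operationally minor and has no network access.
    """
    worst = max(DATA_CLASS[tp.data_class], ACCESS[tp.access], CRITICALITY[tp.criticality])
    if worst == 3:
        return 1
    score = inherent_score(tp)
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


def next_review(tp: ThirdParty) -> Optional[date]:
    """Due date of the next assessment; None means one is owed immediately."""
    if tp.last_assessed is None:
        return None
    return tp.last_assessed + timedelta(days=REVIEW_DAYS[tier(tp)])


def fourth_parties_in_scope(inventory: List[ThirdParty]) -> Set[str]:
    """Subprocessors of Tier 1 and 2 parties that are not yet inventoried themselves."""
    known = {tp.name for tp in inventory}
    return {sub for tp in inventory if tier(tp) <= 2
            for sub in tp.subprocessors if sub not in known}


def review_plan(inventory: List[ThirdParty], today: date) -> List[Dict]:
    """One row per third party: tier, required depth, due date and overdue flag."""
    rows = []
    for tp in inventory:
        due = next_review(tp)
        rows.append({"name": tp.name, "tier": tier(tp), "depth": DEPTH[tier(tp)],
                     "due": due, "overdue": due is None or due < today})
    # Highest risk first, and within a tier the longest-outstanding review first
    rows.sort(key=lambda r: (r["tier"], r["due"] or date.min))
    return rows


# Constructed sample inventory; the names are not real vendors.
SAMPLE = [
    ThirdParty("CRM SaaS", "confidential", "saas_only", "essential",
               subprocessors=["CloudHost Inc"], last_assessed=date(2022, 1, 10)),
    ThirdParty("Payroll bureau", "regulated", "none", "medium",
               last_assessed=date(2023, 6, 1)),
    ThirdParty("Office plants", "public", "none", "low",
               last_assessed=date(2021, 3, 1)),
    ThirdParty("Parts supplier", "internal", "network", "high",
               subprocessors=["Freight Co"]),
]


def sample_plan(today_iso: str = "2024-01-01") -> List[Dict]:
    return review_plan(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in sample_plan():
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f"T{row['tier']} {row['name']:<15} due={row['due']} {flag}: {row['depth']}")
    print("Fourth parties to inventory:", sorted(fourth_parties_in_scope(SAMPLE)))
```

Run as-is and the payroll bureau lands in Tier 1 on the strength of the regulated data alone, the parts supplier is flagged immediately because it has never been assessed, and the two subprocessors of Tier 1 vendors are listed as fourth parties that belong in the inventory. The sort order is the work queue: a rigid “assess everyone the same way every year” schedule would spend the same effort on the plant supplier as on the CRM provider.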
You can read more on third-party risk management best practices in our 7 Steps to Effective Third-Party Risk Management.
Examining Third-Party Risk Management Frameworks
There is no single way to carry out third-party risk management; no prescribed TPRM program or framework.
There are, though, several recognized approaches that you may find useful as start points for your own third-party risk management program. Because third-party risk management can be a daunting challenge, many organizations turn to these existing frameworks to provide structure and support.
What Is a Third-party Risk Management Framework?
A TPRM framework provides the structure for your third-party risk management strategy.
A framework can bring welcome clarity and guidance to the process of setting up a TPRM program. The process of putting in place third-party risk management is complex, involving multiple vendors, often spanning many countries. For each of these, you must evaluate the risks the third party brings to your organization - a process that requires exhaustive due diligence.
How to Choose a Third-party Risk Management Framework
There are a number of existing TPRM frameworks. Choosing the most appropriate one will depend on the nature of your business, the types of risk you face and the resources you have available to tackle third-party risk.
Types of Third-party Risk Management Framework
The two most common starting points are the publications of the National Institute of Standards and Technology (NIST), such as NIST SP 800-161 on cybersecurity supply chain risk management, and the standards of the International Organization for Standardization (ISO), such as ISO/IEC 27036 on information security for supplier relationships.
These frameworks can be used to supplement, and bring more focus to key areas of, your third-party risk management strategy. Once you’ve established your initial TPRM framework using this external guidance, you can always customize your approach or add other frameworks to prevent any gaps in risk coverage.
Third-Party Risk Management Regulations
A growing list of regulations pertains to third-party risk management. And while they may seem like yet another area of compliance for your business to address, they serve a valuable purpose in bringing focus to your TPRM program and, ultimately, in reducing risk.
Many regulations firmly put responsibility for third-party compliance with the company that employs them, making understanding and complying with third-party risk management regulations a necessity rather than a nice-to-do.
Third-party risk management regulations have a number of benefits to suppliers and users alike:
- Third parties are held accountable and, as a result, operate to higher standards
- Identifying compliant, ethical — and therefore hopefully lower-risk — suppliers is easier
- Due diligence of new suppliers is, therefore, simpler and quicker
- Reduced risk of business interruption and disruption
- Regulatory requirements bring structure to the third-party risk management lifecycle with inbuilt controls and metrics
- In combination with the frameworks we’ve noted above, third-party risk management regulations create consistency and make best practices visible and actionable
Which third-party risk management regulations apply to your organization will depend on your location and the jurisdictions in which you operate.
Well-known Third-party Risk Management Regulations
Some of the best-known third-party risk management regulations include:
- GDPR — the General Data Protection Regulation. A European Union (EU) regulation, the GDPR applies to any organization processing the personal data of individuals in the EU, no matter where the organization is located. It holds the controller responsible for the processors it engages and requires a written data processing agreement with each. Non-compliance brings significant financial penalties.
- Sarbanes-Oxley Act (SOX) — SOX applies to all U.S. public companies. Its requirements are aimed at ensuring financial statements and disclosures are accurate and reliable, which extends to the controls at service providers whose processing feeds those statements.
- HIPAA — the Health Insurance Portability and Accountability Act of 1996. HIPAA is a data protection regulation for the U.S. healthcare sector. It sets rules for covered entities (healthcare providers, health plans and clearinghouses) and for the third parties that handle protected health information (PHI) on their behalf, known as business associates, around the maintenance, use, sharing and protection of that information.
How to Address Common TPRM Issues
Third-party risk management is an essential element of today’s risk management strategy. But it’s not without its challenges. Common TPRM stumbling blocks include:
- Onboarding and inventory. Onboarding third parties and creating a centralized repository of them can be labor-intensive and time-consuming. Apply a standard set of controls to every onboarding, and keep a document register so that you can see the full picture at a glance. Automating the process can be transformative.
- Third parties can be outside your risk management process. You must put in place a Corrective Action Plan (CAP) for any risks you identify: a plan with defined remediation actions, owners and approvals that can be tracked through to completion. If your third-party partners are not part of this plan, or of the solution that supports it, you will not succeed in managing their risks.
- Risks are not routinely and accurately assessed or prioritized. Automate your process for classifying, assessing and tackling the risks your third parties pose, and you will bolster your approach as well as reduce inefficiency and duplication.
- Many organizations use an identical data-gathering process for all of their third parties. This can be unnecessary and over-engineered, wasting time and money and drowning staff in paperwork. Focus your data-gathering on identifying high-risk suppliers and drilling into those rather than subjecting all third parties to the same onerous, “one size” third-party risk management approach.
- Monitoring is ad-hoc with no schedule or structure. Third-party risk management should be a continuous process, with data gathering tailored to the risk profile of the third party. Automating this process can pick up changes to risk level, allowing you to flex your approach as needed.
- Reporting is unclear or incomplete. As mentioned above, data-overwhelm helps nobody. You need out-of-the-box dashboards and customizable tools to enable meaningful, concise and relevant reporting. A solution that grows with you will allow your third-party risk management framework to evolve with your changing needs.
- Future-proofing your third-party risk management program can be difficult. With regulatory requirements, corporate ambitions and consumer expectations constantly shifting, a flexible approach to third-party risk management is key. As Fola Ojumu, Partner, Kearney & Company, noted at Diligent’s Modern Governance Summit 2022, “You need an adaptive strategy to react to change — otherwise you miss emerging risk.” A rigid TPRM solution can stifle your ability to change as needed. Third-party risk management best practices include adapting your approach to the external landscape, and the route you choose must accommodate this.
As with any risk management challenge, a structure around your approach is essential. In the same way that you might create a checklist for your wider audits and assessments, it helps to take a systematic stance on TPRM. Fortunately, there are third-party risk management solutions that can help you.
Benefits of Third-Party Risk Management Software
The right third-party risk management solution can transform your ability to tackle your TPRM challenges:
- Automating the process makes it more robust, from data gathering, through risk scoring and analysis, to remediation
- Third-party intelligence can be integrated into your approach to deliver a 360-degree (and up-to-the-minute) vision of third-party risk at all times
- Existing workflow processes and legacy data can be easily integrated
- Assessment depth is scaled to each third party’s risk profile, preventing over-engineering for low-risk suppliers
- Risks can be accurately assessed and prioritized for action, reducing unnecessary work, duplication and wasted resource
- Reporting is clear, customizable and appropriate for your stakeholders, providing clear snapshots of progress
- A more efficient process enables you to fast-track TPRM, covering more third parties with risk assessments, bolstering data gathering and controls, and accelerating remediation
- The best solutions will future-proof your third-party risk management strategy, allowing you to optimize your TPRM process at every stage
For tips on choosing the best solution for your organization, download our third-party risk management buyer's guide, written by compliance expert and former CCO Kristy Grant-Hart.
Simplify and Scale Your TPRM Program With Diligent
Many third-party risk management implementations stall or fail because they're too complex and too rigid to accommodate change. Third-Party Risk Management from Diligent is designed to provide a simplified solid foundation to grow and scale with your organization and adapt to the ever-changing business, regulatory and risk landscape.
Discover how Diligent Third-Party Risk Management can streamline onboarding, centralize vendor management and make more informed decisions.