Member Q&A: defining third-party risk management for your organisation
Disaster often has to strike before a company takes third-party risk seriously. When things do go wrong, execs can point the finger at risk teams, members admit, asking why things have seemingly gotten so out of hand. Taking the initiative, risk leaders are now getting a handle on third-party risk management, exploring ways to take it from mere tick-box exercises to something far more valuable.
Most organisations don’t exist in isolation; rather, they rely on a complex mix of suppliers, service providers and alliance partners that make up their extended enterprise ecosystem.
The use of third parties provides these organisations with business value and strategic advantage, yet it also exposes them to a myriad of associated risks, such as non-compliance and reputational damage, supply chain disruption and inconsistent customer experience.
Taken from a recent member meeting as part of a series we’re hosting on third-party risk management, we present here some of the questions and answers discussed by members who want to take third-party risk management from the often-futile tick-box exercise to something actually useful that adds strategic value.
This is an extract from a more detailed guide available to members on our Intelligence platform.
What is a third party?
The simplest definition of a third-party relationship is any business arrangement between an organisation and another entity, by contract or otherwise. This could include:
- Suppliers
- Contractors and subcontractors
- Vendors
- Joint ventures
- Agents and brokers
- Software providers
- Distributors
Who are my organisation’s third parties?
Sometimes just knowing who all your external partners are can be challenging enough, and without knowing the universe of third party providers you work with, you won't be able to begin to understand the risks you face.
It is therefore essential that you speak to the teams who are actively working with third parties in order to see which data or information they already have on the nature of your engagement with these external providers. Chances are, the organisation is involved with more third parties than you originally thought.
What are some of the risks associated with third parties?
The ability to manage third-party relationships becomes even more critical to success when considering that a significant number of companies outsource core business functions to deliver operational efficiencies and cost savings.
Problems can occur when third-party operations are intertwined with organisational operations. If a third party is unable to provide its services as promised, the organisation may be unable to perform daily activities.
The violation of laws, regulations, or internal processes by a third party is not only a compliance risk, but also has financial, reputational, and strategic implications. At its most serious, evidence of third-party criminal activity or regulatory non-compliance could result in imprisonment or substantial fines, and this will have flow-on effects for the company.
Reputational damage is a risk when a third party makes business decisions that do not align with a company’s strategic objectives or perceived corporate social responsibility, such as misleading investors or the public, and revealing exploitative employment practices or a lack of sustainability initiatives.
Whether due to negligence or a cyber security breach, the loss or disclosure of customer information held by a third party can also harm the public perception of a company as consumers lose confidence in their competency to safeguard sensitive data.
Where do I begin with third-party risk?
The third-party onboarding process really sets the scene for ongoing relationship management, capturing essential third party information along with any necessary certifications, contracts, and documents.
It’s possible to include a request for risk management procedures and business continuity plans in all new contracts, or build risk management into the tendering process so that risk management and business continuity play a part in the scoring of proposals.
Even with the most comprehensive onboarding process, due diligence does not end there. If no one bothers following up on the relationship – whether the result of a lack of resources or poor internal processes – the consequences could be devastating.
How do I take it from compliance to the next level of third-party risk management?
For large organisations, it can be difficult to get a full understanding of every third-party provider they are engaged with – this could number in the hundreds or thousands – and continuous monitoring and screening of each of these third parties just may not be feasible. To add an extra layer of complication, there is not normally one central team responsible for ownership of third-party providers.
In this instance, giving each third party a criticality rating can help determine how important each partner is to the day-to-day running of the business. These ratings can take the form of a simple scale from one to five, allowing the business to highlight the third-party providers that are most critical and therefore require further review and monitoring.
This process can be supplemented with a simple survey of senior leadership to see which partners they see as being most critical to the business, enabling a comprehensive overview of third-party risk across the business.
What do I do with the information collected on third-party risks?
All the information gathered can inform scenario and business continuity planning, as well as the identification of potential mergers and acquisitions to bring key capabilities back in-house, to provide a framework for managing all of the critical third parties and the various risks they present to the business.
Are alternative partners available?
For those partners critical to the ongoing success of your company, it is important to know if there are any alternatives out there should the need arise for a change of provider.
This also tells you that – for those companies with few or no alternatives – the risk is much greater, and more resources and measures should be put in place to manage that relationship and the effectiveness of the services being provided.
It is also essential to remember to assess the ease with which you can leave a partner for another – it is no good having an alternative in mind if it is virtually impossible to partner with them.
Should my organisation acquire partners?
In some cases, the risk of outsourcing a service to a third party can be too great, and in such cases it may be worth assessing if that partner is a possible acquisition for your company.
By bringing the risk in-house you can better manage and mitigate your exposure as you are no longer relying on external parties for the ongoing service, nor the associated risk management.
Are you an in-house risk manager who could benefit from collaborating with a global network of risk leaders? find out more about how we work with risk leaders here.