How to Best Manage Third and 4th Party Risk
On average, the number of third parties an organization works with is increasing by 25% per year. At the same time, third party compliance and information security lapses have subjected vendors, suppliers and the companies they work for to unwanted public attention.
In this environment, it’s no surprise that only 17% of businesses feel their third party management processes are effective at addressing risk.
In a recent survey with RapidRatings and Compliance Week, we set out to explore how companies are handling the growing complexity and urgency of third party risk management. We surveyed more than 100 compliance and risk professionals about their largest barriers for managing third party risk well and uncovered steps forward to alleviate the pressure.
Why Companies Are Feeling Third Party Strain
Companies need greater visibility into their third and fourth parties, but several factors are holding back their progress. The survey revealed that lack of staff and lack of budget are the top two hindrances for managing third and 4th party risk:
- 36% of respondents said they lack staff to manage all of their third parties.
- 24% of respondents said they lack the budget to invest in the necessary tools and technologies.
The lack of resources exposes companies to unnecessary third and fourth party financial, regulatory and reputational risks. Within the past 6-12 months, 30% of companies said they had experienced a disruption caused by a third party, evidence of the growing threat. Worryingly, nearly 20% of companies said they didn’t know if they had, because they have no visibility into third party disruptions. The problem worsens when 4th, or Nth, parties are added into the mix.
- 33% of those surveyed had limited to no visibility of Nth parties.
- 33% of those surveyed put the burden on their third party to manage Nth parties.
Yet 4th parties are a top risk source, and one requiring focused oversight as supply chains and outsourcing relationships become more complex.
James Gellert of RapidRatings and Opus’s Lee Kirschbaum discussed how companies can maximize their risk management capabilities in a webinar titled “Best Practices for Reducing Third and Fourth Party Risks,” based on the findings of our joint survey.
The most effective step is to take a risk-based, automated approach to due diligence. “This idea of a risk-based, automated approach is quite honestly the only way I think companies could scale,” Kirschbaum said. When working with thousands of third parties, companies simply don’t have enough people to conduct in-depth assessments on all of them. Not all third parties require the same level of monitoring. A risk-based approach focuses on third party vendors and suppliers that are highest risk, protecting the company from the most significant potential causes of disruption.
A second major factor in risk management success is creating a common framework for evaluating all third parties. As companies expand into new markets and geographies, being able to compare third parties against one another is critical for choosing the best business partners to help grow your business. Gellert listed several best practices for creating strong relationships with third parties throughout the lifecycle of management:
- Assess the criticality of third parties, focusing on high criticality third parties first, and then thoroughly evaluating as many of your third parties as budget and resources allow.
- Collaborate across the company to understand the risk of third parties at the onboarding and at the diligence level before even bringing one on.
- Embed risk management requirements into contracts and onboarding.
- Monitor third parties against these risk controls throughout the relationship.
- Develop a system to report on how well third parties are following the stated controls.
Listen to a full recap of the findings of our joint survey in this webinar with James Gellert of RapidRatings on “Best Practices for Reducing Third and Fourth Party Risks.”
Why Measuring the Success of Your Third Party Risk Program Is Critical
44% of companies say that they’re not measuring the success of their third party risk program, the joint Opus and RapidRatings survey found.
“That number really needs to come down and it really needs to come down quickly,” Gellert said. “The identification of value is the only way to be able to get a sustained commitment from the organizations to be able to fund and maintain these programs.”
Clear evidence of the benefits leads to greater budget and company-wide buy-in. Here are ways to measure success:
- Is your program supporting and furthering company goals?
- Are you meeting compliance demands and receiving regulatory approvals?
- Are you able to efficiently measure and report on all third parties throughout the life cycle?
- Are you using available resources wisely by taking a risk-based approach to third party management?
- Are you able to quickly onboard third parties that will grow your business by allowing your company to expand into new markets or adopt innovative technologies?
Third party risk management is about much more than compliance or avoiding a data breach. “When thinking about risk management for third parties, recognize that this isn’t just avoiding a disruption,” Gellert of RapidRatings said. “It’s about creating the strongest third party group possible.”
We couldn’t agree more. Third parties are core partners, and when managed well, risk goes down and business opportunities go up.
At Opus, our goal is to free businesses from risk by giving them the confidence and capabilities they need to handle third party risk effectively.