Third Party Risk Management and the Future of Your Business
Today’s companies rely on hundreds, if not thousands, of third parties to complete core business functions. These third parties include traditional suppliers, vendors and contract manufacturers as well as agents, brokers, vendors, distributors, resellers, franchisees, affiliates and more.
Together, third parties deliver the majority of a company’s revenue — from 60% or more. But as reliance on outside business partners has increased, companies face the often overlooked challenge of setting up systems to actively monitor these key relationships for risk. Ultimately, a company is responsible for the actions of its third parties, which is why forward-looking global organizations are taking third party risk management seriously.
What Is Third Party Risk Management?
Third party risk management helps companies answer a few seemingly simple yet critical questions: who am I doing business with, what risks do they pose and how do I successfully manage those risks?
It’s the process by which organizations select, onboard, and monitor their external relationships with third parties, such as partners, vendors, contractors, etc. It’s an essential process because third parties inherently introduce significant risk to an organization, including information security risks, like a data breach; lack of financial stability; supply chain disruption; environmental or social accountability issues; regulatory compliance concerns; bribery, fraud and corruption risk, to name a few. New risks emerge regularly, so it’s also important that businesses keep a constant eye on their third parties.
Companies that don’t have a program in place for monitoring third parties for risk expose their organizations to significant regulatory, financial and reputational repercussions. They’re also at a significant disadvantage when it comes to growth opportunities. Strong third party risk management enables strategic growth decisions that can put companies ahead of the pack.
So what does effective third party risk management look like?
Effective third party risk management programs focus on establishing a comprehensive view of all third parties and setting up a process to manage each based on their current and evolving risk levels. This includes maintaining an inventory of all third parties and keeping track of documentation, such as contractual agreements, workflows, risk audits and assessments. The goal is to identify potential threats to catch problems before they occur.
Though the threat of third party risk can seem intimidating, third parties are a defining feature of today’s business environment. At Opus, we view risk management not as a “have to” in order to avoid fines and penalties, but as an opportunity to take on more risk in order to spur growth. In today’s ever-evolving digital landscape, risk is necessary to stay ahead.
Protecting against risk upfront not only gives companies a competitive advantage over other organizations with less effective third party risk management, but it also allows organizations to innovate and grow. Global expansion is just one example. Third parties in some countries may pose more risk than others — but also offer greater growth potential. Properly managing the risk enables and opens up forward motion.
Third Party Risk: What Your Business Is Up Against
Third parties bring their own security practices, compliance concerns, financial health and more into your company’s operations. Though companies can outsource services, ultimately regulators, customers, and investors expect them to take responsibility for any activities conducted through third party relationships.
This is why companies need to assess and monitor third party risks just as carefully they do internal risks. A solid third party risk management program monitors the compliance and performance of third parties in several risk areas.
Information security risk is one of the biggest threats to companies in today’s digital world. As most of us know, poorly managed third party relationships have cost large companies like Pfizer, Target and dozens of others millions of dollars, and more third-party data breaches appear in the news every day.
And, in the Opus-sponsored study on Data Risk in the Third-Party Ecosystem by the Ponemon Institute, we found that data breaches caused by third parties are on the rise. 56% of respondents said they have experienced a data breach as a result of sharing sensitive information with a third party.
Third party information security risk management enables you to minimize the hazards of sharing sensitive data with third party vendors — data that’s often necessary for your company’s third party partnership to succeed.
Businesses that frequently review their third-party risk management policies and programs are 18% less likely to suffer a data breach. As a result, companies can safely capitalize on new business opportunities with less worry.
A strong information security risk management plan puts controls in place to monitor risk related to vendors, suppliers, counter-parties, partners, and customers so that you can more easily mitigate or manage issues if and when they arise. Though no one can guarantee a breach will never occur, taking a holistic and comprehensive approach to third party risk management can reduce the odds your company will experience the operational, financial and reputational hazards of a third party data breach.
Bribery and Corruption
A second large area of concern for companies is bribery and corruption risk.
Every year, over $1.5 trillion is paid in bribes, and an estimated $2.6 trillion is stolen annually through corruption. Additionally, corruption increases the cost of doing business by 10% and hurts individual citizens around the globe.
As with other forms of risk, companies that do business with third parties are responsible for their actions and can face fines and imprisonment, even if the company was unaware of any illegal activity.
Third party risk management programs help prevent this by ensuring third parties have undergone the necessary due diligence to identify and mitigate bribery and corruption risks.
Another factor to consider is the financial health of the third parties with whom you do business.
Your company relies on third parties to deliver on their contractual obligations, but a third party’s product or service quality can be directly influenced by its financial condition. Poor financial health can directly impact your customer experience and your company’s operational success.
With third party risk management, you evaluate a potential third party’s financial risk upfront, staving off potential reputational and monetary losses. It also establishes a process for ongoing monitoring to catch if your third party’s financial health begins to decline.
Environmental & Social Accountability
Companies today are devoting more energy and resources toward mitigating any negative operational impact on the environment and society. To do so, they must ensure their third parties operate in compliance with environmental and social accountability standards and best practices. Key areas of environmental risk include compliance with laws and regulations and implementing sustainable business practices around energy, waste handling, materials and more.
Social accountability risk centers on third party compliance with employment, health and hygiene, and safety laws as well as monitoring third party child labor and wages practices.
Companies manage third party environmental and social accountability risks by ensuring their third parties are matching their own commitment to the environment and society and meeting relevant laws throughout the business relationship.
Companies that conduct assessments and continually monitor third parties for risk are able to protect and enhance their reputation in this area of high-profile concern.
Supply Chain Disruption
Supply chain disruption is another key concern. Working with numerous third parties around the globe exposes companies to natural disasters, cost volatility, political crises, infrastructure concerns and more. A disruption in the supply chain can shut down business operations, ceasing manufacturing, payments and other business imperatives.
A third party risk management program can help companies identify and manage supply chain risks to reduce vulnerabilities and ensure they are prepared in case of an unanticipated disruption.
Regulatory compliance requirements around information security, data protection, and Anti-Bribery and Corruption (ABAC) are growing in number and becoming more complex. It’s difficult for organizations to keep up with compliance internally — and they also have to make sure third parties are adapting to new requirements to minimize risk.
A third-party compliance failure can result in significant fines, take a big cut of a company’s revenue, damage customer relationships and erase a decades-in-the-making brand image.
Where to Start with Third Party Risk Management
Managing third party risk takes time and effort, but it doesn’t have to consume your budget or wear out your resources. Many corporations wrongly believe that third party risk management plans are only for financial firms with unlimited funds. In fact, the average mid-sized corporation can afford to significantly lower third-party risk through smart prioritization.
Why does your company need a strong third party risk management plan?
Let’s start by considering some of the things that increase business risk.
If your company operates online, uses offshore developers or partners, uses third-party credit card processors, leverages partners in order to sell your product, operates in a concentrated supply chain, or relies heavily on a single vendor, you should have a strong third party risk management plan in place.
Several recent data breaches and compliance lapses are a case in point: consider Hyatt Hotels, Domino’s and Pizza Hut, and Lone Star Bank. An effective risk management program could have significantly reduced the likelihood of these ever occurring. No matter how big or how small your company is, if you use third-party vendors, you need to have a plan.
Compliance and risk management must start from the top of a company to be successful. When top-level executives don’t believe in or understand its merits, your plan may not get the resources and time that it needs to properly mitigate third party risk. Third party risk management plans are not a necessary evil, but a proactive process that can help solve potential third party problems and free up valuable resources.
A best practice is to take a “risk-based approach” to managing third parties. Start by determining the most pressing sources of risk and then direct the bulk of your effort toward mitigating those risks. In general, start by asking these basic questions:
- Who are your third parties?
- What services do they provide?
- Which introduce the most risk and are most important, what are their specific risks, and how can any risks be mitigated?
Once you have identified your company’s risks, another risk management best practice is to develop an up-to date, real-time inventory of all of your company’s third parties.
This inventory details the nature of each relationship and its associated risks, such as third parties with access to sensitive information and are sharing your data with one or more of their own contractors.
Most important, the inventory should not be static. Third-party risk factors must be continually monitored and all new data compiled within the inventory.
The foundation of any risk management program is buy-in across the company of the necessity and benefits of monitoring third-party risk. By making third-party risk a business priority, companies can monitor compliance, avoid fines and ultimately safely expand into new areas.
Keep in mind, third party risk management is not a one-size fits all approach. When planning how your company will assess and manage risk, it’s best to have a strategy in place. For in-depth advice on building your own strategy, Opus’ VP of Innovation and Alliances, Dov Goldman wrote this article on building an effective third party risk management strategy for your company.
The Changing Regulatory Landscape of Third Party Risk Management
Globalization and digital transformation have completely transformed the landscape of third party risk management over the last several years. The internet has erased the boundaries of state and country lines. Companies now operate within integrated and connected marketplaces that have cross-border movement of goods and capital. This has made risk management a bigger concern for companies than in the past for a number of different reasons.
Because the digital world is always on and always accessible, smart companies are moving their services online to reach customers where they are. Digital transformation is driving company growth, but is also a large source of third-party risk. In today’s connected world, it’s common to work with multiple third parties who will store, process, or in some way handle your customers’ personal data — from payment processors to mailing houses and marketing agencies.
This constant flow of data increases the risk of a security breach. A strong risk management plan, however, can develop strategic internal thinking about the reality of risk and how to make sure data is protected when expanding product offerings. A conscious focus on protecting customers while also developing innovative digital experiences is a clear business advantage when navigating the evolving regulatory and cybersecurity landscape. This is particularly true as governments continue to develop more stringent data management regulations and impose heavier fines for compliance failures.
In addition to information security risk, regulators are also introducing new financial requirements around anti-bribery and corruption and more. For many organizations, maintaining compliance with rapidly changing regulations is a key concern, and a challenging task. Adding to the burden is the need to make sure third parties are in compliance as well. A third party’s failure to evolve with new standards introduces significant risk and the potential for serious fines and reputational damage.
In response to marketplace changes, today’s governments are taking a more active role in compliance by creating new regulations and increasing efforts on enforcement. Global anti-bribery laws are also popping up as government regulations are no longer confined to the U.S. and U.K. Several new standards and regulations are coming into effect within the next year that will only increase the importance of third party risk management.
General Data Protection Act (GDPR)
In May 2018, GDPR will replace the 1995 Data Protection Directive, changing the way businesses and organizations that operate in the EU deal with data privacy and creating modern standards to better protect EU citizens.
GDPR focuses on gaining consent for processing personal data and will apply not only to EU organizations, but to any entity that monitors the behavior of EU citizens or provides them goods and services.
When preparing for GDPR requirements, companies must consider their third-party risk, particularly regarding their exposure to a data breach. Companies need to assess their third parties for GDPR compliance, as they can also be held responsible for any lapse. In recognition of this risk, Opus developed a tool for clients to conduct third-party GDPR risk assessments.
For companies, third parties are a significant source of bribery risk. The ISO 37001 standard is offering organizations a detailed, consolidated and completely voluntary set of guidelines for best practices in anti-bribery compliance. Whether used to monitor high-risk third parties or as part of onboarding, ISO 37001 provides benchmarks companies can use to make sure third parties meet anti-bribery compliance expectations. Including the standard as part of a third party risk management program has already proved effective.
While authorities all over the world begin to recognize the importance of third party risk management, small and large corporations are starting to consider more robust risk management plans for their various vendors and partners.
How Opus Can Help Manage and Mitigate Your Company’s Third Party Risks
Nothing worth doing in life comes without risk. It’s how you manage your risks that can make or break your business.
Identifying all relationships across your organization, gathering the necessary information on each and effectively assessing their compliance can be extremely time-consuming and complicated if done manually.
By managing your third party risk with our technology-based approach, Opus allows your business to free up its resources so that you can focus on what you do best.
Our solutions address third party risks including the following: anti-bribery and corruption, information security, financial viability, performance management, compliance and onboarding. Today, the world’s most respected, global corporations rely on Opus to relieve their business of the complexity and uncertainty of managing customer, supplier, and third-party risks.
Keep up with the changing world of third party risk.
More about Opus
Opus is a global risk and compliance SaaS and data solution provider. Today, the world’s most respected global corporations rely on Opus to free their business from the complexity and uncertainty of managing customer, supplier and third-party risks. By combining the most innovative SaaS platforms with unparalleled data solutions, Opus turns information into action so businesses thrive.