From trust to security: managing third-party risks
January 2025 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine, January 2025 issue
Trust is a valuable commodity. This is certainly true in the world of business, where the ability to be honest, open and completely trustworthy is often the bedrock of successful trading relationships.
Between a business and its third-party vendors, this is undeniably so. Many companies rely heavily on third parties to help get products to market faster, as well as to run business operations or provide other critical services.
Such relationships are proliferating. A 2024 survey by The Cyentia Institute and RiskRecon found that companies are becoming increasingly reliant on a larger number of third parties, with 26 percent of respondents stating they managed over 250 vendors – a significant increase from 13.5 percent in 2020.
However, while third parties can be a true asset, providing a wide range of products and services to meet the diverse needs of companies, they can also introduce a host of risks that can compromise the confidentiality, integrity and availability of sensitive information and critical systems.
According to Deloitte’s ‘Third-party risk is becoming a first priority challenge’, while the threat landscape is constantly evolving and new threats are on the rise, risks typically fall into one of the following three categories based on how they threaten to impact a company’s business.
The first is the risk that a third party could damage a company’s revenue or reputation. For instance, a company’s reputation is on the line if a supplier provides it with a faulty component for its goods.
The second is the risk that a third party will impact a company’s compliance with legislation or regulation. For example, if a supplier violates labour or environmental laws, the company can still be found liable. Outsourcing does not mean the end of responsibility.
And the third is the risk that a third party could disrupt a company’s operations. For instance, if a software vendor is hacked, the company may be left with a downed system.
What is also certain is that these risks are escalating. Testifying to this is a 2024 study by Prevalent in which 61 percent of surveyed companies reported experiencing a third-party data breach or security incident in the past year, marking a 49 percent increase from the previous year.
Further illustrating the extent of the risks posed by third parties is analysis by KPMG which found that 73 percent of companies have experienced at least one significant disruption caused by a third party within the past three years. In addition, a study by SecurityScorecard found that 98 percent of companies have a relationship with a third party that has been breached.
“Historically, third-party risk has implied bribery or sanctions violations,” says Dan Hartnett, director of third party risk at LSEG Risk Intelligence. “However, in recent years, this has broadened to new risks, such as cyber, data privacy, geopolitical, environmental, social and governance (ESG) and bankruptcy risks.
“It is also no longer just about immediate business partners,” he continues. “Recent global regulations have expanded the focus horizontally to supply chain partners and vertically to the owners of a business partner. While technically any business relationship can create risk, traditionally suppliers, agents and intermediaries have been seen as the riskiest.”
Thus, as more goods and services are outsourced, companies face rising privacy, security, compliance and operational risks, making the effective management of third parties mission critical.
Assessing risks
Recent years have seen dramatic changes in business, technology and regulatory environments, and these changes are reshaping how companies think about risk, and about third-party risk in particular.
“Due to the significant legal, financial and reputational damage third-party risks can cause, companies are placing an emphasis on screening business partners before working with them,” says Priya Nallan, head of risk product management at LSEG Risk Intelligence. “Larger, more global companies, and especially those that are regulated, tend to have the most mature programmes.”
However, according to a study by The Hackett Group, 22 percent of companies assess risks only during supplier onboarding, although continuous assessment throughout the lifecycle is more common.
“Responsibility for risk assessment depends on the risk type, with many companies having dedicated teams for each risk domain but oftentimes working in silos,” notes Nick Xiao, a principal at The Hackett Group. “To manage risk assessment at the enterprise level, we recommend a council-led approach. Due diligence is often concentrated in select risk domains or overlooked in favour of expediting relationships, with contracting prioritised.”
However, despite having dedicated teams in place, many companies still rely on outdated compliance tools. According to Prevalent’s 2024 ‘Third-Party Risk Management Study’, half of the surveyed companies still rely on spreadsheets and multiple disparate tools to assess and manage their third-party relationships.
Establishing a TPRM programme
Companies with extensive third-party arrangements need to establish a third-party risk management (TPRM) programme that can detect, assess and minimise potential risks associated with their suppliers, distributors and partners, while regularly monitoring any change in status.
“To develop an effective TPRM programme, companies need to identify key risk domains and gather responsible stakeholders, such as legal for legal risks,” opines Mr Xiao. “Create a list of risks and questions to assess each area, then assign a central risk score to reflect the inherent risk without mitigation.
“Then, work with suppliers to gather more information or develop action plans to reduce risks,” he continues. “After implementing actions, reassess and assign a residual risk score. This process can be tailored based on the organisation’s risk exposure and programme maturity.”
In its 2024 analysis ‘How can businesses protect against third party risk?’, The Security Company (TSC) puts forward key steps, outlined below, to help companies establish a TPRM programme that provides a resilient defence against potential risks.
First, assess the third party’s security levels. This involves scrutinising its cyber security practices, training and awareness, data protection policies and incident response capabilities. A comprehensive evaluation provides insights into potential vulnerabilities, enabling organisations to make informed decisions regarding the level of risk associated with a partnership.
Second, include third party security protocols in vendor contracts. Effective third-party security begins with clear and enforceable protocols outlined in vendor contracts. These agreements should articulate expectations regarding data protection, access controls, incident reporting procedures, and compliance with industry standards and regulations. By doing this, organisations establish a shared commitment to maintaining a robust security posture.
Third, identify responsible individuals and decision makers. Designating key individuals within the company to oversee and manage third-party relationships is pivotal. These individuals serve as the point of contact for security-related matters, ensuring effective communication and decision making. As a result, companies can respond swiftly to security incidents and effectively implement uniform security protocols.
Fourth, continually audit and reassess third-party vendors. Cyber threats are dynamic and ever evolving, making regular audits and reassessments of third-party vendors a necessity. Periodic evaluations ensure that external partners adhere to agreed-upon security measures and remain aligned with the company’s evolving security standards.
Lastly, build offboarding protocols for partnership terminations. While onboarding is crucial, establishing clear offboarding protocols is equally important. When terminating partnerships with third-party vendors, companies must have procedures in place to secure the transition. This includes ensuring the secure transfer or deletion of data, revoking access rights, and conducting a final security assessment to mitigate potential risks associated with the termination.
“The best programme is one that is tailored to a company’s specific situation,” suggests Ms Nallan. “It should start with a clear understanding of who all the third parties are across the entire organisation, categorising them into low, medium or high risk categories based upon logical, objective criteria.
“Companies should also implement a risk-based approach focusing often limited resources on higher risk third parties,” she continues. “Regardless of the third party’s risk score when they were onboarded, it is important to set up a robust mechanism to monitor them after onboarding – risk does not stand still, and neither should the programme.”
Also important, contends Ms Nallan, is for companies to invest in advanced technologies such as artificial intelligence (AI), blockchain, and real-time data analytics to improve visibility, transparency and response times, overlaid with strong governance and regular audits.
Non-disruptive termination
While the onboarding of new third parties is a key process and a critical part of a TPRM programme, the termination of a relationship is also an important aspect, but one that often receives much less attention.
Ideally, companies should have processes in place to identify when and how third parties should be terminated and to ensure completion of the procedures associated with proper termination of the relationship. To ensure consistency, these processes should be automated across the organisation.
“It took a global pandemic to highlight the risk of overreliance on a supplier, or so-called concentration risk,” affirms Mr Hartnett. “While sometimes unavoidable, it does increase the risk in a business relationship, especially if it is for a critical part or service. Having additional third-party options can help minimise the chances of a disruption should your primary supplier no longer be a viable option.”
In the view of Mr Xiao, the process of replacing a vendor should mirror the due diligence applied at onboarding. “Rather than treating offboarding as a reactive and tactical activity, companies should implement a risk mitigation approach to offboard a supplier to manage potential risk, such as handling of secure and private data after the relationship ends, and alignment of IP ownership,” he suggests. “This proactive approach can help mitigate potential disruptions after offboarding.”
Evolving risks
With companies increasingly outsourcing goods and services, the third-party risk landscape will continue to evolve, with a host of privacy, security, compliance and operational challenges lying in wait.
“Common challenges include managing fourth-party risks, integrating risk programmes with ‘procure to pay’ processes, leveraging technology for better risk assessments and navigating ESG challenges,” says Mr Xiao. “Also of concern are regulatory risks, with countries, especially in the European Union, punishing companies for associations with human trafficking or corruption, and force majeure events, which are unpredictable but require contingency planning for supply chain continuity and resilience.”
Also of concern is the rise of instantaneous communications such as social media. “Such technology means that negative incidents involving third parties can quickly affect a company’s reputation, even if the company itself was not directly involved,” says Ms Nallan. “Mitigation requires strong collaboration between legal, IT, procurement and compliance teams to ensure such risks are addressed across the enterprise in a timely manner.”
With 2025 about to unfold and the world increasingly filled with risk, such collaboration is essential to ensuring that companies understand the varied and evolving risks they face. In doing so, they will manage third-party risk effectively and respond quickly and thoroughly in the event a material incident occurs.
© Financier Worldwide
By Fraser Tennant