In a world of risk: third party risk management in 2022
July 2022 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
July 2022 Issue
Third party risk management (TPRM), the form of risk management that focuses on identifying and reducing risks arising from the use of third parties (i.e., vendors, suppliers, partners, contractors or service providers), seems more important than ever in 2022.
Serving to underline that contention are major events such as the coronavirus (COVID-19) pandemic and the military conflict between Russia and Ukraine – both of which have significantly changed the third party risk landscape and impacted companies across industries globally.
Given that they span a multitude of goods and services necessary for companies to operate, third-party relationships naturally come with a certain amount of risk. Third parties expand the human capital footprint, technology access and environmental impact of a company, among a multitude of other ramifications.
“Third-party contractors, especially technology vendors, are becoming increasingly integrated in every business function and industry, including core business functions,” observes Navex Global in its ‘Third-Party Guide to Risk Management’. “Outsourcing work makes it possible for business to be responsive and agile in a disruptive environment. But third parties also introduce risk, up and down the supply chain.”
Moreover, increasing public, investor and internal attention on how companies conduct their business brings further scrutiny – such as the growing awareness of environmental, social and governance (ESG) issues – not just of the primary company in question, but also the risks posed by its third-party relationships.
“While third-party risk is not a new concept, recent events and a greater reliance on outsourcing have brought the discipline into the forefront like never before,” states the OneTrust blog ‘What is Third-Party Risk Management?’. “Disruptive events, such as the COVID-19 pandemic, have impacted almost every business and their third parties – no matter the size, location or industry.
“Most modern companies rely on third parties to keep operations running smoothly,” the blog continues. “So, when a company’s third parties, vendors or suppliers cannot deliver, there can be devastating and long-lasting impacts.”
Enter TPRM. Boiled down, TPRM involves identifying, assessing and controlling risks that occur due to interactions with third parties. According to BlueVoyant, TPRM helps ensure third parties: (i) comply with regulations; (ii) avoid unethical practices; (iii) protect confidential information; (iv) strengthen supply chain security; (v) maintain a healthy and safe working environment; (vi) handle disruptions effectively; and (vii) achieve high performance and quality levels.
Testifying to the importance of TPRM is new research by KPMG International, which surveyed 1263 senior TPRM professionals across six sectors and 16 countries worldwide and reveals that TPRM is a strategic priority for 85 percent of companies, up from 77 percent before the outbreak of the pandemic.
Bread and butter third-party risks
In addition to the third-party risks generated by seminal events such as the COVID-19 pandemic and the conflict in Ukraine, there are many bread-and-butter third-party risks for companies to contend with, including those cited by BlueVoyant, outlined below.
First, cyber security risk. A third party can expose a company to a cyber attack that results in data exposure or loss. Companies can mitigate this risk by performing due diligence before onboarding new vendors and by continuously monitoring vendors throughout the relationship lifecycle.
Second, operational risk. A third party can disrupt business operations. Companies can manage this risk through service level agreements (SLAs), and by setting up a backup vendor to ensure business continuity.
Third, compliance risk. A third party can impact a company’s compliance with regulations, agreements or legislation, such as the European Union’s (EU’s) General Data Protection Regulation (GDPR). Managing compliance risk is critical for financial services, government organisations and healthcare facilities.
Fourth, reputational risk. A third party can introduce risks that negatively impact public opinion. A third-party data breach caused by poor security controls, for example, may lead to inappropriate interactions, poor recommendations and dissatisfied customers.
Fifth, financial risk. A third party can negatively impact the company’s financial success. For example, poor supply chain management may reduce sales or result in no sales at all.
And sixth, strategic risk. A third party’s failure may cause a company to miss its business objectives.
Of these, data breaches and cyber security incidents are particularly common sources of third-party risk. Indeed, according to OneTrust, more than half of the breaches that have occurred over the past two years can be attributed to a third party.
It should also be noted that these risks will often overlap. For example, a company experiencing a breach that results in compromised customer data faces operational, reputational, financial and compliance risks.
Best practices
In order to identify and respond to the risks posed by third parties, companies are well-advised to implement a third-party assessment programme – a TPRM plan that can effectively navigate the complexities inherent in an increasingly globalised business environment.
“TPRM is designed to give companies an understanding of the third parties they use, how they use them and what safeguards their third parties have in place,” affirms OneTrust. “The scope and requirements of a third-party risk management programme are dependent on the company and can vary widely depending on industry, regulatory guidance and other factors. Many TPRM best practices are universal and applicable to every business or organisation.”
According to Navex Global’s ‘9 Tips Best Practices for Third-Party Risk Assessments’, the practices listed below can help companies to stand up a streamlined third-party assessment programme.
First, understand risk appetite. Regulatory bodies usually advise on whom to assess and how often. However, determining which questions to ask in an assessment is frequently left to companies. To determine how an assessment might impact policies and procedures, companies should build and test a third-party assessment programme internally, using questionnaires that reflect their risk appetite.
Second, classify vendors. Companies should develop a method for classifying vendors to identify third parties that are in-scope and require assessments. This helps them to ensure they do not assess third parties unnecessarily or miss assessing third parties that pose a risk to their organisation.
Third, improve the data collected. Obtaining data is one of the biggest challenges in managing third-party risk, and a high-quality assessment is key. To improve the quality of questionnaires, companies should start with a widely accepted assessment and tailor it to their specific business needs and processes.
Fourth, make assessments easier to manage. If a company does business with a multitude of third parties, it needs a way to make assessments easier to manage. It can speed up the assessment process by giving all third parties a low-threshold assessment with a few flagging questions. For each flagged third party, the company should then send a higher-level, deep-dive assessment for due diligence on risk.
Fifth, pre-populate data for assessments. Assessments are done on a continuous basis and often with the same vendors. If a company’s assessment engine pre-populates data, the entity being assessed only has to address changes. It is less work for them and for the company and may even improve response rates.
Sixth, assess for performance, not just risk. With the right platform, companies can upload service level agreements (SLAs) and make them part of the assessment process. They should compare assessment data to SLAs and then use the analysis to provide feedback to the third party, leverage it in contract renewal, or use it to support switching to another service provider.
Seventh, reassess based on a third party’s expanded offering. When third parties expand the services they provide to a company, their risk profile changes. One of the best ways to address this is to periodically assess third parties for changes and update risk profiles accordingly. This way, a third party’s risk profile is always current.
Eighth, look beyond financial risks with third parties. Most companies assess third parties to manage financial risk. Sometimes small risks open the door to more serious consequences. Losing revenue can cause problems, but it is recoverable. Losing reputation may not be.
Ninth, dependency creates a business continuity risk. Any third party can be a business continuity risk. The litmus test is: if a third party’s service stopped, would it interrupt the company’s own operations? Maybe it is the provider of IT services or a supplier with a key role in the supply chain. Third parties on which a company is greatly dependent can pose business continuity risks that a risk assessment can identify.
“When looking to improve TPRM programmes, communicating the value a given risk management programme provides a company by regularly reporting to leadership is critical,” adds Navex Global. “Having metrics and defined values established for the data available to the risk programme will promote decision-making or responses to issues and events.”
That said, it should be noted that while a risk assessment template can be helpful in guiding the third-party audit process, understanding what to report, when, and to whom can be challenging with so many vendors, stakeholders and data points.
“For many industries, reporting is driven by regulations which ultimately hold executive leadership and the board accountable for compliance,” adds Navex Global. “Yet even in a less-regulated company, senior leadership will require data and analysis to determine the degree of compliance, health and stability of the programme.”
Properly compiled and disseminated, such data should provide a company with a detailed lens into the level of risk it may be subjected to, as well as the degree to which it and its third parties are compliant.
Outlook for TPRM
The world of third-party risk is constantly evolving. Companies have had to scramble to adjust their operations in recent years – an adjustment driven chiefly by an unprecedented global pandemic and, more recently, by Europe’s largest conventional military assault since World War II.
“The conflict in Ukraine, sanctions impacts, and related cyber and operational risks have caused companies to critically review their third-party risk exposure and engage in urgent third-party outreach,” states analysis by S&P Global. “Companies have been invoking their incident management and business continuity plans, working to refresh and extend their understanding of their potentially impacted third parties.”
In the view of Navex Global, third parties have become an integral part of the modern business model. “More than simply suppliers, third-party vendors, service providers and the like are seen by customers as an extension of a company’s own operations,” it concludes. “Therefore, any risks introduced by third parties are, by default, the company’s risks too.”
Ultimately, and today more than ever, relying on third parties can be dangerous. Thus it is vital for companies to have recourse to an effective TPRM programme – not only for identifying and reducing the third-party risks they face, but to ensure their ongoing safety and success.
© Financier Worldwide
By Fraser Tennant