Third-Party Risk Management
Third-party relationships have become a fulcrum of successful operations for agile organisations in the transformative age – a time of both limitless opportunity and unprecedented risk. These opposing forces are inherent in the process of working with vendors in today’s increasingly complex and competitive global marketplace. Yes, these relationships have become critical to cost reduction, increasing capability, enhancing customer experience, accelerating speed-to-market, and protecting reputation – but they expose businesses to extra layers of risk. This adds complexity to the organisation’s risk profile – a challenge that has been accentuated by the COVID-19 pandemic amid dislocated supply chains and a wave of targeted cyber-attacks.
Take cyber risk, for example. An organisation’s attack surface expands the moment it engages a third party, amplifying an already prominent threat. The ransomware attack on Apple through its vendor Quanta in 2001 is a high-profile example of how quickly things can go wrong without appropriate controls. A nefarious hacker group compromised Quanta and, with it, the access to information the two companies shared, then released privileged data ahead of Apple’s product announcement in an attempt to extort Apple.
The more complex the network of third-party relationships – suppliers, distributors, intermediaries, logistics providers, service providers, customers – the greater the potential for reputational and regulatory risk. Businesses must ask themselves: Do we really know who we are doing business with? From third parties not disclosing that they are using subcontractors to those with insufficient controls that fall short of regulatory requirements, this strategic risk can blindside a business – and the regulators are watching. A raft of regulations that aim to deter corrupt practices like bribery, slavery, and money laundering expose businesses to the risk of legal liability, remediation costs, and reputational damage if the third parties they deal with fail to comply.
Therefore, third-party non-compliance is not just the vendor’s problem. When oversights arise around business practices, ethics, privacy, safety, quality, human rights, corruption, security, or the environment, both organisations will be held accountable. To mitigate these risks, businesses must achieve strong governance and oversight of their extended control environment. This includes visibility and influence over supply chains and material third-party risks, such as cyber and data privacy.
Third-party risk has traditionally been managed in a siloed fashion with individuals addressing specific risks relevant to their department or team. This narrow approach fails to consider the business’s risk exposure holistically – a comprehensive view that’s essential to understanding the full extent of third-party risk and managing it enterprise-wide.
To overcome this fragmentation, proactive businesses recruit a Third-Party Risk Manager who is responsible for designing, implementing, and managing a holistic third-party risk management programme. By aligning relevant policies with this programme, including vendor analysis and vendor risk assessments, the manager fosters an integrated approach to managing the myriad risks posed by these external resources.
Robust collaboration ensures relevant policies – which are introduced as part of the selection process – are shared with third parties who must attest to them before joining this secure network. For example, policies linked to third parties regarding service level agreements (SLAs) or key performance indicators (KPIs) are fully documented and agreed upon by both parties – with reports and intelligence created to drive informed decisions and meaningful outcomes.
This third-party risk professional also embeds the agility and foresight needed for the programme to evolve by considering the dynamic nature of the regulatory environment and industry trends – continuously enhancing the business’s third-party risk management capability in the process.
By recruiting someone with strong judgment and decision-making skills, who can influence internal and external stakeholders, the business will benefit from value protection and value creation through the identification and management of vendors that enhance operations.