Everything You Need to Know About Third-Party Risk Management
The Resilient Enterprise | The riskmethods Blog
When you understand the threats posed by suppliers, vendors and other companies, learning to manage third-party risk is as easy as 1-2-3. Read on.
When enterprises outsource production or services, they must also manage the risk that these outside businesses pose. So, the definition of third-party risk management (TPRM) is "managing threats posed by organizations you do business with." The term is often used interchangeably with "vendor risk management" or "supplier risk management," because vendors and suppliers are classified as third parties - but so are agencies, contractors and infrastructure providers, among others.
Basically, any organization that sells you products or services exposes you to risk. However, many companies manage third-party risk with a siloed approach. The finance or IT department may know most of its own relevant third parties, but not have a complete picture. This is unfortunate, because a disruption in one part of the enterprise will most likely affect overall operations.
For example, you probably know that your financial software vendor is based in Jaipur, India, but who lets you know if flooding shuts down its main office temporarily? A better approach includes third-party risk management tools - such as a world map to visualize risk at the location level. And, because the world operates in real time, you need continuous monitoring that warns you of events as they unfold, so you can react immediately.
Third-party risk management is critical for making sure the companies you are associated with uphold relevant laws, regulations, and industry standards. Traditionally third-party management addresses risk arising from financial health, IT security or data protection. Yet compliance and reputational risk are also important. Consumers can be unforgiving when unfair practices at a third party come to light – and your company is likely to suffer the consequences.
As third-party relationships continue to expand, governments have introduced more regulations. To help you deal with the complexity, your third-party risk management process should include aspects of advanced supply chain risk management. You'll need a third-party risk framework to assess the criticality of risk objects, along with a set of collaborative plans for handling third-party risk events. We are big believers in a three-step process: identify, assess and mitigate risk.
As described in our third-party risk management whitepaper, your benefits include greater resilience and increased risk awareness. This is relevant to all organizations and across all industries.
When onboarding new partners, procurement performs a rigorous third-party risk assessment (also called vendor risk assessment, supplier risk assessment or third-party vendor risk assessment). Typically, you collect information from the companies through questionnaires or interviews, and perhaps involve external ratings providers. Such assessments help uncover weaknesses or vulnerabilities among your third-party vendors and suppliers, and you qualify and classify the third-party risk posed by each company based on the data gathered.
As part of your assessment, you might ask: What is third-party compliance? Your due diligence process includes making sure that third parties comply with regulations and have the same level of ethical conduct as your enterprise does. When companies that you are associated with break the rules and expose you to risk, you can suffer severe financial, reputational or legal consequences, including high fines.
In a business context, third parties are any external providers of products or services to a company. Vendors are third parties, and so are suppliers. Typically, the vendor is the seller, but not necessarily the manufacturer of the goods. Companies that provide IT services, for example, are commonly referred to as vendors, whether or not they develop the software. The terms vendor, third party and third-party vendor are often used interchangeably. Sometimes, the term third-party vendor is used to refer to entities that provide products on your behalf to your customers.
If you'd like to know who is considered a third party in business, here is an example. In a business transaction, the first party is the seller, and the second party is the buyer. The third party is a business that is not directly involved in the sale but has in some way contributed. So, the third-party vendor may have developed the software used in the finished product. By the way, in this context, the word "party" has its origin in "part" - as does the word "participant" - to indicate that the entity being referred to is one of several actors.
Enterprises might work with hundreds of third-party vendors, each with different contract terms, pay rates, and contacts. Through vendor management you can obtain quotes, determine capabilities, evaluate performance, and so on. Yet many companies do not comprehensively manage third-party risk nor conduct enterprise-wide reporting on risk management efforts.
When each business segment manages its own third-party risks from a silo, it is impossible for a large enterprise to understand its total risk exposure. Indeed, among companies with supply chains, few are able to name all of their first-tier suppliers and their locations, and even fewer know all of their sub-tier suppliers. The situation is at least as complex when managing a wide range of third-party vendors.
In supply chain risk management, we talk about the ripple effect of disruption. First, you have the direct costs of disruption and the clean-up that follows. But expense or lost revenue spreads out to other areas within the enterprise, including quality control, customer service, business interruption, and so on. The circles grow bigger as the disruption ripples reach your customers, consumers and employees, damaging morale, profits and your reputation.
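The flooding question above ("who lets you know if the vendor's office shuts down?"), the sub-tier visibility gap, and the ripple effect all come down to one data structure: an inventory of third parties with their locations and the sub-tier suppliers each one depends on. The following example, added here and not code from riskmethods or its product, builds such an inventory (the supplier names and locations are constructed sample data; only "Jaipur" comes from the page) and, for a location-level event, walks the dependency graph backwards to find which first-tier suppliers are hit directly and which are hit only through a sub-tier supplier. It also lists sub-tier suppliers that are referenced but never inventoried, which is exactly the blind spot the text describes.

```python
"""Location-based impact analysis over a third-party dependency graph (added example)."""
from collections import deque

# Constructed sample inventory (illustrative names, not real companies).
# Each third party records its location and the sub-tier suppliers it depends on.
INVENTORY = {
    "fin-software":  {"location": "Jaipur",    "depends_on": ["cloud-host"]},
    "cloud-host":    {"location": "Frankfurt", "depends_on": []},
    "pcb-assembler": {"location": "Munich",    "depends_on": ["chip-broker"]},
    "chip-broker":   {"location": "Jaipur",    "depends_on": ["wafer-fab"]},
    # "silicon-source" is referenced but never inventoried: an unmapped sub-tier supplier.
    "wafer-fab":     {"location": "Hanoi",     "depends_on": ["silicon-source"]},
    "logistics":     {"location": "Hanoi",     "depends_on": []},
}
# Third parties the enterprise contracts with directly (first tier).
FIRST_TIER = {"fin-software", "pcb-assembler", "logistics"}


def reverse_edges(inventory):
    """Map each supplier to the suppliers that depend on it (sub-tier -> its customers)."""
    rev = {name: set() for name in inventory}
    for name, rec in inventory.items():
        for dep in rec["depends_on"]:
            rev.setdefault(dep, set()).add(name)
    return rev


def suppliers_at(inventory, location):
    """Suppliers whose recorded location matches the event location."""
    return {name for name, rec in inventory.items() if rec["location"] == location}


def ripple(inventory, hit):
    """Transitively collect every supplier whose supply chain passes through a hit supplier.

    Breadth-first search over the reversed dependency edges; the 'seen' set also
    guards against cycles in a mis-recorded inventory.
    """
    rev = reverse_edges(inventory)
    seen = set(hit)
    queue = deque(hit)
    while queue:
        current = queue.popleft()
        for upstream in rev.get(current, ()):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return seen


def unmapped_dependencies(inventory):
    """Sub-tier suppliers referenced in depends_on but missing from the inventory.

    These have no location on record, so no location-level event can ever be matched to them.
    """
    known = set(inventory)
    referenced = {dep for rec in inventory.values() for dep in rec["depends_on"]}
    return sorted(referenced - known)


def impact_report(inventory, first_tier, location):
    """Which suppliers an event at `location` hits, directly and through the ripple."""
    direct = suppliers_at(inventory, location)
    affected = ripple(inventory, direct)
    first_tier_hit = affected & first_tier
    return {
        "direct": sorted(direct),
        "indirect": sorted(affected - direct),
        "first_tier_affected": sorted(first_tier_hit),
        # First-tier suppliers that look fine on a map but are exposed through a sub-tier.
        "first_tier_via_sub_tier_only": sorted(first_tier_hit - direct),
    }


if __name__ == "__main__":
    for event_location in ("Jaipur", "Hanoi"):
        print(event_location, impact_report(INVENTORY, FIRST_TIER, event_location))
    print("unmapped sub-tier suppliers:", unmapped_dependencies(INVENTORY))
```

A flood in Jaipur hits `fin-software` and `chip-broker` directly, but the report also flags `pcb-assembler` in Munich, which only appears because its sub-tier chip supplier is recorded; a siloed view that stops at the first tier would miss it. The `unmapped_dependencies` output is the list to chase down before the next event, since an unrecorded supplier can never trigger a warning.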
Managing third-party vendors becomes easier when you have a third-party risk management solution built for the task. The riskmethods Solution™ provides comprehensive risk coverage, is customizable and scalable, and even makes reporting simpler for you.
When talking about a "third-party insurance policy," you are the first party, the insurance company is the second party, and another entity is the third party. So, although the term "third-party insurance policy" does not relate directly to third-party vendors, the concept is useful in the context of risk management.
This is because third-party insurance protects you against the claims by a third party for damage suffered when adverse events materialize. As an example, we can look at some consequences of cyber risk, and what is covered under first-party risk insurance versus third-party risk insurance.
What is first-party cyber risk coverage? In general, first-party cyber risk insurance covers you against losses directly resulting from a cyberattack. For example, it would repay what you spend to restore your systems, to repair or replace hardware or software, or possibly even the business you lose from downtime.
Third-party risk insurance, on the other hand, might reimburse the cost of notifying your clients, perhaps cover court fees if a customer decides to sue you, or pay certain other damage claims. Because the damage from a data breach can cost companies millions of dollars, handling cyber threats is an increasingly urgent focus of third-party risk management, particularly as cyber criminals often get in through the weakest security link in your supply chain - which may be one of your third parties. Managing cyber risk across your third-party network is critical to protecting your business.
At riskmethods, we believe that modern third-party risk management (supplier risk management, vendor risk management) should include aspects of supply chain risk management. Let our power of three – identify, assess and mitigate risk – work for you.