Too often, business lines, as well as departments such as sourcing, IT, and risk management, operate in silos, leading to a non-uniform and static view of third parties. The lack of a common taxonomy when onboarding third parties, conducting risk assessments, or monitoring third-party controls leads to an environment where the risks and information around these entities are relatively
Due to the sheer size and complexity of the supplier base, many organizations find it difficult to track third-party performance. While contracts contain service level agreements (SLAs), they at times do not have well-defined parameters for third-party evaluation and penalty clauses. As a result, the ability of organizations to measure supplier compliance and performance, and to hold suppliers accountable for issues and incidents, becomes limited.
While companies may have well-defined processes to identify third-party risks, they often don’t have plans and systems in place to respond to and recover from a significant risk event such as a third-party data breach. The traditional method of conducting third-party assessments may provide insights into probable risks, but to be truly effective, it needs to be followed up with business continuity plans and measures which ensure that the organization is well-prepared to deal with and bounce back swiftly from a third-party risk event that does occur.
Third-party risk issues around sensitive areas such as data breaches, corruption, bribery, and misconduct are leading to increased regulatory oversight and fines. In the financial services sector alone, strict regulatory guidelines around third-party risk management and governance have been defined by authorities such as the Federal Financial Institutions Examination Council (FFIEC), the Office of the Comptroller of the Currency (OCC), the Financial Conduct Authority (FCA), the Monetary Authority of Singapore (MAS), the Australian Prudential Regulatory Authority (APRA), and the Hong Kong Monetary Authority (HKMA), as well as New York’s new cybersecurity rules from the Department of Financial Services, the Foreign Corrupt Practices Act (FCPA), and the EU GDPR, across jurisdictions such as the US, EU, Singapore, Australia, and Hong Kong.
Organizations will increasingly seek timely risk insights on vendors in emerging technology areas such as cloud services. Many firms are looking to GRC tools to not only manage third-party onboarding, but also to monitor third-party risks based on the scores and data from multiple external content partners. These partners provide ratings on supply chain risks, financial risks, sustainability, cybersecurity, anti-corruption, and anti-bribery which can help organizations create a unified risk score for their third parties.
Effective supply chain management programs will be those that integrate the upstream and downstream supply chain, extending from suppliers, to internal operations, to logistics, and finally, customers. By linking these entities, organizations will be able to simplify data exchange, and improve visibility into their third-party ecosystem, thus enhancing their ability to identify and respond to third-party risk exposures.