The modern digital enterprise is more than the sum of its employees, shareholders, and customers. It encompasses a vast and complex network of suppliers, vendors, partners, contractors, and other third parties that interact with the core business in multiple ways. As this ecosystem grows larger and more interdependent, even a small disruption along the chain can have significant implications for everyone downstream.
So, when a crisis of the scale of COVID-19 occurred, its impact on third-party ecosystems was, in many ways, catastrophic. It forced factories to halt the flow of goods. It created shortages in essential supplies and services. It led to shipping delays in almost everything, from automobile parts to medicines. And in doing all this, it pushed organizations to question the efficacy of their third-party risk management programs.
Just about everything we do today has some level of third-party involvement whether we’re aware of it or not.
Over the last few years, third parties have evolved into more than simply “cost containers”. They’re often instrumental to the achievement of strategic objectives. This has opened up organizations to a wider spectrum of risks.
A recent EY global survey found that 36% of organizations had experienced a data breach caused by a third party over the past two years. In fact, one of the largest breaches of 2019—which impacted millions of customers at a leading financial services provider—stemmed from a third-party vulnerability.
But breaches aren’t the only third-party risk to worry about. A few years ago, millions of eggs had to be recalled from supermarket shelves across Europe after they were found to have been contaminated by a harmful insecticide from an anti-lice agent supplied to poultry farmers.
More recently, a technology services major suffered a large-scale outage that knocked a whole host of sites online due to a third-party issue.
So, whether it’s an IT glitch, a food safety issue, a cyberattack, or even a global pandemic, third-party risks are becoming increasingly costly and pervasive. If left unattended, they can not only impact an organization’s financial health, but also damage its reputation and market share.
A Deloitte global survey identified six big themes driving third-party risk management or “extended enterprise risk management” (EERM):
While organizations have made significant progress in their third-party risk management programs, COVID-19 has shown us that there is still work to do. This is a good time to review one’s third-party risk management operating models, and identify gaps or opportunities for improvement.
A false assumption that
third parties alone will
take all the steps
necessary to mitigate risks
A fragmented approach to third-party risk management with
data scattered across departments
A lack of timely third-party risk intelligence which, in turn, delays decision-making and action
A limited understanding
of how third-party risks
interact with other
A lack of support from
senior management who
say “We’re not big enough
to be targeted”
The costs and resources involved in monitoring the risks of a vast extended enterprise
The global pandemic has reminded us that we can’t afford to get complacent about third-party risk management. There’s always scope to reflect upon and improve existing processes. With that in mind, here are five best practices to optimize third-party risk management programs.
Third-party risks can come from anywhere. Some may be common to many suppliers and vendors. Others may be specific to a particular business line or geography. The key to staying ahead is to identify and categorize these risks into various buckets such as strategic, financial, compliance, and IT security risks. This can be followed by an analysis of risk drivers.
Third-party risk identification and monitoring must become an ongoing exercise because the risks are constantly evolving. A year ago, the top risk may have been third-party data breaches. But since COVID-19, the big concern is third-party business resilience. Staying on top of these changing priorities is key.
A useful risk prevention tool is the third-party contract—it should clearly define and delineate risk responsibilities, so that there are no ambiguities. Internal policies are also important because they spell out the do’s and don’ts around third-party risk management. When these policies are coupled with robust control testing and monitoring processes, organizations are better positioned to keep third-party risks in check.
Many businesses leverage content from external sources to fill the gaps in risk information. These sources include Dow Jones, Dun & Bradstreet, BitSight, SecurityScorecard, and Transparency International who curate data from media reports, sanction lists, cybersecurity ratings, and other sources to identify potentially high-risk third parties.
A robust third-party screening and due diligence program can help teams make informed decisions about which providers to work with. It provides key facts about a third party’s financial health, compliance status, reputation, and red flags, which can then be used to determine the level of risk monitoring required.
A good due diligence program will also include an assessment of a prospective third-party’s risk management controls and capabilities. This is particularly essential when the provider will be given access to sensitive data. Many organizations use the “Standard Information Gathering” (SIG) questionnaires from Shared Assessments to gather key information about a vendor’s IT, privacy, and data security controls.
Apart from initial due diligence activities, regular risk assessments are important to identify those third parties that pose the highest risks. Organizations can assess and rate providers based on their criticality, risk impact, location, financial viability, and other factors. These insights make it easier to prioritize risk-response strategies.
When different business lines manage different third-party risks, there must be a way of bringing all this risk data into a single source of truth for effective analysis and reporting.
An integrated risk data model makes it easy to understand which risks are associated with which third parties, business lines, controls, and issues. It also highlights the relationship between third-party risks and other enterprise risks. This comprehensive and tightly mapped view of the risk universe helps organizations understand and respond proactively to third-party risks.
Third-party risk management is ultimately just one part of a larger risk, compliance, and resilience program. It includes third-party compliance, performance management, auditing, due diligence, issue management, and more—all of which have to tie in with the overall business risk, compliance, and resilience program and objectives. Integrating all these processes on one unified platform can simplify third-party governance, while also reducing costs.
Today’s enterprises are built on third-, fourth-, and even fifth-party relationships. Yet, not all organizations look that far. They see fourth-party management as the responsibility of their third parties. This isn’t a wise strategy—regulators like the OCC are increasingly indicating that organizations should have sufficient oversight of fourth-party risks.
One way of keeping those risks in check is to contractually bind third parties to get approvals whenever they want to use a fourth party’s services. Organizations should obtain information about the criticality of the fourth party, access to sensitive information, and the controls that the third party has in place to monitor these subcontractors.
Some organizations have joined hands with their third parties to assess and monitor subcontractors. Others are using external risk intelligence to understand fourth-party risks and controls. Whatever the approach, the end objective must be to keep fourth-party risks in sight, and ensure that they are being managed effectively.
While third parties and their risks are growing in volume, the resources available to manage them are being scaled back. As organizations look to do more with less, there are many tools that can help.
For instance, MetricStream Third-Party Management enables organizations to:
Make informed sourcing decisions with timely intelligence on third-party risks, compliance, performance, and issues
Accelerate due diligence and risk assessments with automated risk scoring and aggregated risk visibility
Control third-party risk exposure, and accelerate responses to risk events with risk alerts from multiple data feeds
Quickly identify and resolve third-party issues with NLP chatbots and AI-based analytics
Lower TPM costs through third-party consolidation, rationalization, efficient negotiation of contracts, and SLA tracking
How the Financial Services Giant Built a Safer Payments Ecosystem with a Fourth-Party Risk Monitoring Program.
As one of the world’s largest payments technology providers, Mastercard manages a highly complex operational ecosystem. Apart from its own partners and vendors, the company has a rapidly growing digital network of fourth parties, including processors, data storage entities, digital wallet operators, and payments facilitators.
Previously, there was no visibility into the risk controls in place for these fourth parties. That became a significant issue as thousands of new fourth parties entered the network, bringing with them new risks around data security, fraud, compliance, and more.
In response, the payments giant took the proactive step of building a new fourth-party risk management program, supported by the MetricStream solution for third-party management.
The solution offers Mastercard comprehensive visibility into fourth-party risks. It also enables faster risk assessments with the automatic segmentation of fourth parties into various risk categories. Assessment processes have become more efficient with automatic distribution of questionnaires and population of responses. The solution also provides actionable and timely fourth-party risk insights which have accelerated Mastercard’s risk response.
Read the full case study here.
Third parties play an integral role in business growth and profitability. The benefits they yield can be significant, but the risks they create can do much harm. Many organizations are integrating and automating their third-party risk management programs to build confidence with shareholders and regulators. They’re beginning to view these programs less as a cost center, and more as a strategic enabler. They’re recognizing that with strong tools, they can gain real-time insights into their third-party relationships. And with this intelligence, they can make better sourcing decisions, strengthen trust and credibility, and build a more resilient business during COVID-19 and beyond.