26 Mar Managing Third-Party Risks
Third parties are a necessary risk for many organizations, helping them to expand their reach and services to limits far past what could be achieved on their own. For many, this boils down to the cost-effectiveness of certain functions, keeping revenue highest by outsourcing what doesn’t make sense to keep inhouse. In other cases, organizations need third parties to support existing operations. These are your third-party vendors, contractors, and systems. Examples of third parties include a marketing agency to promote your product or services, a shredding company to ensure company documents remain private, or an attorney to consult over legal matters.
When these third parties are allowed access to your company assets (think data, facilities, equipment) you’re increasing the number of risks you’re subject to. To continue with our previous examples, your marketing agency could have access to your server and they experience a cyber breach that makes your network exposed. The company that shreds your documents could forget to shred a bag of files, allowing someone to come across confidential information. Countless scenarios like these can result in unintended consequences for your company such as regulatory trouble, financial impact, operational disruptions, or reputational impact.
So why do we accept these risks? If the risk is low enough, organizations can usually justify taking it on if the result is growth for the company. Without any risk, your organization would never expand. As a result, the challenge with third parties is not how to eliminate risk but how to manage them and keep them low. Just remember that outsourcing an activity to a third party does not remove the responsibility, obligation, or liability of your company to ensure everything goes smoothly. See how RiskWatch helps with third-party management.
The challenges with third-party management will be plentiful and unique to every arrangement. Opus & Ponemon Institute announced in the results of their 2018 Third-Party Data Risk Study that “59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks”
The saying goes, “Nothing worth having comes easy” and it isn’t any different with risk management. Otherwise, would only 16% of businesses say they effectively manage third-party risks? That’s not to say that it is an exceedingly difficult process, but we often encounter businesses with a lot of uncertainty around how to implement an effective risk management plan for their third parties. When internal resources are already stretched, many foolishly take the stance of expecting the third party to be able to manage themselves (and take responsibility when something goes wrong).
The primary challenge usually comes from a lack of support in leadership. Upper management needs to see the value in risk management and approve budgets so team members can establish an effective risk management plan. If anything, the fact that 59% of companies experienced a breach should motivate decision-makers to act.
Approaching Third-Party Risks
Whether you’re exploring the possibility of using third parties and want to be prepared or just want to review your current approach, here are some key steps in approaching third-party risks.
Before you can begin assessing risks and planning mitigation, you need to determine who will champion your efforts. This will typically be risk management or compliance staff, but if you don’t have dedicated employees for these activities you’ll need to select knowledgeable and relevant staff across departments.
Pre-Screen Third Parties
Most companies perform background checks and drug tests on new employees to ensure the company will be investing time and resources into a worthwhile candidate; why should a third party differ from this thought process? When selecting a supplier, vendor, or another third party for your organization, make sure you complete a thorough risk assessment to ensure they are the right fit for you. Depending on the industry, this could be asking for proof of security certifications, a record of regulatory compliance, the testimony of other partners, etc. Conducting due diligence on all potential third parties is crucial prior to entering into contracts or relationships.
Identify Potential Third-Party Risks
As we did with the examples given in paragraph two, describe scenarios where risks can arise from your partnership with a third party. Ask who has access to customer data. Is a vendor located in a high crime area, and could this cause interruption to business? How is your information protected by third parties? A risk assessment will identify all areas of concern.
Many third-party relationships will necessitate sending and receiving information and access to private networks and systems. Identifying these risks is the first step of your risk management plan and key to having healthy, lasting relationships with third parties.
Management and legal counsel should review contracts prior to signing and actively participate in negotiations. Incorporate your standards from the pre-screening and include any necessary potential risks that you’ve identified. Determine under what circumstance your partnership will continue and what actions (or inactions) will result in termination.
Once you’ve negotiated terms and settled into a normal business routine, it’s important to conduct regular assessments to ensure your third party is keeping up their end of the agreement. This isn’t to say they’re inherently untrustworthy, but when the prosperity of your company and employees is on the line, you can’t be too safe. It could also be required depending on certain regulations you must adhere to.
Third-Party Risk Solution
As third-party risks become more complicated and organizations increasingly outsource services and functions, a clear risk management solution becomes increasingly vital. Remember that mitigating risks and ensuring compliance is always the responsibility of your company and you can be responsible for the actions of your third-party partners.
To get started, utilize RiskWatch for your third-party management needs. Our software simplifies a complex task, eliminating the need for spreadsheets, emails, and file shares. Keep all relevant materials in a centralized location to ensure assessments are done quickly and you always have proof of compliance for an auditor or for internal use. The software automatically analyzes gathered data, providing insight into a third party’s compliance and risk. From the software dashboard, easily track and monitor your third-party’s progress on mitigating risks to know if development is underway or if a contract should be terminated.
Have a third party you need to assess? Use our platform for free!