No matter where an organization is positioned in a value chain, it will have to contend with risk. Even the most reliable and stable processes experience disruption, whether it be natural disasters or an altered compliance landscape. Chaotic upstream challenges, fluctuating downstream capacity, regulations created in response to extreme market conditions, and changing public opinion mean that every organization needs to be prepared for risk beyond its four walls.
When more than one vendor exists, there is a tradeoff between the efficiency of using a single third-party supplier or vendor and the threat to operational resilience should that single source be disrupted. However, if there is only one vendor, or if every supplier is disrupted at the same time, the need to include third-party risk in risk management plans becomes clear. There is no possibility of simply switching suppliers or vendors, so the third party’s operational resilience directly impacts your organization.
Furthermore, in a digital era when anyone can research the relationships between your organization and the third parties within your organization’s network, the behaviors and practices of those third parties can lead to reputational damage to your organization. See how third-party risk should be woven into an organization’s risk management practices in “The State of Integrated Risk Management.”
Why You Need to Consider Third-party Risk
When mitigating risk and creating a culture of integrated risk management, focusing on the domains that are directly answerable to an organization itself is a great starting point. A risk-aware and compliant organization can respond faster during a disruption, leading to increased operational resilience.
No matter how robust the internal processes and procedures are, in today’s world no organization can be truly independent. Third-party disruptions can take the form of input scarcity, a lack of qualified personnel to fill positions, softening demand, logistics issues, and even cyberattacks. There simply is no way to completely insulate an organization from third-party risk.
As the SolarWinds attacks demonstrated, even something as simple as running a software update can introduce serious risk. SaaS or other cloud services can expose an organization to third-party risk, even if the management and provisioning of the cloud software are performed by industry leaders.
An organization that doesn’t integrate the risk posed by third parties into its risk management process remains vulnerable. Moreover, when third-party risk is dismissed or ignored, the threat of disruption cannot be properly quantified, potentially leaving threats unmanaged and opportunities squandered. Visibility into third-party dependencies improves the oversight of products and services provided by third parties and needs to consider potential business impacts - both positive and negative - of the relationship.
Third-party Relationships Can Pose Reputational Risk
Performing due diligence to identify the types of risk third parties pose, monitoring third-party activities, and mitigating risks and threats are key elements of managing vendor and supply chain risks. More than one-third of respondents in the 2020 RSA Digital Risk Survey stated that their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management.
The deeply interconnected nature of today’s world hasn’t escaped the notice of end-users either. It is no longer considered credible to treat third-party malfeasance or negative externalities as outside the scope of an organization’s oversight process. Consumers making choices informed by ethical concerns have come to expect organizations to devote resources to third-party monitoring and to enforce higher standards from third-party vendors.
Extreme labor conditions at a third-party supplier for a major device manufacturer can quickly redound on an otherwise well-respected organization. The complexity of an enormous web of suppliers and vendors may not insulate an organization from negative public opinion.
We recommend organizations implement a programmatic and risk-driven approach to identify, assess, evaluate, treat, and monitor third-party risk, including risk related to third-party employees and their activities.
Compliance in the Financial Sector and Elsewhere
During and after the mortgage crisis, the practices of financial organizations that relied upon third-party assessments for credit ratings of investment instruments were called into question. The press and regulators increasingly view an organization’s relationships with third parties as less of an airtight barrier to ethical and legal concerns than before. When it comes to reputation and regulation, third parties are often seen as an extension of an organization rather than as completely independent.
Regulators are establishing increasingly higher standards of accountability for the oversight of third-party relationships, and therefore organizations need to consider multiple elements of third-party risk, including financial impacts, resiliency, security, and compliance. The United States Department of Justice has updated its guidance on evaluating corporate compliance to include whether an organization has made a good faith effort to ensure its third-party vendors are compliant.(1)
Resilience to outside risk is now directly mandated by regulators. Financial institutions must undertake rigorous stress tests that quantify the results of extreme disruption. A financial organization that is found to lack the capital reserves to survive a tested risk is required to either grow its reserves or alter its operational profile so that it can meet the stress-test requirements. We have found that this has become a key concern for many financial organizations. Almost 50% of financial services respondents in the 2020 RSA Digital Risk Survey stated that a risk-based compliance methodology is the number one priority when it comes to keeping up with regulatory obligations.
Why Third-party Risks Affect Operational Resilience Like Internal Risks
A consolidated view of all third-party relationships and an understanding of which third parties are most important to ongoing operations provide the ability to scale the number of assessments that can be completed and streamline the response to open issues identified during the assessment process. It is important to start quantifying third-party risks the same way internal risks are measured. This will provide a common framework for analyzing the impact of both internal and external disruptions.
Benefit from our analysis of Archer customers and 20+ years of evaluating risk trends. Download our whitepaper, “The State of Integrated Risk Management,” to discover how to make your organization more resilient by protecting against multiple sources of risk, including those beyond your four walls.