Many of the risks that an organisation faces can be dealt with head-on in a structured but flexible manner. That requires deep understanding of the nature, causes and effects, and likelihood of occurrence of the risks involved.
This in turn allows the development and implementation of options for avoiding, minimising and mitigating the consequences of those risks. That’s risk management in a nutshell.
Third-party risk management (TPRM) is just one subset of dealing with the totality of risks that any organisation has to contend with on a daily basis."
This article provides an overview of TPRM, covering:
What is a third-party?
To do what it was established to do, every organisation needs products and services. These are primarily obtained externally from other organisations and individuals.
Each provider of those products and services will be commonly and interchangeably described as a supplier or a vendor, despite these terms having different meanings in some circles.
An organisation might also have business relationships that don’t involve other parties supplying it with something. For instance, they might be working together as a partnership or a joint venture for some common purpose.
‘Third-party’ then is a general, all-encompassing term for describing an organisation’s suppliers, vendors and other parties it has engaged with."
Interestingly, some regulators expand the definition of a third-party to include an organisation’s internal service providers, like IT.
What is third-party risk?
An organisation can encounter many different types of risks. Natural disasters, pandemics, government actions and technological failures are a few common sources of such risk. So are other organisations, from two perspectives.
First, competitors in the same market can threaten an organisation’s well-being or even its existence by being smarter, faster or better at what they do. That’s situation is normal.
Second, and more insidiously, an organisation’s third-party relationships are a growing and increasingly concerning source of risk that could impact business continuity.
That’s because those third-parties themselves are subject to all kinds of risk, including from their own third-parties. This happens all the way down any chain of third-parties to the originator of the chain.
There’s no guarantee that any third-party in a chain will be able to deal with any of its own risks well enough to prevent repercussions from cascading up the chain, sometimes all the way to the organisation itself."
This means every organisation must be prepared to face some fairly universal types of risk from its direct third-parties over the duration of their relationship. The consequences of the occurrence of such risks for an organisation will be based on its level of awareness of their likelihood, preparedness for their occurrence, and the efficacy of its response measures.
Examples of such third-party risks include but are not limited to:
- Business continuity risk: any failure by a third-party to take the necessary steps to recognise and protect itself from the occurrence of situations with a strong potential for affecting it to the point where it might not be able to operate
- Concentration risk: any over-reliance by a third-party on just one other third-party to perform several critical or high risk activities, its use of multiple third-parties clustered in a single geographic region, or similar scenarios where no unaffected alternatives will be available under certain circumstances
- Contract performance risk: any failure by a third-party to meet the agreed standards and timelines for the part they have to play under the terms of existing contracts
- Compliance risk: any failure by a third-party to comply with its obligations in respect of agreed operational processes, applicable regulations and standards, or societal and ethical norms and expectations
- Cybersecurity risk: any failure by a third-party to ensure appropriate and effective protection of the security and availability of any IT systems it uses, or any access it has been granted to those of the organisation
- Information security risk: any failure by a third-party to adequately protect any confidential information, wherever located and however stored, provided to it by an organisation.
An organisation should focus its attention on the third-party risks that can hurt it the most in the event the associated third-party doesn’t deal with them effectively."
That hurt can manifest in terms of effect on an organisation’s finances and reputation, disruption to its operations, the theft and publication or misuse of its or its customers’ confidential data, the loss of customers and staff, and increased attention from regulators, for example.
Elements of TPRM
Undertaking a TPRM program requires an organisation to set the rules of third-party engagement. These should take account of its third party risk management plociy, overall governance framework and tolerance level for risk, its data security and privacy policies, and any other factors considered relevant.
At a high level, management of third-party risk has the following elements:
1. Prior to establishing a contractual relationship with a potential third-party, conduct an initial due diligence exercise to:
- understand its current risk landscape
- check if it is adequately prepared for dealing with those risks
2. During contract development:
- include the third-party engagement rules, as well as auditing requirements, in all third-party contracts
- develop a plan for responding to any failures by the third-party to effectively deal with the occurrence of risks likely to have material consequences for the organisation
- record details of any organisational data that the third-party will be sent or able to access, its level of sensitivity, where it will reside once received or accessed, who it might or will be sent on to, and anything else relevant
3. Following contract signature, as part of the organisation’s standard third-party onboarding process:
- collect and validate all the information needed to establish the operational relationship with the third-party
- establish the configuration of the assessment content needed to address the third-party’s risk landscape
- determine the extent and frequency of the due diligence assessments that will be required during the relationship’s lifetime
- determine the criticality status of the third-party, based on attributes like risk profile or level of access to the organisation’s data or systems
- comply with any regulatory requirements about reporting commencement of third-party relationships
4. Once in a contractual relationship with a third-party, periodically or continuously:
- check if the third-party is delivering in accordance with the contract and achieving high levels of compliance with applicable regulations
- maintain awareness of the current state of the third-party’s risk landscape
- assess the ongoing relevance and effectiveness of the third-party’s risk management approaches for its current risk landscape
- deal with any issues found with the third-party’s performance or approaches to managing risk
- monitor the ongoing adequacy of the organisation’s due diligence approach and its planned response to any material third-party risk failures, and make any necessary adjustments
5. At the conclusion of the contractual relationship:
- disable any access to the organisation’s systems granted to the third-party
- advise all relevant stakeholders about cessation of the relationship, and update internal systems to record the fact
- ensure the third-party returns or deletes the organisation’s confidential information by the due date agreed for such action
- retrieve everything loaned to the third-party for the duration of the contract, such as computers, software, access key-cards and so on
- comply with any regulatory requirements about reporting cessation of third-party relationships.
Clearly, there is a strong connection between TPRM and Contract Lifecycle Management (CLM). Historically, many of the TPRM elements listed above have been an integral part of CLM, but growth in the importance of those elements has resulted in the establishment of TPRM as a practice in its own right.
This still leaves CLM and TPRM in a brothers-in-arms relationship when it comes to dealing separately and jointly with the risks associated with an organisation contracting with third-parties.
The value of TPRM
Implementation of a TPRM program anda risk management framework provides a number of significant benefits to both an organisation and its community of third-parties:
- it optimises, standardises and unifies the organisation’s overall approach to managing its third-party risks organisation-wide, while allowing assessment techniques to be customised to suit the profiles and characteristics of each third-party
- it allows the organisation to maintain high visibility of the type of consequential risks it could potentially face from its third-parties’ failure to deal effectively with the risks they encounter, and plan or improve its responses to such events
- it enables the organisation to track where, how and why its data is used by its third-parties
- it incentivises the organisation’s third-parties to improve the robustness and effectiveness of their own risk management approaches and practices to minimise any downstream effects on the organisation
- the organisation and its third-parties will be able to more readily achieve compliance with any applicable regulations governing TPRM, or be better prepared for the arrival of such regulations.
Just like it is with its contracts, an organisation is likely to have more third-parties than can be reasonably managed, so it must focus on those considered to be the most critical or to have the highest risk.
That might result in a number of third-parties that’s readily manageable. Or, the number could be difficult to manage depending on the resources available. It is what it is.
A number of TPRM frameworks are available to help guide the establishment and operation of TPRM practices in an organisation. These should be reviewed for an understanding of what’s involved, allowing a decision to be made about how to proceed.
There’s a few options available for doing TPRM:
This is the budget bare-bones version that uses available tech in the organisation like spreadsheets to collect and collate data and produce whatever reports can be extracted, calendar software to diarise planned activities and provide alerts, and so on.
Minimal functionality, lowest cost, little if any automation and a fair bit of work is the typical outcome. Suitable only for smaller organisations with really just a handful of third-parties that provide sufficient risk potential to warrant the effort. Outside help might be necessary.
There’s a broad range of cloud-based solutions available for TPRM. They focus on the onboarding of third-parties, risk assessment, and due diligence aspects, with varying amounts of functionality and automation.
Client organisations are responsible for the use of such software, which may be configured to integrate data from various internal and external sources for performance measurement, security ratings and various types of relevant data feeds.
A number of providers offer TPRM-as-a-service to organisations having a large third-party community to monitor and deal with.
Based on the organisation’s requirements, these providers configure and run a TPRM service on the organisation’s behalf, producing information allowing the organisation to make operational decisions about dealing with their third-party risk landscape.
All organisations are subject to various kinds of risk from many quarters: their markets, the weather, various regulatory regimes, continuous change, the third-parties providing them with products and services to name just a few.
Different approaches are usually needed for dealing with each source of risk, and often for the different types of risk associated with each source.
An organisation can engage with a few to a whole lot of third-parties, each with its own individual set of risks to manage. Some of those risks might result in a threat to the organisation if the associated third-party doesn’t manage to deal with them adequately."
It’s a lot of hard work getting on top of TPRM, particularly when an organisation deals with many third-parties from many jurisdictions. And it can be costly to set up and operate.
Against that though could be the costs of a single risk that doesn’t get dealt with effectively by a third-party, and triggers severe consequences for the organisation.
If that sounds familiar given the last few years, it’s unjustifiably optimistic to think that something like it can’t happen again. And again.
It’s past time to knuckle down on TPRM, just in case things get worse before they get better. There may be no legal requirement to do so, but that might just be a case of ‘watch this space’. In today’s world, it’s a no-brainer, considering the rise and rise of third-party risk and the associated regulation with its own risks relating to non-compliance.
It’s best to heed the timeless metaphorical warning from Buffalo Springfield when they sang: ‘You step out of line, the man come and take you away’.
TPRM is a good way to keep the man at bay.
If you would like more information about the rationale for a TPRM program, or how Gatekeeper can assist with that activity, then contact us today.