Why Now’s the Time to Consider Third-Party Risk

  • 15 Dec 2023

The regulatory tide is turning. Supervisory agencies are coming after third-party risk – fast.

Indeed, at the end of last month, the Basel Committee told EU banks that they need to do more to develop “appropriate business continuity and contingency plans and exit procedures where third parties provide critical operations.”

That was just the latest example of regulators, policymakers, and standards setters becoming increasingly concerned about the third-party risk of the firms they oversee. For instance, everyone’s heard of the Digital Operational Resilience Act. But do they know that the measure to enhance the overall digital operational resilience of the EU financial sector has some of the most stringent third-party risk protections on the books?

In turn, this article poses two questions: (1) why exactly are stakeholders becoming more interested in third-party risk, and (2) what should organizations be doing about it?

Where the interest in third-party risk is coming from

To the first question, the simple answer is third-party risk has ballooned. 

Deloitte, in its article, Third-party risk becoming a first priority challenge, notes that companies have become more reliant than ever on third-party vendors: “the use of third-party vendors has increased exponentially.”

Add to that, companies aren’t just using third-party vendors for ancillary activities. Deloitte has also found that increasing numbers of companies are outsourcing their “core functions.”

And that’s happening as the pool of vendors is itself shrinking, according to Deloitte’s 2022 Global third-party risk management survey.

In other words, companies are introducing new sources of risk to their material business activities in the form of third parties. At the same time, many companies are becoming dependent on the same third-party vendors, concentrating risk in the hands of a few third-party actors.

The special case of cloud-service providers

Covid-era disruptions metastasized this trend. In particular, Covid precipitated greater dependence on cloud service providers (CSPs). 

As of 2022, 73 percent of companies stated they had moderate to high levels of dependence on CSPs (Deloitte). Already staggering in itself, the figure was set to jump all the way to 88 percent in the years to come.

As a result, suppliers are causing more disruption to the companies to which they provide prioritized activities. And regulators, for their part, are increasingly finding that home companies are not adequately managing that risk, particularly where information security, privacy, and anti-fraud management are concerned.

Managing third-party risk with the third-party risk management lifecycle

How, then, to mitigate third-party risk, specifically to information and communication technology (ICT)? That’s where third-party risk management (TPRM) best practices come in. And it doesn’t get more fundamental than the TPRM lifecycle.

The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.

So, what does the third-party risk management lifecycle consist of?

Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycle is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed. 

The process itself consists of the following stages:

  • Identification of whether you need to employ a third party
  • Conducting due diligence
  • Shortlisting and selection of a third party
  • Sending out a risk questionnaire
  • Contract drafting
  • Commencement of the onboarding process
  • Ongoing monitoring
  • Undertaking of internal audits
  • Contract termination or offboarding

Far from being undertaken in a silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem.

Why? Well, strong governance reduces third-party risk by increasing transparency, better aligning third-party engagements to overall company strategy, and providing consistent regulatory compliance.

That’s why companies can go a long way to reducing their overall third-party risk profile by embedding third-party risk management practices in all levels of the organization. For one, they will accrue the following benefits:

  • A more intelligent, risk-based approach better aligned with enterprise strategy
  • Better training of staff and executive champions in aligning service delivery with strategic objectives
  • Development of standardized processes and proactive decision making via the use of data and analytics
  • Creation of fully customized, value-added tools that support decision making

The question remains, though: how to go about setting up leading third-party risk governance practices? To learn how, check out Noggin’s Introductory Guide to Third-Party Risk Management, which walks you through those best practices and details the compliance requirements to consider, as well as the role of third-party risk management software in managing risk across your entire third-party ecosystem.

 
