CEO and founder Crisis Team
Columnist

Third-Party Risk: Be careful who you play with

Many firms were ignorant of third-party risk scale and impact even before lockdown. With the new reliance on distant supply chains and remote technology services, Bill Mew considers how firms should manage one of the fastest-growing categories of risk.

27th Oct 2020

Reliance, integration and complexity

Trade requires goods to move smoothly in one direction, payment to move in the other, and data to move in both. Reliance can come in many forms. 

Many firms rely on the supply of goods and struggled when supply chains were interrupted during lockdown. Others are reliant on payment, operating on thin margins and with limited reserves. When cashflow dries up, these companies suffer a great deal.

Increasing levels of integration mean firms are sharing more data across supply chains, opening themselves up to data privacy and security risks. These forms of reliance on third parties increase as ecosystems become more complex. 

Firms often have inadequate partner inventories and lack the full picture of their associated third parties, which makes managing this risk considerably harder.

Supply chain risk

Adding to supply interruption, companies must be alert to corruption and contamination. Firms that use ingredients or components from suppliers need to minimise the risk that these will be compromised. 

There is also a risk that laws are broken during production, for example through the use of child labour, the payment of bribes, or some form of engagement with embargoed economies.

Procurement fraud is also an issue within the supply chain. Research from SAS revealed that procurement fraud is more common than bribery, corruption and cybercrime. It is widespread in the UK, which lags behind many countries in its detection capabilities.

British companies, on average, lose significantly more money to procurement fraud, with 40% of UK firms hit each year for between €150,000 and €400,000. The country relies far more on ineffective manual detection techniques than other nations do, rather than on analytics or AI.

Business continuity risk

The provision of computing services is an area of particular reliance, exacerbated by the move to cloud computing. While the cloud has been a boon for businesses with employees working from home and needing to access application systems remotely, it becomes a liability when there is an outage or any kind of communications issue.

The reliance on cloud suppliers is an issue taken particularly seriously in regulated industries such as banking. In its three recent technical papers, the EBF Cloud Banking Forum set out guidance on the use of cloud, cloud exit strategies and a cloud outsourcing register, to help banks address these risks.

Data risk

Firms today are not only reliant on cloud and managed services providers to run their application systems, but they also have an ecosystem of partners that are granted access to these IT systems or entrusted with sensitive company data. 

A study from the Ponemon Institute showed that 59 per cent of companies have experienced a data breach caused by one of their vendors or third parties, yet only 16 per cent say they effectively mitigate third-party risks.

Information sharing no longer only occurs across the distribution supply chain, but it could also include outsourced digital marketing agencies or indeed professional services firms like accountants or solicitors.

Not enough firms have a clear idea of how many third parties there are in their ecosystem, and which of these have access either to their customer data, their financial data, or even their intellectual property.

Data breaches

Most firms do a decent job of assessing and reviewing only a fraction of their partners, and few do adequate due diligence on information security or any kind of privacy assessment.

High-profile third-party data breaches have included British Airways and Equifax. Indeed, data breaches originating from a third party, such as a partner or supplier, cost companies $370,000 more than average.

Forrester analyst Alla Valente, author of a new study of Third-Party Risk Management Platforms, suggests that you start by agreeing “on the definition of what a third-party relationship is. You need to get as comprehensive a catalogue as possible. 

Secondly, update your definition of what critical is; stop thinking in very traditional antiquated ways.” Valente also says that firms should actively monitor third-party access as contracts expire and have an ‘offboarding’ process.

Effective third-party risk management (TPRM)

Firms need to consider the impact a third party can have on service or product delivery. Added to this are risks arising from violations of laws, rules or regulations, as well as of ethical standards. On top of that is the data risk arising from unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

Effective TPRM requires close management of the process of identifying, assessing and controlling these and other risks throughout the lifecycle of your relationships with third parties. It can start during the procurement process and often extends all the way through to the end of the offboarding process.

At a minimum you need:

  • Central visibility into all third-party relationships and contracts
  • A formal, pre-contract risk assessment and due diligence process
  • Use of standardised, risk-mitigating contractual terms and provisions
  • Risk-based monitoring and oversight
  • Formal offboarding at the end of the relationship

You need to consider not only all direct relationships but also any downstream relationships: those with the vendors, suppliers and contractors used by your own third parties. Risk extends right down the supply chain, so it is important to know who they are and how they are managed.
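An added example, not from the article or any product it mentions, of turning the minimum controls above into a repeatable check over a third-party inventory: it flags critical parties (those holding customer, financial or IP data) with no completed due diligence, access still live after a contract has expired (a missing offboarding step), and downstream suppliers that are not catalogued at all. The inventory, party names and field layout are constructed for illustration.

```python
"""Third-party inventory review (added example; inventory below is constructed).

Each catalogued party records what data it can reach, whether pre-contract
due diligence was completed, when its contract ends, whether its access is
still live, and which downstream suppliers it uses in turn.
"""
from dataclasses import dataclass, field
from datetime import date

SENSITIVE = {"customer_data", "financial_data", "intellectual_property"}

@dataclass
class ThirdParty:
    name: str
    access: set            # data classes this party can reach
    assessed: bool         # pre-contract security/privacy due diligence done
    contract_end: date
    access_active: bool    # credentials or integrations still live
    downstream: list = field(default_factory=list)  # their own suppliers

def is_critical(tp):
    """A party is critical if it can reach any sensitive data class."""
    return bool(tp.access & SENSITIVE)

def review(inventory, today):
    """Return findings keyed by check name, in inventory order."""
    known = {tp.name for tp in inventory}
    findings = {"unassessed_critical": [], "offboarding_gap": [], "unknown_downstream": []}
    for tp in inventory:
        if is_critical(tp) and not tp.assessed:
            findings["unassessed_critical"].append(tp.name)
        if tp.access_active and tp.contract_end < today:
            findings["offboarding_gap"].append(tp.name)
        for sub in tp.downstream:
            if sub not in known:                      # fourth party never catalogued
                findings["unknown_downstream"].append((tp.name, sub))
    return findings

# Constructed sample inventory with hypothetical party names
REVIEW_DATE = date(2020, 10, 27)
INVENTORY = [
    ThirdParty("cloud-host", {"customer_data", "financial_data"}, True, date(2021, 6, 30), True, ["dc-operator", "backup-vendor"]),
    ThirdParty("marketing-agency", {"customer_data"}, False, date(2021, 3, 31), True),
    ThirdParty("old-accountant", {"financial_data"}, True, date(2020, 3, 31), True),
    ThirdParty("dc-operator", set(), True, date(2022, 1, 1), False),
]

if __name__ == "__main__":
    for check, hits in review(INVENTORY, REVIEW_DATE).items():
        print(check, hits)
```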

With many firms reconsidering their supply chain relationships in light of the pandemic and considering on-shoring some contracts, now is as good a time as any to consider third-party risk and how it can be managed.

Replies (1)

By johnjenkins
29th Oct 2020 09:46

Unfortunately, the more techno we get, the more chance of scams. You would think that any new tech should have security features that can't be breached. Medicine is strictly controlled before it goes on the market (covid apart), so why not technology? The answer is simple: marketing and sales. Whilst we have sloppy security, we will just have to put up with the risk.
