As a process made possible by an organization’s management, support personnel and project leaders, ERM is applied to all aspects of a business and to the business entity as a whole. An ERM protocol is designed to pinpoint and manage any potential events that may have an adverse effect on the company’s ability to reach crucial, strategic goals.
While ERM operates at the highest levels of an organization, resulting in a top-down approach applied across all facets of the business, third-party risk management is a subset of ERM. Most specifically, third-party risk management focuses on various aspects of vendor management, as well as other third-party relationships.
Rising Importance of Third-Party Risk Management
All types of organizations are increasingly outsourcing functions of their business to third parties that specialize in the areas they need. Third parties include vendors, suppliers, business partners, brokers, contract manufacturers, distributors, agents, and resellers. Outsourcing may include human resource responsibilities, payroll administration, managed cloud solutions, IT support, web development, production, shipping and much more. The possibilities are virtually endless.
This type of business relationship is invaluable. It allows organizations to tap into high-quality, specialized talent without needing to hire and train staff in-house. Outsourcing represents significant economic savings. Business leaders increasingly rely on external help for both short-term and long-term projects that do not warrant hiring a full-time staff member.
Though third parties are experts in their field, they may not be experts in risk management. Trusting external players that may not follow the same risk-related protocols that your company diligently upholds means potentially introducing significant risk.
What Is Third Party Risk?
Third-party risk is the potential impact linked to the reliance on outside parties – service providers, vendors, suppliers, etc. – to perform certain business activities. It usually refers to a potential negative result, but risk can also be positive.
Sometimes understanding the risks you face is the first, and most important, step when choosing to work with a third-party associate. The following are just a few types of potential risk that may result from third-party relationships:
Strategic Risk
Such risk is often due to a third party having made adverse business decisions, or not having properly implemented the measures to meet its goals.
Reputation Risk
If a third-party entity gains a negative reputation, the client company’s business may ultimately suffer as well. Reputation damage by association happens all the time when a breach or a scandal is uncovered and other businesses linked to it fall into a bad light.
Operational Risk
This risk is associated with inadequate or failed processes, systems, people or other external factors. Such inadequacies and complexities within a third-party organization may cause unnecessary complexities and issues for the client company.
Transaction Risk
Transaction risk arises from problems with service or product delivery. The third party may fail to perform as anticipated by customers or the financial institution due to technological failure, human error, fraud, or limited capacity. Any one of these can expose the client to transaction risk.
Financial Risk
This is the term for the risk that an organization will not have adequate cash flow to meet its financial obligations and contractual arrangements.
Compliance Risk
Once a third-party relationship has been formed, the external company must comply with the same rules, laws and regulations that apply to the client business. Failure to do so is considered compliance risk.
Implementing Third-Party Risk Management
Now that you have some idea of what risks are most often associated with third-party engagements, you can start devising a management strategy. This should cover avoidance and mitigation strategies that address each risk stemming from work with third parties.
TPRM aims to find a point of balance between regulatory requirements, stakeholder expectations, risk acceptance, and the company’s business model.
Assess Your Risk Level
Organizations in certain industries hold a wealth of data that needs protection from the many potential vulnerabilities of working with third-party businesses.
Here are a few of the most at-risk types of data:
- Protected Health Information (PHI)
- Payment Card Industry (PCI) Transactions
- Personally Identifiable Information (PII)
- Intellectual property
- Human resource information
Perform a Risk Assessment of the Third-Party
A third-party risk assessment, performed by a trusted auditing firm, is the best way to launch your decision-making process for a secure business partner. The core goal of the risk assessment process is to learn whether the proposed relationship is consistent with your institution’s overall ERM strategy.
Vet Third-Party Organizations Carefully
TPRM requires fully vetting and carefully selecting your third-party vendors and associates. Once you have performed a formal risk assessment, you can build on those results and learn more about these companies, exercising due diligence. Check the company’s financials, its performance, reputation and fit with your institution.
Gather the following information to help make the best assessment of each vendor before committing to engagement:
- Learn the business’s base location, countries of operation, other clients served and all the types of services they offer.
- Perform interviews with third-party clients to gain insights into the level and quality of service, regarding system controls and protection of data.
- Request reports from the third-party’s own internal system audits and assessments, if available.
- Ask to review the company’s own technology policies and procedures manuals, files and documentation.
- Require the third-party candidate to divulge information about fourth parties, both upfront and on an ongoing basis as it outsources future projects, for the life of your mutual engagement. Fourth parties will be subject to the same policies and procedures as the third-party business.
Increase the Involvement of High-Level Managers
It is important to put high-level management and other leaders on the front line, particularly if they work closely with third-party organizations. These high-profile staff members can form a relationship with the outsourced entity to better understand their risk. At the same time, the manager can help the organization to understand their responsibilities to avoid risk. Additionally, the manager can more readily identify risk, due to sheer familiarity with the account.
Control the Risks Expected, and Prepare for Unexpected Risks
If you have already engaged a third-party organization, and you begin to see the potential for risk in certain areas, it is important to do your best to mitigate exposure. On the flip side, it’s important to acknowledge that anything can happen, at any time, in another organization. Your approach to the outsourced arrangement must also include preparing for unexpected potential threats that may arise.
To avoid unnecessary issues from the outset, you should focus on:
- Developing contracts that govern third-party relationships, applicable to a broad swath of organizations.
- Framing policies and implementing key controls that serve to mitigate third-party risks. Employ appropriate monitoring and testing processes, with the assistance of your Enterprise Risk Management (ERM) team, to make sure all risk-mitigating controls are working, per policies and as planned.
Continually Evaluate Your Third-Party Risk Management Program
As the environment changes and your business evolves, so must your preparation for and response to risk. It is important to work with your auditing team to consistently monitor and update your third-party risk management program.
Do You Need Help Assessing Third-Party Risk?
Third-party organizations are essential in today’s fast-paced business landscape, particularly in banking and financial institutions. Working with a specialized business to meet your needs, save money and provide invaluable expertise is simply part of modern business. At the same time, your institution needs protection from the many potential vulnerabilities that arise from a third-party’s misalignment with your risk mitigation practices.
At I.S. Partners, LLC., we’ve seen the sharp rise in third-party engagements over the past several years, and it isn’t slowing down. We help many of our clients gain clearer insight and plan security protections addressing third-party risk. We can help you hire the right outsourcing entity to meet your needs, perform risk assessments, and carry out compliance attestations.