Swapnil Srivastav - Dec 23, 2020
Businesses are increasingly relying on third-party suppliers and vendors for business-critical goods and services. While this form of outsourcing has helped reduce costs, it has also introduced a number of governance and risk management challenges. As such, organizations perpetually face challenges in managing a vast network of suppliers, including conducting due-diligence assessments, monitoring supplier performance and stability, and ensuring that risks to the organization’s sustainability are kept in check.
With the growing number of third-party security incidents, organizations have become much more vigilant about the risks posed by their third-party vendors. In a recent survey conducted by KPMG, 77% of participating third-party risk management (TPRM) executives said that TPRM is a strategic priority for their business. In addition, managing cyber risks, data governance and privacy, and improving cost efficiency were identified by the respondents as among the top drivers of TPRM activity in their businesses.
While efforts are certainly being made to keep risks from the extended enterprise in check, challenges remain. A minor lapse at the third party’s end could lead to an enormous supply chain attack, compromising sensitive information of several organizations and causing severe reputational damage. A lack of consistent reporting and continuous monitoring could result in ineffective oversight and blind spots, leaving an organization highly vulnerable to data breaches. In addition, organizations are often ill-equipped to detect such attacks, and third parties may even choose not to disclose them in order to protect their reputation. To make matters worse, a lack of visibility into fourth parties and sub-contractors could greatly limit an organization’s ability to manage third-party risks effectively.
Third-Party Risk Management Best Practices
A robust TPRM program, with clear processes, policies, and tools governing third-party selection, contracts, risk assessments, due diligence, monitoring, and risk mitigation, has become essential for continued business operations. Here are a few key considerations:
1. Gaining Visibility into the Supply Chain Hierarchy
As the scope and complexity of the third-party network expand, visibility into the supply chain hierarchy, along with the mapping of third parties to products, services, fourth parties, and business units, becomes critical. A centralized repository of information provides a comprehensive knowledge base of all third parties and their associated assets, helping organizations better identify and understand their third-party risks and dependencies. As the same third parties are often managed by multiple departments, establishing a common nomenclature for onboarding, assessing, monitoring, and off-boarding vendors further helps simplify tracking, searching, assessing, and rating the various third parties.
2. Ensuring Clear and Comprehensive Documentation
With regulatory bodies pushing for better third-party risk oversight, organizations need to be able to manage documents effectively and produce them if a compliance failure or security incident occurs. In addition, vendor contracts need to be more comprehensive, with well-defined and crisp clauses that help third parties understand what they need to do, including how to handle sensitive data after the contract has terminated. Privacy and security requirements need to be expressed clearly, in addition to general clauses such as quality, cost, and delivery. Organizations should also set a cadence for reviewing third-party service level agreements (SLAs) and non-disclosure agreements (NDAs).
3. Implementing an Effective Third-Party Onboarding Process
A structured onboarding process helps determine whether third parties are financially stable, secure, compliant with the necessary regulations, operating within legal bounds, and more, before a business relationship is established. It also helps define the frequency of future third-party due diligence, risk assessments, and monitoring activities. Onboarding can seem like a complex and time-consuming process, especially as businesses expand their third-party ecosystem to new global locations. However, the absence of a comprehensive onboarding plan can result in poor-quality third-party information and an inability to identify critical risks, which in turn can cascade into multiple adverse incidents.
4. Categorizing Vendors Smartly
Understanding which third parties have access to critical assets and directly affect an organization’s margins and profitability is critical to building a strong third-party risk management program. Based on these factors, organizations can segregate third parties into critical and non-critical categories. For example, if a third party has access to personally identifiable information (PII), it might be categorized as critical because a data breach at its end would significantly impact the organization. Categorization makes it easier to determine which third parties require the most attention and to define risk management and control activities accordingly.
5. Ensuring Efficient Fourth-Party Risk Management
Fourth-party risk has emerged as a new threat that can compromise an organization’s data via the third-party relationship. While monitoring fourth parties, fifth parties, and subsequent sub-contractors could be overwhelming, an organization’s larger third-party risk management program would be incomplete unless this loop is closed. To manage this risk effectively, organizations need to ensure visibility into the portfolio of fourth parties, identify the critical ones, perform due diligence, and raise red flags on an ongoing basis.
6. Continuous Monitoring of Third-Party Risks
Assessing third-party risks on an ongoing basis helps determine changes in risk levels, identify new risks, and ascertain how secure third parties are. Organizations usually conduct self-assessments, risk assessments, and audits to evaluate third parties. However, to address the increasing threats, real-time insights are needed from risk content providers on various risks, including cybersecurity, IT, data privacy, corruption, reputation, disaster, financial, sustainability, and commercial risks. A risk-based approach helps ensure that appropriate time, effort, and cost are allocated to a third party based on its criticality and relevance.
7. Involving Top Management and the Board
Risk management should begin at the strategic level. The involvement and support of C-suite executives and the board will bolster the effectiveness of the third-party risk management program. A centralized approach will help build an effective third-party oversight process, simplifying the review of due diligence assessments, the handling of third-party concerns, and the management of overall risks, performance, and contracts.
8. Leveraging Technology
Technology plays a critical role in strengthening and streamlining the entire cycle of third-party management and improving visibility into risks and compliance issues. An integrated technology solution gives organizations a common platform for gathering supplier contracts, profiles, factory details, and certifications in a single repository, enabling them to identify high-risk third parties in real time and make informed business decisions. Technology can also help organizations manage business continuity plans effectively and bounce back quickly in the event of a third-party risk event.
How MetricStream Can Help
MetricStream Third-Party Risk Management enables organizations to protect their business from existing and potential threats from third parties, strengthen resilience, contain costs, and optimize business performance. The solution provides a comprehensive process to identify, assess, mitigate, and monitor third-party risks, as well as to manage compliance, track performance, and manage issues.
With our Third-Party Risk Management solution, companies can:
As the moving parts of the extended enterprise come under greater scrutiny through increased risk assessments and monitoring, it is imperative that organizations have a well-defined third-party risk management program that provides an integrated, real-time view of the extended enterprise. A structured and automated approach across each stage of the third-party risk management lifecycle enables organizations to gain visibility into the vulnerabilities and risks posed by third and fourth parties.
MetricStream is the independent market leader in enterprise cloud applications for Governance, Risk, and Compliance (GRC) / Integrated Risk Management (IRM). MetricStream apps and software solutions improve business performance by strengthening risk management, corporate governance, regulatory compliance, audit management, vendor governance, and quality management for organizations across industries, including banking and financial services, healthcare, life sciences, energy and utilities, consumer brands, government, technology, and manufacturing. MetricStream is headquartered in California, with centers in New York, London, Milan, Madrid, Dubai, Sydney, and Bangalore, among several other cities globally (www.metricstream.com).