Risk is inherent in business. As businesses become increasingly interconnected, though, new forms of risk have emerged, and it’s become increasingly difficult to identify and manage all the elements that could potentially affect your operations.
The concept of third party risk isn’t new, but it’s becoming more important to businesses of all sizes. At its most basic level, third party risk refers to the potential impacts that any vendor or third party supplier could have on your business. In the past, conversations related to this type of risk have primarily focused on supply chain issues, but as more companies have grown to rely on third-party suppliers for operational needs, it’s grown to include everything from security (including cybersecurity) to compliance, strategy, reputation, and more.
According to a report from McKinsey, the financial crisis of 2008 spurred the increased emphasis on assessing third-party risk. Many of the most recognizable names in financial services, including Capital One and American Express, experienced significant losses due to the actions (and misdeeds) of their suppliers. As a result, these companies developed a new approach to risk management, expanding their due diligence and relationship monitoring beyond basic security and operational aspects.
This more expansive view of risk management has trickled down to even smaller companies. As McKinsey reports, “effective third-party management is a mainstay of good operational health and cost management.” But what are the risks that need to be monitored, and how can smaller businesses implement effective controls?
Identifying Third Party Risks
The first step to implementing improved third-party risk management is to identify the risks present in your organization. These fall into several categories:
- Procurement. It’s no longer adequate to outsource aspects of your business (purchasing, staffing, security, etc.), sign a contract, and leave it alone. Your suppliers’ actions (or inactions) can have significant consequences for your business, and constant monitoring to ensure compliance with contract terms, anti-fraud standards, and deliverables reduces losses.
- Financial. Third parties can damage your financial standing or revenue due to fraud, breach of contract, or poor performance. For example, delivering faulty parts could disrupt production or even affect finished products, increasing costs.
- Reputation. Working with specific suppliers, or supplier actions, can damage your business reputation.
- Legal and compliance issues. Third parties can create legal issues for your company, or put you out of compliance with applicable regulations.
- Operational. Third party actions or issues could affect operations; for example, a computer system fails, preventing your business from accessing it as needed.
- Security. Third party security breaches could put your company’s information at risk of exposure.
Any one of these risks can cause significant damage to your business, underscoring the importance of improved management of vendor relationships.
Improving Third Party Risk Management
The first step to improving risk management when it comes to suppliers is moving away from a “set it and forget it” approach to contracting. Contracts need to be continuously monitored and evaluated, with controls in place to respond when potential risks arise.
Improved management also requires aligning risk management to the overall business strategy. Businesses need to develop formal governance policies to guide contracts and vendor relationships, and evolve beyond a risk approach that prioritizes short-term gains over the benefits to the overall business strategy.
Most importantly, managing third-party risk requires a proactive, rather than reactive, approach. Implementing powerful tools that provide deep, targeted analysis and support decision making while limiting human error can prevent many of the issues that are most damaging to your company. These tools should provide ongoing screening that goes well beyond what vendors disclose. Although due diligence during contracting may reveal red flags at that moment, without ongoing screening and analysis it’s possible to miss developing issues that could impact your business. Staying up to date and maintaining insight into your supply base ensures this doesn’t happen, and that you can take preventive measures as needed to protect your interests.
When you align your vendor relationships to your strategic goals, and continually monitor risk, you gain the benefits that expanding your network can bring in terms of operational efficiencies and capabilities that today’s competitive business environment demands. Ultimately, making third-party risk management your first priority will protect, and enhance, your business’s bottom line, reputation, and functioning.