Regulators Ramp Up Focus on Third-Party Risk as Concerns Increase


The regulatory tide is turning. Supervisory agencies are coming after third-party risk – fast.

Indeed, at the end of last month, the Basel Committee told EU banks that they need to do more to develop appropriate business continuity and contingency plans and exit procedures where third parties provide critical operations.

That was just the latest example of regulators, policymakers, and standards setters becoming increasingly concerned about the third-party risk of the firms they oversee. For instance, everyone’s heard of the Digital Operational Resilience Act. But do they know that the measure to enhance the overall digital operational resilience of the EU financial sector has some of the most stringent third-party risk protections on the books?

In turn, this article poses two questions: (1) why exactly are stakeholders becoming more interested in third-party risk, and (2) what should organizations be doing about it?

To the first question, the simple answer is that third-party risk has ballooned.

Deloitte, in its article “Third-party risk becoming a first priority challenge,” notes that companies have become more reliant than ever on third-party vendors: the use of third-party vendors has increased exponentially.

Add to that, companies aren’t just using third-party vendors for ancillary activities. Deloitte has also found that increasing numbers of companies are outsourcing their core functions.

And that’s happening as the pool of vendors is itself shrinking, according to Deloitte’s 2022 Global third-party risk management survey.

In other words, companies are introducing new sources of risk to their material business activities in the form of third parties. At the same time, many companies are becoming dependent on the same third-party vendors, concentrating risk in the hands of a few third-party actors.

Covid-era disruptions metastasized this trend. In particular, Covid precipitated greater dependence on cloud service providers (CSPs).

As of 2022, 73 percent of companies stated they had moderate to high levels of dependence on CSPs (Deloitte). Already staggering in itself, the figure was set to jump all the way to 88 percent in the years to come.

As a result, suppliers are causing more disruption to the companies to which they provide prioritized activities. And regulators, for their part, are increasingly finding that home companies are not adequately managing that risk, particularly where information security, privacy, and anti-fraud management are concerned.

How then to mitigate third-party risk specifically to information and communication technology (ICT)? That’s where third-party risk management (TPRM) best practices come in. And it doesn’t get more fundamental than the TPRM lifecycle.

The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.

So, what does the third-party risk management lifecycle consist of?

Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycle is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.

The process itself consists of the following stages:

1. Vendor Identification and Selection: Thoroughly assess potential vendors based on their capabilities, reputation, and track record.

2. Due Diligence and Risk Assessment: Conduct a comprehensive evaluation of the vendor’s risk profile, including legal, financial, operational, and cybersecurity risks.

3. Contract Negotiation and Review: Develop robust contracts that clearly define responsibilities, obligations, and liability for both parties.

4. Ongoing Monitoring and Performance Management: Continuously monitor the vendor’s performance and compliance with agreed-upon standards.

5. Termination and Transition: Establish clear exit procedures to minimize disruption and ensure a smooth transition in case of vendor termination.

Far from being undertaken in a silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem.

Why? Well, strong governance reduces third-party risk by increasing transparency, better aligning third-party engagements to overall company strategy, and providing consistent regulatory compliance.

That’s why companies can go a long way to reducing their overall third-party risk profile by embedding third-party risk management practices in all levels of the organization. For one, they will accrue the following benefits:

– Increased protection against cybersecurity and data privacy breaches
– Enhanced regulatory compliance and risk mitigation
– Improved vendor performance and reliability
– Strengthened business resilience and continuity

The question remains, though: how to go about setting up leading third-party risk governance practices? To learn how, check out Noggin’s Introductory Guide to Third-Party Risk Management, which walks you through those best practices and details the compliance requirements to consider and the role of third-party risk management software in managing risk across your entire third-party ecosystem.

Shreya Gupta
Shreya Gupta is an insightful author at The Reportify who dives into the realm of business. With a keen understanding of industry trends, market developments, and entrepreneurship, Shreya brings you the latest news and analysis in business. She can be reached at shreya@thereportify.com for any inquiries or further information.
