By Sal Petriello, Director of Integrated Risk Management Strategy at NAVEX
Recent coverage of cybersecurity incidents stemming from compromises of organizations’ third-party vendors highlights an important, yet often overlooked, aspect of risk management. While the specifics of execution can be complex, it is imperative for risk managers to grasp and communicate across the organization that risk-based vetting and continuous monitoring of third parties are essential.
Part of a holistic risk management strategy, third-party risk management (TPRM) concepts are more important than ever as external vendors provide many services essential to the success of the modern enterprise. Through this lens, risk managers can evaluate, plan and communicate how their organization must manage an often-sprawling vendor landscape and the risk they bring.
Sometimes referred to as an organization’s supply chain, third parties can occasionally seem indistinguishable from the organization itself. While some are more obvious external entities – such as a provider of raw materials for a manufacturer – others provide back-office functions like electronic file storage. Even aspects of the information security function, a crucial element of TPRM, often involve third-party services.
Some organizations rely on thousands of service providers to fuel their business. As part of a major public effort to apply a set of goals and values across its supply chain, retail giant Walmart said it had more than 100,000 suppliers as recently as 2021. Third-party vendors can have their own suppliers as well, often referred to as fourth-party vendors.
The other side of this equation, third-party risk, is just as complex as the range of services third parties provide. From regulatory violations to ethical misconduct, intellectual property theft, and more, the risk landscape is vast.
Of special concern are the third-party information security risks that have spawned major cyberattack headlines in recent years. Third-party suppliers often need to access some portion of their client organization’s systems and data to deliver services, a bridge that a malicious actor could potentially exploit.
All this adds up to a large web of possible third-party risks. And while the legal and regulatory risk of an incident will depend on applicable laws, the pure reputational harm of customers learning that an organization failed to properly vet their third parties applies, sometimes severely, in every case. As Under Armor founder Kevin Plank once noted, brands are all about trust. That trust is built in drops and lost in buckets.
One way to keep an organization’s proverbial trust bucket full is to rely on the pillars of holistic TPRM. They provide a powerful, straightforward and scalable framework that can enable any organization to ensure its vendor landscape aligns with its own risk tolerance. While no two TPRM programs will look the same, these common practices will ensure all start on the right foot.
Effective Onboarding is Crucial
Asking the right questions during the onboarding of a new third-party vendor is crucial, but organizations must first ask important questions internally, starting with an internal weighted assessment of third-party-related risks. Some of those risks may be acceptable against the benefits and nature of certain relationships, while others may be non-negotiable. These internal questions often include elements specific to individual industries, regulatory environments, geography, dependence on certain external services, and financial risk. This process ensures that organizations will ask the right questions, and weigh them with the right importance, as they bring on new third parties.
Yet not all believe they are excelling in this crucial first step. Recent NAVEX survey data showed that 53 percent of organizations rated themselves as “good” to “great” in setting specific and accurate contract terms with their third parties. Almost as many, 48 percent, said they leveraged risk-based enhanced due diligence in their TPRM programs. This suggests there is an opportunity for many organizations to revisit and improve how they onboard vendors in respect to managing risk.
Monitoring Third Parties Never Ends
The potential risk of third-party relationships doesn’t stop after the contract is signed. In fact, it has only just begun. Ongoing monitoring of third parties is a crucial task that must occur throughout the course of the relationship, starting with the highest-risk and most-important relationships. However, it is still important to review even the lowest-priority third parties.
The first of two main areas of ongoing management for third-party risk involves information security. Many third-party vendors will have some connection to an organization’s IT infrastructure, and vendors should regularly prove they have sufficient security measures in place to secure their own operations against attack. It is also important to audit the level of system access a given vendor possesses to ensure it is appropriate. Audits commonly discover vastly more access is granted than necessary for the business relationship.
Ongoing monitoring involves much more than cybersecurity assessments. Depending on the risk profile established as part of the third-party onboarding process, organizations should also monitor their third parties for evolving risks in media coverage, reputational problems, financial duress, sanctions, international political dynamics, environmental issues, and other appropriate factors.
A Crucial Journey
While the risks involved with essential third-party relationships are increasingly well understood across organizations, NAVEX data show that only 35 percent of organizations felt they were “good” or “great” in their ongoing monitoring.
Fortunately, the same growing understanding of third-party risk is also a mechanism risk managers can use to gain buy-in for the resources needed to fuel their TPRM programs. Just as a chain is only as strong as its weakest link, decision-makers across the organization should understand that effective TPRM is a crucial part of holistic defense-in-depth.
While the implementation of a given TPRM program can be complex and highly specific to a certain organization, the common-language framing of the risks involved, and strategies needed to mitigate those risks, is a powerful step toward maturing any program.
Sal Petriello is a senior operations, risk, audit, and compliance leader whose career includes experience in the highly regulated sectors of banking and healthcare services. As director of integrated risk management strategy at NAVEX, his thought leadership includes guidance for organizations seeking to mature their approach to risk management.