Chief Risk Officer

The CRO's Guide to Managing Third-Party Risk

Bram Ketting | Founder & Managing director

Introduction

In today's complex and interconnected business landscape, third-party risk management has become an increasingly important concern for organizations. As companies rely more on external vendors, suppliers, and partners to help drive their operations and achieve their goals, they expose themselves to a variety of risks that can have significant consequences if not properly managed. For Chief Risk Officers (CROs), it is essential to understand and address these risks to protect their organizations from potential financial, operational, and reputational damage.

This blog post aims to provide CROs with a comprehensive guide to managing third-party risk, outlining key steps and best practices to help them navigate this critical aspect of their role.

Understanding Third-Party Risk

Definition and types of third-party risks

Third-party risk refers to the potential negative impact an organization may face due to its relationships with external entities, such as vendors, suppliers, contractors, and business partners. These risks can be broadly categorized into the following types:

  • Operational risk: Disruptions in an organization's operations caused by a third party's inability to deliver goods or services as agreed, such as the 2017 NotPetya ransomware attack, which affected several organizations reliant on the shipping company Maersk.

  • Financial risk: Monetary losses incurred due to a third party's financial instability, mismanagement, or fraud, such as the 2008 financial crisis, which exposed banks to significant losses from their relationships with mortgage-backed security issuers.

  • Compliance risk: Penalties and fines resulting from a third party's non-compliance with applicable laws and regulations, such as the $1.9 billion fine imposed on HSBC in 2012 for failing to prevent money laundering through its third-party affiliates.

  • Reputational risk: Damage to an organization's reputation due to a third party's unethical or irresponsible behavior, as seen in the 2010 BP Deepwater Horizon oil spill, which negatively impacted the reputations of BP's contractors and partners.

Common sources of third-party risks

It's crucial to recognize that third-party risks can emerge from various aspects of a business relationship. By understanding these sources, organizations can better identify and address the risks associated with their third-party relationships. Some common sources of third-party risks include:

  • Inadequate due diligence: Insufficient research and analysis of third parties before entering into business relationships.

  • Poor contract management: Lack of clear terms, conditions, and performance expectations in contracts with third parties.

  • Over-reliance on single suppliers: Dependence on a single supplier or vendor, leading to increased vulnerability to disruptions.

  • Lack of monitoring: Insufficient ongoing oversight of third-party performance, compliance, and risk exposure, leading to undetected issues and potential escalations.

Potential consequences of unmanaged third-party risks

Unmanaged third-party risks can have wide-ranging consequences on an organization's performance, reputation, and bottom line. By recognizing the potential outcomes of these risks, organizations can prioritize risk management efforts and allocate resources effectively. Some of the possible consequences of unmanaged third-party risks are:

  • Financial losses: Direct and indirect costs associated with risk events, including fines, penalties, and loss of business.

  • Operational disruptions: Interruptions to an organization's operations due to a third party's failure to deliver goods or services.

  • Reputational damage: Loss of customer trust and brand value following negative publicity linked to third-party actions.

  • Legal and regulatory consequences: Penalties, fines, or lawsuits resulting from third-party non-compliance with applicable laws and regulations.

  • Loss of competitive advantage: Reduced market share or missed opportunities due to unmanaged third-party risks.

Developing a Third-Party Risk Management Framework

A robust third-party risk management framework provides organizations with a structured approach to identifying, assessing, and mitigating risks associated with external partners. By following these steps, CROs can ensure they are effectively addressing third-party risk and protecting their organizations from potential harm.

1. Establish foundation

The first step towards the implementation of third-party risk management includes assigning a senior leader who will be responsible for the implementation of TPRM, formulating a business-aligned vision and strategy (e.g. what are the objectives of TPRM?), defining scope (e.g. what risk domains will be in scope?), assigning ownership (who will be accountable and responsible for TPRM?), developing an operating model (e.g. do you want to execute TPRM locally or centrally?), establishing a policy and corresponding procedures (what governance changes are needed?) and implementing a tool (e.g. how to make sure that TPRM is conducted efficiently and effectively?).

2. Define requirements

The second step involves defining the requirements that third-party risk management should take into account. Two types of requirements can be distinguished: internal requirements (e.g. internal policies, business decisions) and external requirements (e.g. regulatory, industry, sustainability and compliance attestations).

3. Create an inventory of third parties

The third step is about creating an overview of all third parties and contracts. Some organizations might be able to leverage existing inventories from procurement or strategic buying. Other organizations do not have a single source of truth and need to build this from scratch. You should make sure that you assign business owners and contact persons per third-party and per contract.

4. Prioritise third parties

The fourth step includes the prioritization of third parties by assigning a risk profile to your third-party engagements. Defining a risk profile per third-party and contracts helps you to determine (a) what third parties will be in scope for the due diligence assessments and (b) in what order the third-parties or contracts need to be assessed.  

5. Define due diligence scope

Before conducting due diligence, organizations should establish a clear scope for their investigations, considering factors such as the nature of the relationship, the level of risk exposure, and relevant industry standards. Key areas to consider when defining due diligence scope include:

  • Financial stability: Assessing the third party's financial health and ability to fulfill contractual obligations.

  • Operational capabilities: Evaluating the third party's capacity, resources, and track record in delivering goods or services.

  • Compliance and regulatory adherence: Verifying the third party's compliance with relevant laws, regulations, and industry standards.

  • Sustainability: Checking whether the third party's sustainability policies and arrangements are compliant to current and upcoming regulations and standards.

6. Perform due diligence assessments

The fifth step consists of performing the due diligence assessments. You can use various assessment types, ranging from self-assessments, audits, or third-party data providers. From a content perspective, there are several options. You can rely on best practice assessment questionnaires, request compliance statements, or develop your own questionnaire (preferably based upon a recognized framework such as ISO or NIST). Due diligence assessments can be conducted pre-contract, during contract renewal, after an external event (e.g. incident, regulatory change), periodic, risk-based, or continuous.  

7. (Re-)Assessing the third party's risk profile

After gathering and analysing information, organizations should evaluate the third party's risk profile.

8. Monitor and follow-up

The sixth and final step involves ensuring that all assessments are completed, analysed and reported to the identified stakeholders. A follow-up is initiated for risks that are considered out of tolerance.

Due diligence should not be a one-time event; organizations should establish ongoing monitoring and review processes to ensure that third parties continue to meet their expectations and comply with relevant requirements. Regular monitoring activities may include:

  • Performance evaluations: Assessing the third party's ongoing performance against established benchmarks and contractual obligations.

  • Compliance audits: Conducting periodic audits to verify the third party's adherence to relevant laws, regulations, and industry standards.

  • Risk reassessments: Reevaluating the third party's risk profile in response to changes in their operations, market conditions, or the organization's risk appetite.

Regulatory Considerations

When managing third-party risk, organizations need to consider regulatory and compliance requirements. A comprehensive understanding of these aspects can help CROs ensure their third-party risk management practices align with legal and industry standards.

Understanding applicable regulations and industry standards

Organizations must first understand the regulations and industry standards that apply to their operations to effectively manage third-party risk. These may include:

  • Network and Information Security 2 Directive (NIS-2)

  • EU Deforestation Directive

  • Data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)

  • Financial industry regulations, such as the Bank Secrecy Act (BSA), the Anti-Money Laundering (AML) directives, and the Dodd-Frank Act

  • Industry-specific standards and frameworks, such as the ISO 27001 for information security management, the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA)

CROs should stay informed about changes in these regulations and standards and ensure that their organizations' third-party risk management practices align with current requirements.

Ensuring third-party compliance with relevant regulations

Organizations must also ensure that their third-party vendors and partners are compliant with applicable regulations and industry standards. To achieve this, CROs should:

  • Include compliance requirements in contracts and agreements with third parties

  • Conduct due diligence to assess third-party compliance with relevant regulations and standards

  • Implement ongoing monitoring and auditing processes to verify third-party compliance over time

  • Address any compliance gaps or issues identified through monitoring and auditing, and require third parties to take corrective actions as needed

Reporting and documentation requirements

Organizations should maintain comprehensive documentation of their third-party risk management practices to demonstrate compliance with applicable regulations and standards. This may include:

  • Risk assessment reports that detail the identified risks and risk mitigation strategies

  • Due diligence reports that outline the compliance status of third parties

  • Records of ongoing monitoring and auditing activities, including any identified issues and corrective actions taken

  • Incident reports, detailing any breaches or incidents involving third parties and the organization's response

By maintaining proper documentation and reporting, organizations can demonstrate their commitment to regulatory and compliance requirements and reduce the risk of penalties or reputational damage in the event of an audit or regulatory inquiry.

Challenges for CROs

Managing third-party risk can be a complex and demanding task for CROs, who must navigate various challenges and pain points to protect their organizations effectively. By understanding and addressing these challenges, CROs can more efficiently and effectively manage third-party risk.

Fragmented risk management processes

One of the key challenges CROs face is dealing with fragmented risk management processes across different departments and functions within the organization. This fragmentation can lead to inconsistencies in risk identification, assessment, and mitigation efforts. To address this issue, CROs should:

  • Establish a centralized risk management function: Implement a unified risk management approach, with clear policies, procedures, and reporting lines.

  • Promote collaboration and communication: Encourage cross-functional collaboration and information sharing to facilitate a consistent approach to third-party risk management.

  • Use technology that empowers teams from multiple risk disciplines to effectively work together.

Limited visibility into third-party operations

CROs often struggle with limited visibility into the operations of their third-party partners, making it difficult to accurately assess and monitor risks. To improve visibility, CROs can:

  • Enhance due diligence processes: Implement comprehensive and risk-based due diligence processes to gather detailed information on third parties.

  • Implement ongoing monitoring: Establish regular monitoring of third-party performance, compliance, and risk exposure to detect and address issues promptly.

Regulatory and compliance complexities

The ever-changing landscape of regulations and industry standards poses a challenge for CROs in ensuring that their organizations and third parties remain compliant. To navigate this complexity, CROs should:

  • Stay informed: Keep abreast of regulatory changes and industry developments that may impact third-party risk management.

  • Implement technology for managing compliance requirements: Develop and maintain systems and processes that help the organization and its third parties comply with applicable regulations and standards.

Resource constraints

CROs often face resource constraints, such as limited budgets and personnel, which can hinder their ability to effectively manage third-party risk. To overcome these challenges, CROs can:

  • Prioritize risk management efforts: Focus on high-priority risks and critical third-party relationships, allocating resources accordingly.

  • Leverage technology: Implement risk management tools and software to automate processes, streamline workflows, and improve efficiency.

Incomplete or siloed risk information

CROs often contend with incomplete or siloed risk information, which can hinder their ability to gain a holistic view of third-party risk. To tackle this issue, CROs should:

  • Centralize risk data: Establish a centralized risk repository or platform to consolidate risk information from various sources within the organization.

  • Encourage cross-functional collaboration: Foster a culture of collaboration and information sharing between departments to ensure comprehensive risk data is available for analysis and decision-making.

Non-existing or immature third-party risk management processes

In many organizations, third-party risk management (TPRM) may be non-existent or relatively immature, leaving organizations exposed to significant risks. To address this gap, CROs should:

  • Develop a TPRM framework: Establish a structured approach to third-party risk management, including governance, policies, and procedures.

  • Train and educate stakeholders: Educate employees and stakeholders on the importance of TPRM and their roles and responsibilities in the process.

  • Continuously improve TPRM processes: Regularly review and enhance TPRM practices to keep pace with evolving risks and industry best practices.

Inadequate risk prioritization leading to resource misallocation

Failing to properly prioritize risks can result in the misallocation of resources and missed opportunities to address critical threats. To improve risk prioritization, CROs should:

  • Implement a risk assessment methodology: Adopt a consistent methodology for assessing and ranking risks based on their likelihood and potential impact.

  • Regularly update risk priorities: Periodically reassess and update risk priorities to reflect changes in the organization's risk landscape and risk appetite.

Ineffective risk mitigation actions

In some cases, risk mitigation actions may be ineffective or insufficient to address identified risks. To enhance risk mitigation efforts, CROs should:

  • Monitor the effectiveness of risk mitigation strategies: Regularly evaluate the success of implemented risk mitigation actions and adjust them as needed.

  • Promote accountability: Assign clear responsibilities for risk mitigation actions and hold stakeholders accountable for their implementation and effectiveness.

Difficulty in managing emerging risks

Emerging risks, such as new technologies, regulatory changes, or market disruptions, can be challenging to identify and manage. To better address emerging risks, CROs should:

  • Stay informed: Monitor industry trends, regulatory developments, and other factors that may give rise to emerging risks.

  • Adopt a proactive approach: Develop processes and systems to identify and assess emerging risks, enabling the organization to respond quickly and effectively.

  • Integrate emerging risks into the TPRM framework: Ensure that emerging risks are incorporated into the organization's overall third-party risk management strategy and processes.

How 3rdRisk Can Help

3rdRisk is designed to help CROs more effectively manage their relationships with external partners and mitigate potential risks. 3rdRisk enables organizations to streamline their risk management processes and make informed decisions. It addresses the following everyday needs of CROs in relation to third-party risk management:

Seamless integration of TPRM with existing ERM systems

3rdRisk is built to easily integrate with your organization's existing enterprise risk management (ERM) systems. This seamless integration ensures that third-party risk management processes align with broader risk management objectives and enables organizations to have a holistic view of their risk landscape.

Industry best-practice configurations and assessment templates

3rdRisk leverages industry best practices to provide users with pre-configured assessment templates and configurations. These tools help organizations save time and resources in developing their risk assessment methodologies while ensuring they follow the most effective and up-to-date practices.

Risk aggregation and prioritization tools

With 3rdRisk's advanced risk aggregation and prioritization tools, organizations can quickly identify, assess, and rank risks associated with their third parties. This feature enables organizations to allocate resources effectively and focus their risk management efforts on the most critical risks.

Effective risk mitigation planning and tracking

3rdRisk offers robust risk mitigation planning and tracking capabilities, enabling organizations to develop and implement targeted strategies to address third-party risks. With its user-friendly interface, 3rdRisk makes it easy for organizations to monitor the progress of risk mitigation efforts and make adjustments as needed.

Comprehensive risk reporting and analytics

3rdRisk provides organizations with comprehensive risk reporting and analytics tools that deliver real-time insights into third-party risk. By offering customizable dashboards, detailed risk reports, and trend analyses, 3rdRisk empowers organizations to make informed decisions and continuously refine their third-party risk management strategies.

Benefits of using 3rdRisk

The adoption of an advanced technology solution like 3rdRisk offers numerous benefits for organizations seeking to improve their third-party risk management capabilities. By leveraging 3rdRisk's cutting-edge features, organizations can centralize and streamline processes, reduce cost, enhance risk prioritization, gain greater visibility into third-party operations, and manage emerging risks.

Centralizing risk information

3rdRisk provides a centralized platform where all risk disciplines, ranging from sustainability, cybersecurity to continuity can work together. The platform consolidates risk data from various internal and external sources, giving CROs a comprehensive view of third-party risks and facilitating more informed decision-making.

Reducing FTEs and cost

3rdRisk's automation capabilities can significantly enhance the efficiency and effectiveness of TPRM processes. The solution automates tasks such as risk assessments, due diligence, and ongoing monitoring, reducing manual effort, improving accuracy, and ensuring consistency in risk management efforts. An average organisation can save 1-2 FTE annually using our 3rdRisk platform, making it a very cost-effective solution.

Enhancing risk prioritization and resource allocation

3rdRisk employs smart analytics and configurable risk scoring models to help CROs more effectively prioritize risks and allocate resources. By analysing vast amounts of data to identify patterns and trends, the platform enables CROs to focus their efforts on the most significant risks and make more informed decisions about resource allocation.

Improving visibility into third-party operations

3rdRisk enhances CROs' visibility into third-party operations by providing tools for ongoing monitoring and real-time reporting. Its integration capabilities with third-party systems deliver insights into performance, compliance, and risk exposure, enabling CROs to promptly detect and address potential issues.

Managing emerging risks

3rdRisk plays a key role in identifying and managing emerging risks. The platform offers an extensive risk sensing capability, including news and threat monitoring.

By embracing 3rdRisk as a technology solution for third-party risk management, CROs can overcome many challenges and pain points associated with managing third-party risk. As a result, organizations can more effectively protect themselves from potential harm and create a more resilient risk management framework.

Rapid and streamlined implementation

The implementation of 3rdRisk as your third-party risk management solution is a rapid and streamlined process, taking only days instead of months compared to competitors. The platform's best practice blueprints and standardized onboarding program ensure a smooth and efficient adoption, enabling organizations to start reaping the benefits quickly. Want to know more? Contact us for a virtual coffee and a free demo.

Conclusion

In conclusion, managing third-party risk effectively is a critical aspect of any CRO's responsibilities. By understanding the sources of third-party risk, implementing a robust TPRM framework, addressing the challenges and pain points associated with third-party risk management, and leveraging technology solutions like 3rdRisk, organizations can significantly enhance their ability to mitigate third-party risks. Additionally, considering regulatory and compliance requirements is crucial to ensure that both the organization and its third-party partners operate within the confines of applicable laws and industry standards.

The rapid and streamlined implementation of 3rdRisk, coupled with its best practice blueprints and standardized onboarding program, offers organizations an efficient way to strengthen their third-party risk management practices. As a result, CROs can better protect their organizations from potential harm, minimize reputational damage, and promote a more resilient risk management framework. Embracing these strategies and technologies will enable organizations to navigate the complexities of third-party risk management more effectively and, ultimately, achieve long-term success in today's interconnected business landscape.

Contact us to learn more, start a trail or request a demo.

Blogs

Read more...

We’d love to hear
from you

img

We’d love to hear
from you

Send Us a Message