From small businesses to enterprise companies, third parties have long formed an intricate but critical web that supports business functions. Cloud-based technology, payroll and accounting, shipping, ecommerce and of course the good ol’ component supply chain for manufacturers – these functions are often delivered cheaper, and at higher quality, by a third party versus trying to do it all in-house.
Each dependency in the web impacts those around it. When times are good, strong vendor relationships contribute to mutual growth.
But there’s a potential for parts of the system to fail. And in extreme cases such as the current COVID-19 pandemic, the whole system may be in disarray. Large, disruptive events can also complicate an organization’s ability to conduct proper third-party due diligence, exposing firms to even greater risk.
In today’s interconnected – and thanks to social media, increasingly transparent – business environment, your third parties’ risks are your risks. A bad decision by a compromised third party can permanently harm a company’s reputation. The scale of impact of this risk tends to increase as unstable economic conditions worsen.
Risk is unavoidable. However, there are steps businesses can take to lessen the impact of unwanted, unnecessary risk created by your third parties. In a recent NAVEX Global webinar, risk-management advisor and author Linda Tuck Chapman describes three key precautions companies can take to minimize financial and reputational risk.
Tip #1: Prioritize with a risk-based assessment
Many organizations treat all third parties the same when managing risk: giving each the same priority, performing identical due diligence steps, and requiring them all to sign the same disclosures. That’s an easy way to “check the box” and meet compliance requirements — but it leaves the company vulnerable to other risks, including potential litigation.
The easiest way to minimize risk is to determine how critical third parties are to your business. Calculate the potential consequences to your organization if each service provider were disrupted. The magnitude of impact – measured in terms of revenue, reputation, or other lost resources – depends on your business model, industry, and other factors, weighted by the likelihood such a disruption could happen.
These metrics can help you prioritize risk responses based on impact. Call it a risk-based approach to risk assessment. Tuck Chapman sees successful companies using a “light” and “heavy” risk strategy with third parties, where light represents low criticality and potential negative impact, while heavy refers to the high-risk, critical supplier group.
To apply the strategy, send a quick survey to all third parties to identify, and better understand, those that are the most critical to your business. These are the “heavy” risks. Then direct the lion's share of your efforts toward this set.
Tip #2: Automate third-party risk management
The number of vendors and third parties a business relies on can run into the hundreds or even thousands. (Walmart, for example, has over 100,000 vendors.) It quickly becomes nearly impossible to use manual processes, like spreadsheets and emailed questionnaires, to manage the potential risk a large set of suppliers creates.
In addition to the sheer number of third-party providers, larger organizations operating internationally are subject to numerous laws and regulations that may require different treatment or vetting of providers. Again, this is nearly impossible to do manually.
For example, third-party disclosure forms are critical for identifying potential risks, but even the process of gathering that information is time-consuming. These kinds of repetitive tasks are ideal for automating, with the additional benefit of enforcing consistent standards.
Successful companies employ technology solutions to automate third-party processes, such as issuing assessments with pre-populated answers to save third parties time when filling them out, which is especially helpful during COVID-19.
"Trying to manage third-party risk without technology? I always say, ‘just kill me now.’" - Linda Tuck Chapman
Tip #3: Ongoing monitoring of risk: Apply 'trust but verify' to third parties
Third-party risk management doesn’t end with initial due diligence. Events can occur that change a third-party service provider’s risk profile. Continuous monitoring of third parties alerts you to trigger events that require action, including bankruptcy, a major cyber security incident, or, say, a global pandemic affecting a given supplier’s suppliers – anything related to financial health.
Monitoring requires fewer resources than periodic assessment and no extra effort from third parties themselves, but only if the monitoring process is automated and part of the overall third-party risk management strategy.
The financial health of third parties is one of the most important areas to monitor. With COVID-19 affecting so many businesses, it’s important to know which may be suffering financially. While this information isn’t necessarily used to terminate contracts with at-risk suppliers, risk managers need this information to create a realistic view of their third-party web, so they can plan accordingly.
Tuck Chapman sees this as an opportunity to leverage monitoring as a force for good. You might prepay for services or consider a kind gesture like a catered lunch for the provider’s staff. A valued third party is an extension of your company, providing help, expertise and resources when you need them. Gestures of goodwill are appreciated even more when business is bad. After all, when the crisis or risk event has passed, your company will still rely on many of these businesses and their services.
Learn more in Linda Tuck Chapman’s recent webinar, Managing Third Party Risk During (and After) a Pandemic.
Linda Tuck Chapman is the president of ONTALA Performance Solutions and author of the book, Third-Party Risk Management: Driving Enterprise Value.