As the poet John Donne wrote, “No man is an island entire of itself.” The same is true for businesses: every organization works with third parties that supply goods and services, ranging from office stationery to raw materials and white-labelled software that make up part of what your organization offers to customers. Add cloud storage providers, delivery and logistics companies, banks and professional services firms to the list of organizations that directly or indirectly help you to serve your customer base, and the result is a complex infrastructure of supportive partners.
But while these companies all help to ensure that you can deliver for your customers, any one of them could experience a disruption that, in turn, impacts your business too.
You can read a full list of examples of third-party risks that could impact your organization here.
In this blog, we will be focusing on how to measure good practice in third-party risk management software.
By assessing and tracking the potential third-party risks your suppliers may pose, keeping good records, and making communication and transparency paramount, you can lower the chances of encountering risks like those described here.
So how can you make sure you are managing third-party risks as effectively as you can?
The following questions will help you assess the strength of your third-party risk management software and procedures, and identify where improvements could be made:
Assuming that certain risks are only the problem of individual departments is a common pitfall. In a recent poll run during SureCloud’s ‘How to Integrate Business Risk and IT Risk’ webinar, we found that 80% of respondents know their business suffers from miscommunication and lack of departmental collaboration. This can cause delays in third-party risk management, hide the big picture and lead to inaccurate reporting, so organizations should avoid departments operating as silos and encourage communication across the organization.
How long does it take for your suppliers to return assessments and questionnaires? Delayed responses are a sign that your assessments aren’t performing as well as they could be. Ensure your questions are clear, easy to follow, and relevant to the organization you’re assessing.
It isn’t uncommon for third parties to be risk-assessed at the procurement stage and rarely (or never) revisited. But things change, and the organization you’re doing business with now may differ significantly from the organization they were when you established a relationship. It is vital to revisit risk assessments, track progress against risky areas and review relationships if things change.
For those using traditional spreadsheet-reliant third-party risk management procedures, checking where you stand can involve lengthy searches, finding and collating data from multiple sources. This is far from optimal. Those using a one-stop platform for third-party risk management can overcome this issue, generating reports in minutes that may otherwise have taken days.