Alex Hollis, GRC Practice Director at SureCloud, explains the importance of measuring and mitigating the risks third-parties can pose to your business
As GRC Economist & Pundit Michael Rasmussen commented in his guest blog, the modern organization doesn’t operate alone. Beyond its own staff, a business’s offering can be delivered by an interconnected network of suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, and more.
These third parties can offer a strategic advantage and business value, helping organizations to offer cutting-edge services and focus on their own area of specialization. But they can also present a number of third-party risks that may have a knock-on effect on the business, causing issues ranging from temporary service disruptions to complete shut-down.
Despite the risk of disruption, the practice of measuring and managing third-party risks is in its infancy. Recent research we conducted found that 82% of respondents were not confident, or were unsure, whether they had identified all the third-party risks their organization is exposed to.
It’s essential to establish an effective third-party risk management procedure, not least because of the requirements under regulations such as GDPR, PCI DSS, and ISO certification.
But what could go wrong? Is it worth the amount of time, money and resources needed to manage your third parties effectively? How seriously can third parties really affect your business? I have drawn up three examples of common types of risk that your vendors and suppliers could pose to your business, to illustrate the importance of managing third-party risk…
Reputational third-party risk:
In a recent survey by Deloitte, over 26% of respondents said that they had faced reputational damage as a result of an incident affecting one of their suppliers. As far as your customers are concerned, the service they receive is delivered by you. Therefore, if a third-party supplier’s operations are interrupted as the result of an incident, there’s a significant risk that the services you provide could be disrupted until your supplier resolves the problem, or you find an alternative supplier. After a disruption has affected the service you provide, customers will be less likely to trust, use, or recommend your brand.
Legal and regulatory third-party risk:
Certain suppliers will need access to your organization’s data in order to provide what you’ve asked of them. If your suppliers are trustworthy and their infrastructure is well protected, this may never be an issue. But how do you ensure that your partners are maintaining a robust security posture? A breach at a third-party supplier could impact you directly, and if they store sensitive customer data that you’ve shared with them, it could put you at risk of breaching GDPR, PCI DSS, ISO/IEC 27001 or a number of other regulations governing data security.
Financial third-party risk:
Since a range of problems can stem from financial issues such as a lack of cash flow, financial fraud or reporting errors, it pays to understand the financial risks your third parties might present.
If your suppliers aren’t financially viable, they may be forced to close their doors, and the service that you provide customers may be disrupted. Additionally, just as third-party data breaches can cause reputational damage, they can also cause financial damage from fines or loss of business.
Measuring the performance of third-party risk management:
In Deloitte’s survey, 87% of respondents said they had experienced an incident with a third party that disrupted operations. Given the third-party risks that suppliers can pose to your business’s reputation, finances, and legal/regulatory stance, organizations need to address third-party risk management.
While you may feel that the risks your suppliers present are outside your direct control, it is possible to manage and reduce the impact they may have.
Look out for the second part of this third-party risk management blog, where we will focus on building an effective strategy for third-party risk management and how to measure good practice in third-party risk management. See you then!