Expert Answers to Biz Questions
Here’s What You Need to Know about Managing Third-Party Risk
Third-party risks are bigger than ever. Most companies these days -- even the smallest ones -- rely on third-party vendors for services, supplies, distribution, and even contractors. But these relationships also expose your business to risk.
That’s because what goes wrong in a vendor’s organization can easily affect your organization, and in the case of issues like data breaches or cyber attacks, can even spread to it. If your third-party vendor doesn’t adhere to regulatory guidelines, your company could face sanctions. If your vendor’s lax security protocols enable a data breach, your reputation and security could be on the line. Managing these risks is an essential part of running a business today. Here’s what you need to know.
Risk Assessment Has Moved Beyond Procurement
The days when you only had to worry about assessing a vendor’s risk profile during the procurement process are over. Things can change quickly in a vendor’s organization: if there’s a data breach, or some other cyber event, your vendor’s entire operation could shut down in a matter of hours, and if it doesn’t, that could just mean worse news for your organization as the security breach spreads.
And in the new regulatory landscape, there are other reasons to monitor vendor risk on a continuous basis. For example, efforts to curb corruption in the supply chain mean that, under the Foreign Corrupt Practices Act (FCPA), you could be held liable for the unlawful actions of third-party suppliers and vendors even if they’re not located in the U.S. And even if your organization successfully fights off the charges, the cost of defending yourself could be debilitating, especially for a smaller company.
Whether you’re hoping to fend off data breaches, provide regulatory oversight to protect your company from liability, protect your reputation, or just make sure that you have the supplies and services you need to operate, it’s imperative that you make third-party risk management an ongoing process of monitoring vendor profiles for changes in their risk level. With enough advance warning, you can even better prepare your organization for harder-to-avoid risk events like natural disasters and geopolitical unrest.
Remain Vigilant Against Vendor Risk
According to one study by Deloitte, 87 percent of firms surveyed said they experienced a vendor risk event serious enough to disrupt operations, and 11 percent of those surveyed said the event was bad enough to result in a complete failure of the third-party relationship. Clearly, third-party risk is common, and no matter how long you’ve been working with a vendor, no third-party relationship is immune to risk.
Third-party risk management should be a priority at every level of your organization, and your vendor risk management program should have strong oversight. Align your approach to third-party risk management not with short-term gains, but with supporting your company’s mission and objectives.
Work together with vendors to build a framework for risk management into the relationship. Every interaction with a vendor should be conducted with managing risk in mind, as well as with meeting your strategic goals and collaborating to help the vendor meet theirs. Employees should be trained on how to build risk management strategies and safeguards into their vendor interactions, and there should be standardized processes for managing risk.
It’s important not to take an emergency-focused approach, in which you wait for a risk event to happen and then respond to it. Instead, you should take a proactive approach that seeks to prevent emergencies and prepare your organization to cope with them when they do occur. You can save a lot of money, time, and stress by monitoring vendors for changes in risk status, and responding accordingly to prevent risk events like data breaches, reputational damage, or operational failure.
If you want to be in business today, you need to be able to negotiate successful and long-lasting vendor relationships. But these relationships don’t come without risks. Vendors can fail to meet their contractual obligations for any number of reasons, and they can create other risky situations when they fail to take seriously the ramifications of lax cyber security protocols or poor conduct abroad. Only when you maintain continuous risk monitoring can you hope to keep your company safe from third-party risks.
Copyright 1995-2021, Idea Cafe Inc. Downloads are for personal use only, not for resale to others, and may not be reprinted in any form without written permission from Idea Cafe Inc.
DISCLAIMER: We hope whatever you find on this site is helpful, but be cautioned that it may not apply to your own situation, or be totally current at any given time. Idea Cafe Inc. and all of its current and past experts, sponsors, advertisers, agents, contractors and advisors disclaim all warranties with regard to anything found anywhere on this family of websites, quoted from, or sent from Idea Cafe and its related sites, publications and companies. We also take no responsibility for comments published by others on these pages. TRADEMARKS: The following are Registered Trademarks or Servicemarks of DevStart, Inc.: Idea Cafe®, Online Coffee Break®, The Small Business Gathering Place®, Take out Info®, Biz Bar & Grill®, Complaint-O-Meter®, A Fun Approach to Serious Business, CyberSchmooz, and BizCafe.