Third-Party Risk Management: Challenges and Best Practice for Companies
What makes third-party risk management so relevant for companies? Challenges and best practice.
A Deloitte survey on Global Extended Enterprise Risk Management (EERM) published in 2021 shows that most companies believe the cost of a third-party incident has at least doubled in the past five years, and with Covid-19 being declared a global pandemic, the research predicts a further increased need for investment in risk management.
The research shows that the cost of a third-party risk incident such as a supply chain failure, data privacy breach or disruption to IT would cost your organization between €470m – €940m, or more. As highlighted by Kristian Park, Deloitte Global leader for Extended Enterprise Risk Management, “despite an increase in incidents, companies are not yet investing sufficiently in managing third-party risk”.
What makes third party risk management so relevant for companies today?
While organizations may have considerable visibility into their own ethics, compliance and risk management practices, they often have little insight into, or understanding of, the risks posed by associated businesses. These threats are heightened by today’s regulatory environment, in which world governments and enforcement agencies are increasingly holding organizations responsible for the values, ethics and business behaviors of their third parties.
The potential harm posed by third parties is not limited to regulatory action. The reputational damage firms can experience for associating with an unscrupulous or negligent third party can be far more substantive and lasting than regulatory fines. Businesses can also be held accountable for the past actions and prior associations of the companies they acquire. In some cases, the relationship with the offending party may not even be known to the acquiring organization, yet the damage can be far-reaching, long-term and difficult to recover from.
Third-party relationships and reliance on third parties for crucial business requirements have existed for ages, but the art of managing your risk against regulatory requirements and best practices is a relatively new business requirement. To properly align your organization with the guidelines of numerous regulatory agencies and acts (SAPIN 2, UK Bribery Act, FCPA, BaFin, etc.), you need to pursue a risk-based program that adapts to the level and nature of the risk each of your third parties represents.
Enterprises entrust the protection of their crown jewels, their customer data, their finances, their reputation, and their business availability to their third parties.
A breach of your third party is a breach of your enterprise, so you need to know:
- Are they trustworthy?
- Why?
- Why not?
- What should be done about it?
- What level of risk do they pose?
- What is your risk appetite?
These questions are yours to answer and act on.
What are the challenges for companies?
Organizations across the globe are exposed to critical business risks emerging from COVID-19, sanctions violations, corruption, compliance violations, payment fraud, and data and security breaches. To combat these risks and protect the reputation of your organization, your compliance program must be dynamic, robust and effective enough to adapt to rapidly changing conditions and threats.
Third-party risk management is hard. It requires deep transparency, strong accountability, comprehensive and secure software and effective collaboration. To keep pace, organizations are expected to employ mechanisms designed to identify who their third parties are, understand how they do business and determine how committed they are to ethical business and people practices. Knowing and understanding your third-party ecosystem and the risk that ecosystem could present to your company should be a critical process in your risk management if it is not already.
Best Practice: The Risk-Based Approach to Third Party Risk Management
All organizations are now expected to employ a risk-based approach to the development and implementation of their compliance programs. Such a risk-based approach begins by applying objective criteria to all third parties, creating logical evaluations of potential risks that can be used to formulate tailored risk-mitigation strategies. Organizations identified as high-risk can then be designated for further screening, depending on the specific red flags and risk factors posed. Finally, a risk-based approach to Third Party Risk Management requires continuous monitoring of all parties, with assessments routinely updated to reflect any “apparent violations or systemic deficiencies identified” (A Framework for OFAC Compliance Commitments, page 4).
Adopting a risk-based Third Party Risk Management program provides numerous benefits for your organization including preventing third-party misconduct, avoiding government investigations and enforcement actions, enhancing your organization’s ethical culture and extending that ethical culture to your organization’s third parties.
The first steps for your third party risk management programme
If your organization has not formalized its Third-Party Risk Management program, it is important to understand the best practices that you should be striving toward. One-size-fits-all solutions never work, as each organization has a different inherent risk profile. Your compliance program needs to reflect actual risks rather than assumptions. The first step is to gather the right stakeholders from within the organization, including the compliance team, the legal team, procurement, audit and others, so everyone can understand both the broad objectives and the organization’s unique risk profile. That profile should steer all other risk-management processes.
This guide provides a clear overview of how to successfully conduct a compliance risk analysis in your company