As we reach the middle of 2022, Third-Party Risk has become a significant area of focus for risk governance professionals and the organisations they work for. Between the impact of Covid and the instability caused by the war in Ukraine, the global arena has seen a sudden increase in third-party issues, including supply chain disruption and cyber security breaches.
Recent reports indicate that while 85% of Third-Party Risk Management (TPRM) executives now identify TPRM as a strategic priority, around 50% of businesses are underprepared for incidents caused by third-party vendors and suppliers. As a result, many companies are keen to implement new TPRM assessment programmes that introduce more formal due diligence and allow continual monitoring of third parties, since a third party whose business practices are unethical, non-compliant or vulnerable to data breaches can damage a company's reputation and bottom line.
What is TPRM?
Third-Party Risk Management (TPRM) is the part of risk management concerned with identifying and reducing risks that arise specifically from the use of third parties - vendors, suppliers, partners, contractors or service providers.
This area of risk governance and control is designed to identify, assess and manage the third parties a company relies on, and to evaluate the safeguards those third parties have in place to minimise the risk they pose to the businesses they supply.
Why use third parties if they come with risks?
Most modern organisations depend upon outsourcing to third parties for the smooth running of their business. Third-party suppliers can save companies time and money by providing services and expertise not available in-house. This can be anything from the transportation of goods to website hosting or cloud storage.
While most companies would struggle without third-party input, supplier incidents can have far-reaching ramifications. Short-term issues such as a website being offline can cause lost sales and reduce customer confidence, but a large data breach, or a relationship with a supplier that has poor ESG credentials, can cause long-term reputational damage and discourage clients and investors.
Key challenges for TPRM in 2022
The TPRM issue a company is currently most likely to face is a cyber security incident, with over half of the data breaches since 2020 occurring via third parties. However, to be truly successful at managing Third-Party Risk, companies need to focus on several areas. Key areas include:
- Operational Risk – could a failure at the third party disrupt your company's day-to-day service to its own customers?
- Compliance – does the third party comply with the regulations and laws of your region, such as GDPR, and with your own policies, such as your diversity, equity and inclusion (DE&I) policy? If not, your business could be non-compliant by working with them.
- Cyber security – is the third-party vendor vulnerable to a cyber attack that would expose your business's confidential information or your clients' data? Any vendor that holds your data or has access to your systems extends your attack surface, so their security posture needs to be assessed as if it were your own.
- Financial Risk – if a third-party supplier cannot meet manufacturing requirements or delivery deadlines, this can lead to customer refunds and loss of repeat business, which will have a detrimental effect on company profits.
- Reputational Risk – is your supply chain free from modern slavery? Are you employing a vendor with a poor carbon footprint? Third parties who engage in unethical practices can bring your organisation into disrepute, causing negative public opinion and reputational damage.
- Strategic Risk – a combination of any or all of the above could cause an organisation to miss its overall business objectives, meaning it fails to move forward and achieve growth. This can have a knock-on effect on the retention and recruitment of staff as well as on revenue.
Each of these risks can also affect the others; for instance, a compliance issue could cause reputational damage, which in turn could have a financial impact. It is therefore important not to think of them in isolation but to address the complete spectrum of third-party risks as a whole.
The future of TPRM
A robust programme of due diligence, service level agreements and constant, formalised monitoring appears to be the way forward for TPRM. This is good news for Risk and Governance professionals: many roles are becoming available as companies look to reduce their exposure to damaging, unforeseen events.
TPRM is, without doubt, a growing field, and as compliance requirements increase and customers and investors become ever more socially conscious, third-party monitoring and reporting methods will likely continue to develop to meet the evolving needs of risk management.
If you are a Risk professional or your company is looking to grow its risk and governance team, contact McGregor Boyall today and find out how our expert recruiters can help you.