Risk management is the continuing process of identifying, analyzing, evaluating, and treating loss exposures and monitoring risk controls and resources to mitigate the adverse effects of loss.
But third-party risk management isn’t just a subfield of the broader category of risk management. Third-party risk management (TPRM), as this guide will argue, is its own distinct discipline.
Entities will do well to understand TPRM in its complexity. To that end, this guide (1) provides a better comprehension of third-party risk, (2) lays out the rationale for adopting TPRM procedures now, and (3) articulates certain third-party risk management best practices as they have been advanced by analysts and regulators in the field.
Third-party risk management is multi-faceted because third-party risk is so complex, particularly in the cybersecurity, compliance, and finance arenas. In fact, third-party risks are just as prevalent and varied as internal risks [i]. But tied up as they are with another entity’s actions, operations, and processes, third-party risks tend to be more unpredictable.
But what’s third-party risk, exactly? It’s the potential risk that arises from organizations relying on outside parties to perform services or activities on their behalf.
Third-party risk is particularly keen when the services or activities in question constitute material business activities, defined in the statutes [ii] as those activities that have the potential, if disrupted, to have a significant impact on an organization’s business operations or the ability of that organization to manage its risks effectively, having regard to such factors as:
The financial and operational impact and impact on reputation of a failure of the service provider to perform over a given period of time
Cost of the outsourcing arrangement as a share of total costs
Degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house
Ability of the entity to meet regulatory requirements if there are problems with the service provider
Potential losses to the entity’s customers and other affected parties in the event of a service provider failure
Affiliation or other relationship between entity and the service provider
So, why the focus on third-party risk in the first place? As Deloitte notes, companies have become more reliant than ever on third-party vendors. In fact, “the use of third-party vendors has increased exponentially” [iii].
Nor is it just a matter of the quantity of vendors; it is the kind and quality of services provided, as well. Where formerly third-party vendors were seen as cost savings and efficiency boosters, handled by Procurement, they have now become central to how businesses operate: “many companies even outsource core functions” [iv].
The implication, though, is that when vendor incidents happen, they quickly cascade into reputational crises for the organization by compromising material business activities.
Further, the pool of vendors organizations rely upon is also shrinking, according to a Deloitte Global Survey taken last year [v]. This has had the effect of introducing further risk due to the concentration of critical dependencies in the hands of a few providers.
Are organizations prepared for third-party incidents as their risk accumulates?
The short answer is the pre-COVID work many organizations did to build up business continuity and disaster recovery plans for their third-party networks hasn’t been able to keep pace with the profound shift in the risk environment ushered in by the pandemic.
We can describe that shift this way.
COVID precipitated greater dependence on cloud service providers (CSPs). As of 2022, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence on CSPs [vi]. Already staggering in itself, the figure is set to jump all the way to 88 per cent in the years to come.
Another result of COVID-related disruptions is that organizations are facing a newer spectrum of more complex risks across overlapping domains. Those domains include geopolitical, geographic/supplier concentration, sanctions, export controls, etc.
Deloitte summarizes trends in the third-party risk environment as follows:
Increased incidents related to vendors. Suppliers are causing more disruption and risks are not being managed. Information security, privacy and anti-fraud management are some examples.
Regulators focusing on supplier risk. Regulators are increasing the pressure on organizations to better manage their supply chain risk.
Pressures from economic volatility. Economic conditions mean tighter margins for suppliers.
Of the above, we’ll single out regulatory pressure for special comment. Regulatory pressure is particularly acute in the financial services sector.
Under the banner of operational resilience compliance, banking regulators have put forth specific compliance requirements for firms that have “outsourced” material business activities to third parties.
The European Union, for its part, has gone even further, passing the Digital Operational Resilience Act (DORA), which will soon compel entities operating in its vast jurisdiction to establish third-party risk management measures to mitigate ICT (information and communications technology) risk.
A quick list of relevant regulations in advanced markets includes:
Australia. Australian Prudential Regulation Authority. Prudential Standard 231 Outsourcing.
U.K. Bank of England Prudential Regulation Authority. Policies relating to operational resilience for banks, building societies and investment firms.
U.S. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury. Interagency Guidance on Third-Party Relationships: Risk Management.
How then to mitigate third-party risk, avoid exposure, and comply with statutes? At the bare minimum, companies should be following the third-party risk management lifecycle when onboarding critical third parties.
The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.
So, what does the third-party risk management lifecycle consist of?
Like the risk management lifecycle from which it is derived, the third-party risk management lifecycle [vii] is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.
The process itself consists of the following stages:
Identification of whether you need to employ a third party
Conducting due diligence
Shortlisting and selection of a third party
Sending out a risk questionnaire
Commencement of the onboarding process
Undertaking of internal audits
Contract termination or offboarding
Far from being undertaken in a silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem.
Why better governance? Internal teams often lack visibility over third parties, and that lack of visibility is itself a source of risk.
Strong governance, as Deloitte notes [viii], reduces that particular risk by increasing transparency, better aligning third-party engagements to overall company strategy, and providing consistent regulatory compliance.
Companies can go a long way toward reducing their overall third-party risk profile (remember, internal teams across any given organization engage with third-party vendors) by embedding third-party risk management practices at all levels of the organization.
The benefits of formalizing third-party governance [ix] in such a way include:
Following a more intelligent risk-based approach better aligned with enterprise strategy
Better training of staff and executive champions in aligning service delivery with strategic objectives
Development of standardized processes and proactive decision making via the use of data and analytics
Creation of fully customized, value-added tools that support decision making
Such are the benefits of third-party governance. But what should the program itself look like?
Like risk management more broadly, third-party risk governance will be highly site-specific. Of course, analysts [x] have provided some generic leading practices that all organizations with significant third-party risk exposure should consider following.
The practices consist of the following:
Define objectives and scope. To build a successful TPRM program, organizations should consider anchoring their operational resilience and third-party risk management plans to an existing framework, be it DORA, APRA, or the UK Operational Resilience Framework (more on these later).
Why? These frameworks already set criteria and expectations for third-party dependency management and business continuity planning and testing. Organizations, therefore, do not have to reinvent the wheel to perform an impact assessment and gap analysis against currently proposed drafts.
Fully understand, document, and maintain your third-party inventory.
Develop policies and procedures. Lack of coordination between internal stakeholders is often cited as the biggest challenge for organizations undertaking third-party risk management.
Enhance ongoing monitoring. Initial due diligence is only a floor. Organizations will need more robust ongoing monitoring of third parties to enable more dynamic risk reporting.
Establish a governance structure. Regardless of ownership, the program will require input from multiple functions and teams, making well-defined governance crucial. For global entities, it is therefore recommended to have a consistent global policy with local addenda for sub-entities.
Implement technology and automation. Programs that integrate digital third-party risk management functionality into the supplier lifecycle and embed automated cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.
As noted, building a successful third-party risk management program often entails aligning plans to an existing regulatory framework. This best practice makes sense. After all, the regulatory interventions themselves are the result of increased risk (to financial markets) posed by the sharp rise in third-party risk.
As a result, regulations, even for organizations outside of the industries in question, are a good place to turn to when beginning to build out TPRM programs.
On this score, what do the statutes say? Released in 2016, APRA Prudential Standard CPS 231, which deals with outsourcing, requires that all outsourcing arrangements involving material business activities be subject to appropriate due diligence, approval, and monitoring.
Drilling down a bit, some specific CPS 231 requirements include:
Maintain a policy, approved by the Board, relating to outsourcing of material business activities
Have sufficient monitoring processes in place to manage the outsourcing of material business activities
For all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed by APRA
Consult with the regulator prior to entering into agreements to outsource material business activities to service providers that conduct their activities abroad
Notify APRA after entering into agreements to outsource material business activities
The standard also imposes timely notification requirements on regulated entities should they enter into outsourcing arrangements involving material business activity. When they do, entities must also provide a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address those risks.
In many respects, the bulk of CPS 231’s requirements simply serve to extend risk management best practices to the realm of outsourcing. And so, all organizations, even those not under APRA’s remit or in the financial services sector at all, could benefit from adopting the following best practices:
Identify, assess, manage, mitigate, and report on risks associated with outsourcing to meet the institution’s financial and service obligations to its stakeholders
Have procedures to ensure that all the institution’s relevant business units are made aware of, and have processes and controls for monitoring compliance with, the outsourcing policy
Rest ultimate responsibility on the Board for oversight of any outsourcing of a material business activity. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the entity remains responsible for complying with all requirements that relate to the outsourced business activity
Give the Board responsibility to ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration
As a subset of third-party risk, ICT risk has grown by leaps and bounds. The European Parliament, as mentioned earlier, recently passed landmark legislation to address ICT risk (broadly).
The Digital Operational Resilience Act, however, also includes specific provisions on ICT third-party risk management. Included here are a few requirements laid out in that subsection which might be of interest to all organizations, even those outside of DORA’s jurisdiction:
Finally, third-party risk is exploding, while the supplier ecosystem is shrinking. Addressing this new risk environment, as this guide has argued, will take time, effort, and robust third-party risk management procedures.
Beyond these procedures, though, organizations should also seek out third-party risk management software to manage risk across their entire third-party ecosystem.
These solutions, such as Noggin, seamlessly collaborate with third parties in a unified workspace dedicated to enhancing resilience. From onboarding and due diligence to risk monitoring, contract, and action management, these platforms equip teams to pinpoint and address the top issues across the vendor ecosystem.
i. Cherelle Johannes, JDSUPRA: Risk Management 101: Navigating the Tightrope of Third-Party Risks. Available at https://www.jdsupra.com/legalnews/risk-management-101-navigating-the-1412363/.
ii. “Material business activity” as defined in APRA CPS 231: Outsourcing
iii. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.
v. Deloitte: Emerging stronger: The rise of sustainable and resilient supply chains: Global third-party risk management survey 2022. Available at https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm-survey-report-2022.pdf.
vii. LexisNexis: Defining Third Party Risk Management. Available at https://internationalsales.lexisnexis.com/glossary/compliance/third-party-riskmanagement.
viii. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.
x. Michael Giarrusso et al., EY: 2023 EY Global Third-Party Risk Management Survey. Available at https://www.ey.com/en_gl/risk/2023-ey-global-thirdparty-risk-management-survey.
Updated December 12, 2023