Although competition has always been fierce in the retail industry, the last few years have proved particularly difficult for some retailers. The pandemic continues to have long-lasting effects, including supply chain interruptions, economic conditions, and labor shortages.
Consumer and retail sectors are also receiving increased attention from regulators. In June 2022, new anti-human trafficking and forced labor laws came into effect in the United States. Environmental, social, and governance (ESG) risk management practices are also becoming the norm in the global marketplace.
Meanwhile, technological advances and rapid changes in consumer habits have created new risks. Several long-established brick-and-mortar stores have closed, showing that retail businesses of all sizes must fight to survive.
Protecting Brand and Reputation in Retail
A retailer's brand and reputation are its most valuable assets. This statement has never been truer than in the age of social media, where it can take just a few minutes for trust to be eroded and the value of an organization to be destroyed. To remain competitive in a complex market, retailers must rely on their brand's reputation to attract and retain customers, employees, and investors. Once a brand's reputation is damaged, it can be difficult to restore.
In many cases, brand reputations are destroyed as a result of unexpected events and the way they are handled. Even if your company is skilled in maintaining its reputation and protecting its brand image, many external factors can impact your brand.
For example, even ten years later, Target is still remembered for its massive data breach in 2013. Hackers stole a reported 40 million credit card numbers in one of the biggest data breaches in history. Using stolen credentials from a third-party HVAC vendor, the hackers breached a platform that handled billing, contract submissions, and project management. Target settled the data breach in 2017 for $18.5 million, just a drop in the bucket compared to the estimated $202 million the breach cost them.
There have also been many cases worldwide in which retailers have unintentionally exposed their customers' payment information through compromised point-of-sale software. But data breaches are only part of the story. Some retailers have been guilty of human rights abuses and exploitative labor practices through their third parties. Chances are that a more proactive approach to third-party risk management could have prevented these issues.
What Is Third-Party Risk Management?
Third-party risk management, or TPRM, is the process of identifying, assessing, monitoring, controlling, and reporting risks that are posed by relationships with third parties such as suppliers, subcontractors, vendors, manufacturers, distributors, and other external entities.
TPRM has been around for decades, is widely considered a best practice, and is a regulatory requirement for many industries. But what exactly are the risks that TPRM is attempting to manage? Every product, service, and vendor relationship has associated risks that must be identified, assessed, and managed.
Let's examine some of the most common risks:
- Strategic risk occurs when your third party's actions and/or decisions fail to help your organization meet its goals and objectives.
- Compliance or regulatory risk happens when your third party fails to comply with laws or industry-specific guidelines. Violations of consumer privacy laws, inadequate cybersecurity practices, and human rights and labor abuses are all examples of compliance/regulatory risk.
- Cyber or information security risk includes both cyber and physical security risk. It exists whenever a third party accesses, transmits, or stores sensitive data belonging to your organization (or its customers) or has access to your privileged networks or facilities.
- Financial risk exists when your third party has poor or declining financial health, possibly preventing them from delivering products and services to your organization.
- Operational risk is present in cases where a third party's product or service is necessary to maintain your organization's daily operations.
- Concentration risk occurs when your organization obtains several high-risk or critical products or services from the same third party. It’s also present if too many third parties are located in the same geographic area, increasing your exposure to natural disasters, pandemics, civil unrest, war, etc.
- Reputation risk occurs when your third party's actions or decisions impact your customers' perception of your organization. Your vendor's bad customer reviews, lawsuits, and negative publicity can all harm your retail brand.
- Geopolitical risk occurs when a vendor is located in a country or location with political unrest, corruption, human rights violations, lax privacy and data security laws, or other factors that could negatively impact your operations, finances, or reputation.
Left unchecked, any of the risks above can negatively impact your organization or customers. The best way to manage these risks is to identify and mitigate them before they become major problems for your organization, customers, employees, or investors.
For retailers, third-party risk management is the best solution.
Developing, implementing, and maintaining a third-party risk management framework for any organization takes time, effort, and constant improvement. Still, protecting your retail brand and business is a necessary and worthwhile endeavor.
Components of Third-Party Risk Management
Every organization must begin by identifying all the third parties with whom it does business and the products and services they provide. Then, determine which products, services, and relationships will be in scope for the program.
From there, it’s a matter of building a TPRM framework that incorporates the following components:
TPRM Policy: A formal document that details the internal rules and requirements for TPRM, clarifies stakeholder roles and responsibilities, and outlines the governance and oversight of the program.
Inherent Risk Assessment: An internal questionnaire that identifies the specific types and amounts of risks associated with the product or service.
Risk Ratings: A methodology to rate the amount of risk in a vendor engagement based on the results of the inherent risk assessment.
Vendor Criticality: Criteria to establish if a vendor is critical or non-critical to day-to-day operations or to your customers.
Due Diligence: Verifies that a third party operates legitimately and has an established reputation. Also includes the processes to collect, analyze, and review information and documentation provided by the vendor to evidence their risk management practices and controls.
Vendor Risk Review: The formal evaluation and review of vendor due diligence information performed by qualified subject matter experts.
Contracting: Contracts are an essential risk management tool, so it’s important to define the standard terms and conditions you’ll require in the contract based on the risks of the engagement. These include insurance and indemnity, cybersecurity protections, legal and regulatory compliance, business continuity, and a right to audit.
Periodic Risk Re-Assessment and Due Diligence: Third-party risks are always changing, so it is important to re-evaluate the inherent risks and conduct vendor due diligence regularly (at least annually for critical or high-risk vendors).
Performance Monitoring: Ensuring your vendor is meeting performance expectations and delivering the anticipated value of the engagement.
Ongoing Risk Monitoring: Vendors must be monitored for new and emerging risks between formal risk re-assessments. Risks can be internal, such as a change in management or declining financial health, or external, such as industry developments or regulatory changes.
Reporting: Effective TPRM programs ensure that reporting is reliable and repeatable for the purpose of helping stakeholders drive action, address issues, or make decisions.
TPRM has been a regulatory requirement and best practice for decades, and for good reason. Identifying and managing risks before they impact your organization is just common sense. Although TPRM is still relatively new in the retail industry, now is an excellent time to develop your framework. Remember, TPRM is one of the most important tools any organization can have to protect its valuable reputation and safeguard the brand.