Most organizations will need to rely on third parties at some point. Those relationships expose your organization to various types of third-party risk. Even if you understand the basic concepts behind these third-party risk types, it may be difficult to know how they could affect your organization. To improve understanding of third-party risk, we’ll cover examples of typical third-party risk types to illustrate how these risks manifest.
## 6 Third-Party Risks and Examples
- Compliance: This risk appears when a third party fails to comply with laws and regulations that govern the products and services your organization provides to customers.
Example: Your organization has a third party that provides loan services. The third party created a marketing campaign that advertised lower interest rates on future loans for consumers who repaid on time. However, thousands of customers filed a complaint, stating they weren't eligible for lower interest rates despite a history of on-time payments. The CFPB filed an action against the third party for violating the Equal Credit Opportunity Act, leaving your organization exposed to compliance risk.
- Strategic: The third party presents a strategic risk when its actions or decisions don't align with your own organization's objectives.
Example: After creating a new product, your organization requires a third party specializing in its delivery or distribution. As you perform your due diligence on a selection of vendors, you discover that they all use the same type of technology to automate a particular function. However, two of the vendors you're vetting use outdated technology with a history of issues. Selecting a third party that uses aging technology would present strategic risk to your organization.
- Operational: A third party can present internal and/or external operational risks. Internal risk can relate to the third party's own ineffective or failed processes, people, controls or systems. External risk can be caused by outside events like natural disasters, cyberattacks or acts of terrorism, which are beyond the control of the third party.
Example: Your organization relies on a third party to provide virtual customer service. Their customer service center is in an area known to have recurring natural disasters like hurricanes, flooding or wildfires. Even though they have business continuity (BC) and disaster recovery (DR) plans, the third party hasn't tested them in over a year. They may be unaware of new risks or issues that could make their plans ineffective. As hurricane season approaches, your organization will be facing operational risk because of your third party's untested BC/DR plans.
- Information Security: Cyber and physical security risks both fall under the umbrella of information security risk. Cyber risk is present when a third party has vulnerabilities that can expose your organization's data through events like cyberattacks and breaches. These vulnerabilities can be anything from an unsecured server configuration to weak policies regarding on-site visitors.
Example: A third-party vendor is used to manage your customers' passwords. During the pandemic, they shifted to a hybrid work model. However, they neglected to update their information security policy with requirements specific to remote working. Your organization is exposed to information security risks and potential data breaches that can affect your customers.
- Financial and Credit Risk: A third party's financial health can significantly affect its ability to consistently provide quality products and services to your organization. Insufficient investor funding, cash or credit can expose your organization to financial and credit risk.
Example: When performing due diligence on a potential new third party, your organization reviews its financial records and discovers that they have no available credit and less than six months' worth of operating cash. An unstable or unhealthy financial profile may indicate that the third party cannot provide products and services to your organization's expectations and may go out of business during the contract term.
- Reputation Risk: Third parties can impact your organization's reputation in many ways: through poor service, lawsuits, data breaches or even misrepresenting their relationship with you. Your customers won't differentiate between your organization and a third party, so managing this risk is essential to protect your valuable reputation.
Example: Your organization's third party suffered a data breach and began the process of notifying your customers who were affected. However, the third party mistakenly sent notification letters to your customers' next-of-kin. These letters revealed confidential health information such as illnesses, medications, and medical procedures. Understandably, your customers are upset and have filed a lawsuit against your organization for violating HIPAA, which prohibits disclosing patients' health records without consent. As a result, your reputation is severely damaged because of your third party's actions.
## 3 Best Practices to Manage Third-Party Risk
Now that you have a better understanding of how third-party risk can affect your organization, let's review some vendor risk management best practices:
- Perform risk-based due diligence: After determining the vendor's inherent risk and criticality, you can proceed with collecting and reviewing due diligence. For critical or high-risk vendors, you'll want to review additional documentation such as BC/DR plans.
- Schedule ongoing monitoring: Vendors need to be monitored for risk throughout the relationship, not just at the beginning. Regular performance reviews, risk assessments, document collection, and monitoring will help your organization stay on top of existing risks and identify new or emerging risks.
- Report to the board of directors and senior management: Regulatory guidance requires that the board and senior management be involved in vendor risk management. By keeping them informed of vendor risk management activities, they'll be better prepared to set the "tone-from-the-top" and establish clear goals for your organization.
Third parties often provide significant value by delivering additional products and services or supplementing the capabilities of an organization. They can also present many risks that need to be appropriately managed. Identifying and managing existing, new and emerging risks will help your organization get more benefits from your third-party relationships.