Third-Party Risk Management Best Practices for 2024

As we begin a new year, it’s an excellent opportunity to reflect on the past and make important decisions for the future, especially for your third-party risk management program. Every year, new and emerging third-party risks arise, and we learn valuable lessons that help us improve and mature our programs.

In this regard, let's take a quick look back at 2023 from a third-party risk management perspective and identify 7 third-party risk management best practices for 2024.

Third-Party Risk Management Lessons From 2023

• Cybersecurity remained the top priority for organizations worldwide. As technology and dependence on digital products and services increase, cybercriminals do their best to stay one step ahead. Major data breach incidents like the MOVEit breach showed cybercrime isn’t slowing down, attacks are getting larger, and more industries are being impacted.
• Business continuity continued to be the second leading concern after cybersecurity. According to the National Oceanic and Atmospheric Administration, the U.S. experienced 23 separate billion-dollar weather and climate disasters in the first eight months of 2023 – the largest number since records began. Natural disasters are only one type of business interrupting event. Whether it’s cyberattacks, data breaches, or failed internal operations, organizations must ensure third-party vendors have robust and tested business continuity and disaster recovery (BC/DR) plans.
• Geopolitical risks were front and center. Organizations need to exercise caution with unstable political environments, government policies, sanctions, civil unrest, war, and terrorism. In 2023, fluctuating energy prices and weather events adversely affected many supply chains. The ongoing conflict between Russia and Ukraine, as well as recent events in Israel and Palestine, have illustrated the global repercussions of violent conflicts. Even if an organization isn’t directly involved in business activities in a foreign country, it can still be exposed to risks through fourth and nth parties in their supply chains.
• Artificial intelligence (AI) continued to expand its influence across various industries, and serious concerns have arisen regarding the potential risks of third-party AI tools and services. Organizations relying on third-party AI now need to consider the risks of data breaches, privacy violations, and algorithmic biases when conducting risk assessments, due diligence, and monitoring.
• New or changed regulatory requirements made headlines in 2023. The long-awaited Interagency Guidance on Third-Party Relationships became effective, which resulted in an expanded definition of third parties that now includes all business relationships. As a result, the scope of third-party risk management significantly increased for the financial industry. The National Credit Union Association (NCUA) and the Securities and Exchange Commission (SEC) also imposed prescriptive data breach notification requirements. The FTC's Safeguards Rule went into effect, requiring organizations like non-bank lenders, auto dealerships, mortgage companies, and consumer reporting agencies to establish security programs with administrative, technical, and physical safeguards to protect customer information. To add further complexity, many more state privacy laws became effective in 2023. 
• Third-party financial risk has always been important, but it took the spotlight in 2023. The failure of three regional banks – Signature Bank, Silicon Valley Bank, and First Republic Bank – caught many organizations off guard, resulting in various negative impacts. These bank failures underscored the importance of assessing the financial health and stability not just of your conventional third-party vendors, but also of your financial services providers and other strategic partners such as fintech companies.

Third-Party Risk Management Best Practices for 2024

2023 indeed emphasized the need for robust third-party risk management. So, what can organizations do to prepare to identify, assess, manage, and monitor third-party risks in 2024? Here are 8 best practices to follow:

1. Continue to prioritize third-party risk management. It’s clear from 2023 that third-party risks continue to grow and emerge, especially in the midst of economic uncertainty for many industries and organizations. Although it may seem like investing less in third-party risk management is a good idea to weather the economy, this can actually make things worse. It’s crucial to continue to prioritize third-party risk management and prevent regulatory fines, expensive data breaches, and lost dollars from unmanaged contracts.
2. Follow the third-party risk management lifecycle. It’s been developed by regulators to ensure organizations can effectively identify, assess, manage, and monitor third-party risks throughout the lifetime of any engagement. The third-party risk management lifecycle consists of three stages: onboarding, ongoing, and offboarding. Each stage has specific tasks and activities to ensure nothing is missed and activities take place in the correct sequence.
3. Maintain cybersecurity best practices. Collaborate with your internal cybersecurity experts to set a regular exchange of data regarding new and emerging vulnerabilities. Implement a rigorous practice of risk monitoring and review to keep cyber risks from going unidentified or unmanaged. As a reminder, it's a good time to review third-party insurance to ensure cyber policies are separate from general liability and have adequate coverage.
4. Review business continuity and disaster recovery plans. It’s crucial to give extra attention to the BC/DR planning of your third-party vendors, especially those who pose a high risk, are critical to your business operations, or can impact your customers. Double check to make sure the third party has tested their plans recently and the results were acceptable. It’s also important to ensure your third parties disclose any critical fourth or nth parties and include them in their BC/DR plan.
5. Monitor third-party risk and performance. Effective third-party risk management includes regular re-assessment of inherent risks and third-party reviews to make sure the third party has still has appropriate risk management practices and controls. Between those periodic reviews, it’s essential to keep your eyes open for any new or emerging risks or declining performance. Consider using professional risk intelligence and monitoring services to provide you with real-time information concerning changes to your third parties’ cyber risk profile, geopolitical concerns, financial health, ESG practices, negative news, and more.
6. Manage third-party issues. Don’t wait for small problems to become unmanageable. Even a small decline in performance or temporary failure of a third party’s processes must be addressed and mitigated as soon as possible. Tracking identified issues, along with its description, issue owner, remediation plan, and timing, can help you hold stakeholders accountable and prevent problems from escalating.
7. Stay aware of regulatory updates. If you’re in a regulated industry, it’s good to know that regulatory requirements often change as a result of new and emerging risks. Even regulations that have been recently updated aren’t immune to additions or amendments. Stay up to date by signing up for alerts at your regulator’s website. When proposed changes are announced, don’t wait until the guidance is effective to work toward compliance.
8. Review and update key documentation. It's crucial to regularly review and update all the essential documents related to third-party risk management, including inherent risk assessments and vendor questionnaires. These should incorporate new regulatory guidelines and emerging risks. Review your governance documents carefully and ensure they reflect the current regulatory guidelines. Also, the tools and documents used to assess risks and gather information should consider not only the known risks but also those that are new and evolving, such as AI.

It's impossible to predict all the third-party risks that may arise in 2024. However, it's essential to remember that mastering the fundamentals such as following the lifecycle, prioritizing cybersecurity, reviewing BC/DR plans, monitoring risk and performance, and managing issues can help organizations cope with the challenges of third-party risk management more effectively. Additionally, updating important documentation and being aware of regulatory developments can make it easier for organizations to identify risks and ensure compliance both now and in the future.