What Is Third-Party Risk? A Quick Look for Beginners

Internal and external business risks are a given for every organization, regardless of size or industry. And many external risks are from third parties contracted to provide products and services. Third-party risks can be just as impactful to an organization’s success and well-being, yet these types of risks are often misunderstood or left unmanaged. This can lead to significant consequences for an organization and its customers.

What Is Third-Party Risk? 

Third-party risk is the potential harm that a third party can impose on your organization or customers. This harm can occur because of the third party’s actions or inactions and can be intentional or accidental. A third party that fails to patch a security vulnerability is an example of inaction that puts your organization at risk of a data breach. A third party that provides poor products or services on your behalf to your customers would be an example of a third party’s actions putting your organization at risk of reputational harm. Your organization is ultimately responsible for identifying and managing any third-party risks that occur within your vendor engagements.

Common Types of Third-Party Risk 

Many third parties will contain more than one type of risk, depending on the product or service they provide to your organization. However, it’s important to identify and measure each risk individually: 

• Strategic – The third party’s actions aren’t aligned with your strategic objectives. This might occur if the third party uses aging technology or makes abrupt changes to their core products and services. 
• Operational – The third party is unable to serve your organization because of internal or external factors. Internal factors can refer to the third party’s processes, controls, systems, or people that are ineffective. External factors can refer to natural disasters, cyberattacks, or geopolitical events. 
• Compliance – The third party’s products or services fail to comply with laws, regulatory guidelines, or your organization’s internal policies, business standards, procedures, or conduct codes. 
• Information security and cybersecurity – The third party doesn’t have effective security controls, which can increase the likelihood of cyberattacks or data breaches that impact your organization or customers. 
• Financial and credit – The third party’s financial health is poor, which can affect its ability to meet its contractual obligations and continue providing products or services to your organization.   
• Reputation – The third party’s actions have a negative impact on your reputation. This may occur if your third party interacts with your customers on your behalf and delivers poor-quality products or services. Your reputation can also be damaged if a third party suffers a security incident that affects your data or your customers’ data. 
• Concentration – A single third party provides multiple high-risk or critical products or services to your organization. This can also be known as a single point of failure (SPOF) risk. Your organization would be significantly impacted if the third party suffered an outage or went out of business. Concentration risk also exists when your organization has multiple high-risk or critical vendors in the same geographic area. An external event like a natural disaster could impact many of these vendors at the same time, which would disrupt your organization’s operations.  
• Geopolitical – The third party operates in a region that’s vulnerable to geopolitical situations that can harm your organization or its customers. These situations may include corruption, political unrest, human rights violations, or lax privacy laws. 
• Transaction – The third party processes or accepts your customers’ payments on your behalf. Payment processors are highly regulated, so this type of risk can lead to significant consequences for your organization like legal fees and regulatory violations.   

How to Manage Third-Party Risk With the Third-Party Risk Management Lifecycle 

The third-party risk management lifecycle is a simple visual that illustrates the main stages and activities involved in third-party relationships.  

Here’s a brief look at the three stages and each activity’s role in managing third-party risk: 

1. Onboarding – Before you even enter the third-party engagement, you should evaluate third-party risks and implement controls to mitigate the risks. 
   
   • Planning & Risk Assessment – Planning activities will identify the individual who will be managing the third-party risk. The inherent risk assessment identifies the type and amount of third-party risk that will need to be managed. It also determines if a third party is critical to your operations. Inherent risk is generally measured on a scale of low, moderate, and high. 
   • Due Diligence – Pre-contract due diligence will verify whether the third party has the appropriate risk management practices and controls.
   • Contracting – Sets the provisions to protect your organization from third-party risk.
      
     Example: Your organization may establish a standard set of contractual terms and conditions for all critical and high-risk third parties. Those provisions might include indemnification and insurance requirements, service level agreements (SLAs), business continuity planning, cybersecurity protection, and more.    
2. Ongoing – Third-party risks can emerge or evolve after the contract is signed. The following activities help ensure third-party risk is continuously managed:
   
   • Re-Assessments – These confirm whether the third-party risk has changed since the inherent risk assessment was first completed. 
     
     • Critical and high-risk third parties should be re-assessed at least annually, or more frequently if there are any issues like a data breach or a decline in performance. 
     • Moderate-risk vendors should be re-assessed every 18-24 months.
     • Low-risk vendors can be re-assessed every three years, or during contract renewal.
   • Monitoring & Performance – Ongoing monitoring and performance management help identify new or evolving third-party risks that may arise in between formal risk re-assessments. Negative news, declining performance, or changes in a third party’s financial health can all signal elevated risk that must be assessed and managed.
   • Renewals – Mid-term contract reviews and the subsequent renewal process help determine the most effective strategies to continue managing third-party risk. Depending on the risks identified during re-assessments or monitoring, your organization may decide to renegotiate the contract for additional provisions or decline to renew the contract and proceed with your exit strategy.
   • Due Diligence – Periodic due diligence confirms that the appropriate controls are still in place to manage third-party risk.
     
     
     Example: Business continuity plans can become obsolete, insurance certificates can expire, and SOC reports can become outdated, so due diligence must be performed periodically to ensure the third party’s documents are current and effective. This risk-based process typically follows the same cycle as risk re-assessments.
3. Offboarding – Risk can still be present even when you’re ending the third-party relationship. These offboarding steps help ensure third-party risk is thoroughly managed until the end:
   • Termination – Reviewing your contract and notifying the third party of its termination keeps your organization aware of any risks that may be involved, such as additional costs or unexpected delays.
   • Exit Plan Execution – Following your exit plan will help manage the risk that arises when the third party returns or destroys any sensitive data they may have in their possession.
     
     
     Example: Once the third-party relationship ends, it’s important to have clearly defined duties and responsibilities. This includes the return or destruction of data, revoking third-party access, and the return of equipment.
   • TPRM Closure – These final administrative tasks, such as updating your accounts payable system, help prevent any unmanaged risk from impacting your organization after the contract has ended. 

The three lifecycle stages are supported by a foundation of governance elements, which are also essential in managing third-party risk. 

• Oversight & Accountability – Third-party risk can’t be managed effectively without holding stakeholders accountable for their responsibilities. Senior management and the board should have oversight duties and establish a “tone-from-the-top” on how to manage third-party risk throughout the organization.
• Documentation & Reporting – The policy, program, and procedures each have a role in communicating the details of each third-party risk management activity. Regular reporting can help drive action or decisions about how third-party risk should be managed more effectively. 
• Independent Review – Independent reviews from internal auditors and external examiners provide detailed assessments of an organization’s third-party risk management processes to provide feedback and suggest improvements.  

Third-party risk can be an overwhelming concept because it highlights the potential challenges that arise when an organization is dependent on other entities. Fortunately, the practice of third-party risk management is an effective strategy that helps organizations identify and mitigate this specific business risk.