The risks associated with third-party relationships seem to increase every year. 2022 was no exception, as cyberattacks soared, supply chain interruptions continued, and many businesses faced economic uncertainty. Despite the risks, relying on third parties' products and services remains a key strategy for many organizations, which makes third-party risk management more important than ever as we head into 2023.
Every product, service, and third-party relationship exposes your organization and your customers to at least some level of risk. Third-party risk management is an important practice for organizations seeking to fully realize the benefits of outsourcing, as it helps protect against risks such as the five categories reviewed below.
Understanding the Continued Importance of Third-Party Risk Management in 2023
In anticipation of more intense third-party risk management in 2023, reviewing and understanding some of the most prevalent third-party risks from the past year can help you handle them more effectively in the future.
Let's review some of the risks we saw in 2022 and the third-party risk management best practices to help you manage them in 2023:
1. Cyber and Information Security
In a 2022 survey conducted by SecureLink and the Ponemon Institute, over half of responding organizations stated that they suffered a cyberattack within the last 12 months. Attackers are developing more efficient and sophisticated methods of infiltrating private networks, stealing sensitive information, and disrupting operations, which makes information security an urgent concern.
Cyber and Information Security Best Practice for 2023: Any external organization with access to your organization's networks or privileged information introduces cybersecurity risk and can expose your information to attackers. For this reason, it’s essential to conduct thorough assessments of your third party’s cybersecurity controls as part of your initial due diligence and throughout the rest of the relationship. Be sure to continually review, reevaluate, and update evidence of the third party’s controls. Documented evidence can include independent audit reports (such as a SOC 2 Type II report), penetration test results and remediation status, access management practices (for example, multi-factor authentication and least-privilege, time-bound access for any connection into your environment), cybersecurity policies and management plans, and more. Read the evidence rather than simply collecting it: for a SOC 2 report, check the audit period, the systems in scope, any exceptions noted by the auditor, and the complementary user entity controls you are expected to implement on your side. You should also verify whether your third party carries cybersecurity insurance (separate from their general liability insurance) and whether the coverage is adequate.
2. Geopolitical Concerns
Recent geopolitical events contributed to growing third-party risk. The Russian invasion of Ukraine has generated new government sanctions, trade restrictions, and evolving geopolitical concerns, including food and fuel shortages in Europe and beyond. Additionally, the Uyghur Forced Labor Prevention Act was passed in the U.S. in response to human rights abuses in China's Xinjiang region; it creates a presumption that goods produced wholly or in part in the region are made with forced labor and bars their import into the U.S. unless the importer can prove otherwise. Other geopolitical risks also affect third parties, such as new coronavirus strains, labor shortages, political unrest, inflation, and worldwide economic instability.
Geopolitical Best Practices for 2023: First, your due diligence process must include formal sanctions checks on companies, company owners, and principals against the lists that apply to you (for example, the OFAC Specially Designated Nationals list in the U.S.). You should verify the third party's ownership structure (parent, subsidiary, affiliate), where they are headquartered, where they operate, and the physical locations of any manufacturing, production, or service operations. Mapping your supply chain is also recommended to identify possible fourth- and nth-party risks.
Managing third-party geopolitical risks requires constant vigilance. Geopolitical risks must not only be identified and assessed but also monitored on a continual basis. To help keep up with geopolitical risks and changes, you may consider using subscription-based risk monitoring and alert services.
3. Financial Health
Many organizations faced financial difficulties in 2022. While there have been some improvements, many industries and businesses continue to struggle. In many cases, small businesses are finding day-to-day operations increasingly difficult to sustain. According to Meta’s 2022 Global State of Small Businesses report, approximately 1 in 5 small businesses (those with 500 employees or less) are likely to shut their doors within six months.
Financial Health Best Practices for 2023: A regular review of your third party's financials is essential. Still, your third party may not always be willing or able to provide audited financials on a regular basis. Even with alternatives such as Dun & Bradstreet reports, your organization may have to undertake some detective work when there is no way to obtain detailed financial information from private and small businesses. Be sure to look for indicators of financial difficulty, including a decline in service levels or product quality, the loss of key personnel, any mergers or acquisitions, reduced product offerings, slower payments to their own suppliers, and changes in the industry. Pay extra attention to the financial health of your critical third parties, and keep realistic, actionable contingency and exit plans in place should their financial health continue to decline.
Vendor risk alert and monitoring services can be extremely helpful in keeping your eyes on the many factors that can indicate declining health.
4. Business Continuity
Whether it was a major hurricane or nationwide severe winter storms, business-disrupting events were a frequent third-party risk scenario in 2022. Beyond weather, cyberattacks, supply chain interruption, business closures, and bankruptcy also impacted business operations for thousands of organizations in 2022. Third parties without adequate business continuity planning can disrupt, or entirely prevent, your day-to-day operations.
Business Continuity Best Practices for 2023: Start with your critical and high-risk third parties and ensure they have solid business continuity, disaster recovery, and pandemic plans in place. Verify that the plans have been tested within the past year, request a copy of the testing results, and confirm that their stated recovery time and recovery point objectives are compatible with your own. Your third party’s vendors (your fourth parties) should also be covered in the plan, especially those critical to delivering products and services to your organization.
5. Regulatory Compliance
Over the past year, legislators (both domestic and abroad) have intensified their focus on issues such as ESG (environmental, social, and governance), consumer privacy, and data security. New and pending legislation promises more work for third-party risk management teams in the not-too-distant future.
Regulatory Compliance Best Practices for 2023: Before anything else, you must understand the regulations that govern your industry, particularly those concerning third-party risk management. This means becoming educated and staying current with regulatory news and agency websites. Regulatory changes often mean updating or adding to your existing third-party risk management policy and practices.
Ensure your due diligence processes assess your third party's regulatory knowledge and compliance. When regulations are introduced or changed, re-assess your vendors' policies and practices to determine whether they remain compliant or whether changes need to be made, and document the outcome so you can show regulators the review took place.
It would be great if last year's third-party risks and challenges simply faded from view as we enter 2023, but that’s not reality. That’s why third-party risk management is an ongoing discipline rather than a once-a-year exercise. In the new year, be sure to take the time to understand existing, new, and emerging risks and make the appropriate adjustments to your third-party risk management processes.