Manage Third-Party Risk in 5 Easy Steps

Most businesses can’t operate without the help of vendors who provide services, supplies, inventory, or other essentials. You have to cultivate relationships with third parties if you want your business to thrive, but those relationships are inherently risky. And if your company isn’t doing all it can to mitigate third-party risk, then it could be vulnerable. While you may be able to bounce back from many risk events, it’s still going to be expensive to repair the damage.

Of course, third-party risk management isn’t as simple as performing an onboarding assessment. You probably shouldn’t trust a vendor to be forthcoming with you about risk events like data breaches — and to be fair, sometimes vendors might not even realize they’ve suffered a security breach or other damage until it’s too late. You need to understand the risk profiles of each of your vendors, classify them according to how essential they are to your operations, adjust your contracts accordingly and then take the time to monitor vendor risks throughout the term of your relationship.

1) Know What Threats You’re Facing

Before you onboard a new vendor, you need to understand their full risk profile. Do they work with fourth and fifth parties overseas? There could be liability under the Foreign Corrupt Practices Act, and your company could be sanctioned even if you weren’t involved in the vendor’s behavior overseas. How sound are their cyber security protocols? Will they have access to customer data, and if so, how much of it and when? Will they get to store it, and if not, how will that be prevented? A vendor’s work with subcontractors could present further risks, especially if those subcontractors have access to sensitive data or secure physical locations. Perform a thorough and objective risk assessment of any vendor before onboarding.

2) Assess Your Vendor Relationships

Some vendor relationships will be riskier than others due to the nature of the services, products, or materials provided and how critical they are to your operations. The more critical a vendor is to your business functions, the higher the risks involved in the relationship. When a third party provides the supplies or services you need to function, you can’t function if they fall through. A vendor failure could interrupt operations, damage your reputation, and cost you money.

Assess your vendor relationships and categorize them according to what level of risk they present for your organization. Your strategy for third-party risk management will be different for vendors with the highest level of risk than for those with the lowest risk. Understanding the varying risk levels of your different vendor relationships will help you prioritize protections for business-critical functions.

3) Adjust Your Contracts

Contract management can help you put controls in place that protect you from third-party risk and even from risk further downstream. Contracts will need to accommodate regulatory requirements, but there is a range of other aspects of the vendor relationship that can be specified in the contract, too. For example, you can specify security controls and indicate whether or not subcontractors are permitted. Contracts that haven’t been renewed for several years may need to be updated to reflect modern security and privacy issues.

4) Monitor Risks on an Ongoing Basis

You can’t just assess vendor risk once and assume it’s going to stay the same throughout the life cycle of your vendor relationship. Vendor risk levels can evolve and grow as vendors change their structure, operations, or strategies. Some risks, like cyber attacks or natural disasters, can emerge suddenly. Others may be more predictable — if the area where the vendor operates is experiencing civil unrest, for example, you can reasonably foresee a chance of it interrupting operations. By monitoring vendor risk, you can detect these kinds of changes and adjust for them before any damage is done.

5) Collaborate to Reduce Risk

You’ll often need to work closely with a vendor if you expect to successfully manage risk. In many cases, you’ll need boots on the ground providing oversight of downstream relationships to prevent issues with foreign corrupt practices or monitor physical and cyber security protocols. Vendors should be amenable to working with you to lower risk, because it will benefit them, too. 

Third-party risk can be a real threat to your company, but not if you take steps to manage it correctly. With the right approach to vendor risk management, you can stave off most catastrophes, and be better prepared for the ones you can’t.

Adam Hansen