Third party management

Introduction

In favor of focusing and specializing on core competencies, most businesses nowadays are increasingly and heavily relying on third parties to support their businesses by outsourcing great amount of their activities such as IT support, software development, data hosting, physical security, cleaning services, heating and air conditioning, and thus subcontracting with external suppliers and service providers which are estimably responsible for driving around two-thirds of total revenue and often offer better services at low-costs. This tendency is generating numerous critical business partnerships and requires adequate control and oversight.

Third party management is the process of monitoring and managing business collaboration with external parties such as vendors, manufacturers, suppliers, partners, distributors, resellers, cleaning and security services, etc. the process is established by managing information, measuring performance, assessing risks, binding to contractual agreements and compiling to regulations.

Third party related risks

Studies revealed that the majority of recent security breaches occur as a result of third parties. Indeed, when organizations rely on third parties, their exposure to risk enlarges. If for instance a trusted vendor has deployed but poorly maintained an anti-malware software, it might end up in a massive cyber-attacks as his network gets compromised. A non-critical but trusted service provider such as an air conditioning contractor who is insecurely connected to the organization’s internal network for data synchronization or billing purposes should be then considered a high risk source. If an organization outsources the software development to a third party, he by then raises a significant risk if he closes down while the organization do not have the appropriate talent, documentation, tools or the source code itself to carry on the development and support activities.

The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access to sensitive data or property, and the organization’s liability for inappropriate behavior of its third parties. A cleaning company with access to a director's office represents a different but still significant risk relative to a supplier who provides a critical component to the production line.

When transferring operations and assets to third parties whom should be better in performance using adequate expertise and resources, businesses still assume the responsibility if any risks were to occur, combined from the likelihood of harmful events occurring and the consequence of harm, as risks remain relevant despite the fact that these operations and assets are out of the organization’s direct oversight which makes a higher burden for them to manage.

Third party risk management

Studies revealed that organizations tend to forget contracts once they’re signed, only 20% of organizations are actually including their third parties in their assessment scope.

Managing third parties is often challenging, complex and hard thus poorly addressed in most organizations, some related challenges are listed below

• Responsibility for risk - it’s frequently unclean within organizations who is, and how they’re managing the individual or the overall third party relationships;
• Reactive handling of risk - unless a critical issues surface and associated risks arise, organizations tend to ignore addressing third party risks;
• Ignorance of risk factors - organization tend to prioritize third parties based on quality, cost and delivery time, assessing and managing related potential impacts and risks are often forgotten or ignored;
• Integrity risk - if’s often hard to assure the transparency and honesty of third parties, any provided data are questionable in term of accuracy and completeness;
• Contractual terms - contract terms are often underestimated, important factors such as right to audit, pricing changes due to taxes or discounts, timing, consequences of short and long term contracts are often ignored. Organizations lean toward standard and outdated outsourcing contract templates which do not cover recent business landscape changes and emerging technologies.

In assessing third parties, risk practitioners should consider wide range of potential risks, these risks can be grouped into the following categories

• Financial risks - such as changes in currency rate, loss of product value, losses in market share;
• Information risks - such as data breaches, data disclosure, data unavailability, data loss, data destruction, unauthorized access;
• Integrity risks - such as fraud, conflicts of interest, damage of reputation;
• Compliance risks – such as non-compliance to regulations, operating without licenses;
• Operational risks - such as systems failures, supply chain disruptions, employees’ skills, employee’s turnover;
• Strategic risks - such as poor business decisions, inadequate resource allocation, industry recession;
• Technology risks - such as changing business landscape; outdated hardware, software malfunction, malware infection, denial of service, email phishing, human errors.

To overcome such threats and risks, risk practitioner should make sure to cover aspects such as

• Outsourcing process - inventory, prioritization and selection of third parties, oversight activities, performance measurement, communication channels;
• Business management - leadership, liability, trust, transparency, processes efficiency;
• Information security - complying to security requirements, implementation of security controls, planning business continuity and disaster recovery, protection of intellectual property, adherence to a non-disclosure agreement (NDA);
• Risk inventory - knowledge of exposed threats, inherent vulnerabilities, potential adverse impacts, and supposed risk scenarios
• Contractual agreement - conforming to service-level agreement (SLA), enforcement of contract terms, constant contracts revision;
• Regulatory compliance - conformance to relevant regulations, adoption of best practices; 
• Assessment and auditing - right to audit, periodic risk assessments, internal auditing;
• Ongoing monitoring - internal controls monitoring, independent and on-site reviews, reporting non-compliance.

Conclusion

In today’s world, doing business means relying on some third parties which exposes the business to significant risks. Hence, businesses should have a clear understanding of the inherent risks in their relationship with third parties. As risks continue to rise due to emerging technologies and market trends; organizations should not only establish comprehensive contractual agreements with third parties which is a step in the right direction but improve and strengthen their relationship and emphasize proactive third party risk management and make it one of main organization's goals and objectives.