Third Party Risk in 2016: Does Your Risk Management Program Measure Up to Today’s Threats?
Speed. For today’s consumer, it isn’t a benefit or feature, it is an expectation. Thanks to rapid innovation across an expanding landscape of service providers, manufacturers, and supply-chain partners, companies today are better positioned to meet this expectation than ever before. Convenience is now a commodity.
However, the convenience of calling upon a global network of vendor support comes with considerable risk. The consequences of inadequate due diligence cannot be overestimated. With a strong third party risk management program, your organization’s network of third party service providers can be part of a successful path to industry leadership. Without a good program to identify and remediate risks, you may someday find yourself scrambling to pick up the pieces of everything you built while your hard-earned customers jump ship.
Recent years have seen a number of large scale data breaches attracting massive amounts of attention. Individual breaches are now seen by the public as part of a trend. This has resulted in tighter regulation, greater consumer skepticism, and a stronger-than-ever need for organizations to identify third party risk management as a primary focus area.
The Stakes Are Higher Than Ever
Companies that do not rely on third party vendors for at least part of their operation today are few and far between. The practice is commonplace globally across nearly all industries. Though the trend reached maturation some time ago, third party vendor services remain in high demand. This continues to drive innovation across markets. Explosive growth is possible today in ways we couldn’t have imagined even 20 years ago.
Of course, with growth comes vulnerability. Every day customers are trusting companies with more sensitive information, companies are utilizing new capabilities for storing information, and bad actors are developing new ways to target systems.
A breach of data security for your organization means a breach of trust for your customers. A security breach resulting in the exposure of sensitive customer information is a red flag for everyone watching, including current and potential customers. A vendor may be at fault, but your customers will ultimately hold the principal organization accountable. Customers simply will not care which one of your vendors caused you to fall short of their expectations. This means an immediate negative impact on your bottom line.
Beyond the financial risk, a breach in data security can mean litigation, loss of market value, a decrease in share price, and any number of regulatory penalties. Perhaps the most damaging effect, and certainly the hardest to remediate, is the hit to your organization’s reputation and perceived trustworthiness. Building customer confidence is a long term process in which one negative experience can spoil years of hard work.
Be Deliberate in Protecting Your Business
Your organization is only as safe as the least protected component of your third party vendor network. It is up to you to ensure adequate protection against risks like the loss of sensitive data or changing regulations.
Many companies do not have a formal third party risk management program. Some have a program that was sufficient when put in place, but is no longer relevant to today’s risks. If your risk management processes do not grow and adapt with evolving threats and regulations, you are vulnerable. This is an area where assumptions are simply not enough.
Developing and implementing a third party risk management program is essential, but not easy. It is a deliberate process with many considerations. Organizations grapple with decisions at every point in the risk management process, from identifying what risks call for increased oversight to efficiently addressing issues when they are discovered.
Know Your Needs and Modernize How They Are Addressed
The key to effective risk management in 2016 is proactivity. Asking difficult questions now can save you from answering accusatory questions later. An honest self-assessment is imperative. Questions you might consider include:
- Are your vendors equipped to protect your sensitive information against today’s risks?
- How sophisticated is your cloud and social media security?
- Are your vendors capable of adapting to regulatory compliance changes?
- Are proper redundancies in place to ensure your information is protected against acts of nature?
- Who owns the process internally?
- Do you have a set methodology for addressing incidents?
- Do you maintain an accurate and complete interactive inventory of your vendors?
- Can you identify warning signs with vendors?
- Do you have a well-communicated reporting process?
Considerations change from company to company and from industry to industry. Financial institutions have a set of concerns far different from food service companies. Universities have a set of concerns far different from construction companies. And certainly the size of an organization will shape the necessary functions of a risk management program as well. A five-person start-up will require a much different program than a 5,000-person corporation in order to be adequately protected.
That said, modern risk management programs all have a number of things in common. While organizations can take many shapes and sizes, the principles of responsible risk management are one-size-fits-all:
Not all risks are created equal. What risks are organizations in your industry most susceptible to? Prioritize your focus. Know which vendors carry a greater risk and require a more active risk management strategy. Not all vendors require on-site review. A vendor with no history of security concerns and with little access to sensitive information does not call for the same level of scrutiny as a vendor managing large amounts of transactions through a web of multinational compliance procedures.
If you fail to plan, plan to fail. Maintain standards and policies for compliance across your organization. Depending on the complexity of your vendor network and the nature of your organization, you might consider hiring a firm that specializes in due diligence services. Even if this is the correct route for your company, it is still crucial — perhaps even more so — to identify an internal point person to own the process and to maintain the principles of risk management within your culture.
Keep it evolving. Your program should be subject to regular review, ongoing evaluation, and frequent adjustment. Your ability to respond to changing regulations and adjust accordingly is crucial. Keep a close partnership with regulators. Know what changes to anticipate. Additionally, the tools at your disposal for risk management continue to strengthen in cost-efficient ways. Organizations are relying less on passive, time-consuming and costly manual assessment of vendors, and more on analytic-focused, automated actions. At its core, a thoughtful third party risk management program protects your most valuable asset — the trust of your customers — in a manner that saves both time and money.
Stay focused. It’s common sense: Companies that identify third party risk management as a primary focus area are in the best position to succeed. Whether your company is building a program for risk management for the first time, refreshing a program built previously, or conducting a scheduled review of your processes, it is important to establish and effectively communicate the purpose of the program. Maintaining an effective risk management program cannot be a passive task. It must become part of your company’s culture.