Thinking about your own business risks is already tiring, and worrying about whether the third-party businesses you rely on are properly managing their risks is often worse. But as part of your business operations and third-party risk management program, you need to know exactly what risks you and your third parties are exposed to and how you can mitigate them.
In fact, Ponemon Institute says that 51% of all data breaches happen through third-party vendors. If this has made you do a double take, stick around to learn how third-party risks can affect your business and what you can do to minimize the potential impact.
What Are Third-Party Risks?
You take on potential risks when you’re outsourcing work or building third-party relationships with suppliers, service providers, customers, manufacturers, staffing agencies, third-party vendors, or stakeholders. Third-party risks are inherent risks that come with doing business with any other organization.
For example, these could include data and cybersecurity risks when you use third-party software or financial risk when you use one service provider that could go bust rather than diversifying your business relationships. In addition, operational risk could occur when you work with manufacturers that haven’t updated their systems or gained new machinery certifications.
3 Types of Third-Party Risks
We’ve already covered a few third-party risks like financial, operational, and cyber risks, but the truth is, there are so many risks you could face. New risks will likely arise throughout your third-party relationships as industries develop and rules change.
Ultimately, though, risk is dependent on how you operate as a business and which third parties you choose to work with. Below, we’ll explore some essential risks to be mindful of.
Compliance Risk
Working with a third party that doesn’t consider important regulatory requirements could be a considerable compliance risk for you. The more global your supply chain becomes, the more significant your compliance risks. You’ll need to keep track of ever-changing international regulations and whether your third-party companies are complying.
For example, the Safeguards Rule, which sets the standard for safeguarding customer information, is due to be updated in June 2023. Companies that don’t implement correct risk assessment processes and information security programs as part of the new stricter regulations may face penalties. If you use third parties like banks or account services that will need to update their systems to comply with the new rules, this may affect your company if they don’t, as their business may be subject to fines or reputational damage.
Coinbase, a major cryptocurrency exchange, had to pay $100 million after the Department of Financial Services (DFS) found that it hadn’t been compliant with Anti-Money Laundering (AML) regulations or the Bank Secrecy Act. It conducted inadequate and simplistic customer due diligence checks, didn’t report suspicious activities, and had a backlog of high-risk enhanced due diligence checks and 100,000 unreviewed transaction monitoring alerts.
As such, they were asked to pay $50 million towards improving their compliance program. This is one of many examples demonstrating how serious things can get if you don’t keep up to date with regulations.
Another compliance risk is failing to complete OFAC sanctions checks. Companies that skip the checks they are required to perform on ultimate beneficial owners holding 25% or more of a company during risk assessments not only face regulatory consequences but also open the door to serious financial crime risks.
For example, Coinbase failed to complete sanctions checks as part of their due diligence process, which according to the DFS, left them vulnerable to crimes such as fraud, money laundering, potential narcotics trafficking, and suspected child sexual abuse-related activity.
It doesn’t look good for your business if you have relationships with third parties that don’t comply. It’s not only a reputational risk but also an operational risk, as it can affect your ability to rely on them.
Suppose, for example, that a third party is suspended from doing business because of serious breaches, so you can no longer work with them. Or they go into liquidation because of massive fines. In situations like this, you could be tarred with the same brush if you continue working with them, which can make your other third-party relationships second-guess your ethical and legal priorities.
Security Gaps and Supply Chain Risk
Security gaps could increase the chances of cybersecurity risk and data breaches. For example, perhaps a third party has low-security defenses or has not updated its software to combat new hacking methods.
The SolarWinds cyber attack not only seriously affected SolarWinds itself; the attackers also gained access to data from the company’s networks, systems, and customers, impacting the supply chain of over 30,000 organizations. It was carried out by injecting malicious code into its Orion IT monitoring and management software. Attackers can achieve this by impersonating users and accounts and getting into one supply chain system to reach other networks, and it’s a classic example of a supply chain attack.
System vulnerabilities will be targeted when companies fail to put controls in place: continuously looking for network intrusions, using hardware security features, and updating software to control cyber risks. Therefore, you have to consider your own security safeguards and whether your third-party businesses are living up to the same standards, so that you’re not put at risk too.
For example, let’s say you use a social media marketing agency to do your business marketing, and they specialize in using TikTok to do so. TikTok has been investigated in numerous countries around the world for privacy failures, notably failing to protect children’s privacy on the platform. It may be risky for you to continue using TikTok as a marketing tool after learning about these breaches, as your customers’ personal data may be at risk when they engage with your brand on the app.
One of the concerns about TikTok is that data is being passed on to China, and no one can verify where the information ends up. You may also be increasing your reputational risk by allowing your customer data to be used in unknown ways, as it may suggest you don’t see the harm in this.
ESG Risk
More and more stakeholders are looking at corporate ESG performance nowadays. ESG risks can be broken down into further risk factors, including environmental risks such as using excessive greenhouse gases, social risks like safety conditions and human rights violations, and governance risks such as AML and compliance.
Many of today’s customers want to know that companies have good social and environmental practices before choosing them. And investors want to ensure that there are no financial risks in investing in companies with ESG concerns that can massively impact business continuity and performance.
Take pharmaceutical company Valeant, for instance, which in 2015 lost 90% of its market value after it had risen by about 4000%. So what went wrong? It came down to shady accounting and a strategy of buying companies with drug products already on the market, then cutting their costs and raising prices.
That meant doing loads of back-to-back transactions, dramatically cutting costs, and firing half the workforce of the companies they acquired in the process. They also did some suspicious accounting that made it difficult for investors to determine whether they were doing well.
6 Tips for Managing Third-Party Risks
Managing third-party risks is the best way to mitigate any potential problems before they hurt your business. Here are some tips for managing risk in your supply chain.
1. Ask Third-Party Risk Questions
Give your vendors, suppliers, or service providers questionnaires about their processes, systems, and policies to ensure they’re up-to-date, compliant, and robust. For example, you could ask questions like:
- How do you keep up to date with compliance regulation changes?
- How regularly do you test your security systems?
- Which regulations and standards must you comply with?
- How do you keep your staff updated on policy changes?
- Do you have a disaster recovery strategy?
- Do you have agreements/contracts in place with your supply chain to ensure compliance with data security requirements across the chain?
- How do you conduct customer due diligence?
2. Create Vendor Scorecards
Constantly evaluate the performance of your third-party vendors by creating scorecards to assess ongoing risk. Scorecards allow you to weigh different risk factors, gather information, and identify any new risks that may occur during your business relationship.
3. Don’t Forget Continuous Monitoring
Doing risk assessments as you start new business relationships and partnerships is essential, but it is easy to get caught out by failing to do ongoing monitoring. New risks always arise. Forbes found that 60% of organizations have discovered new security gaps due to an increase in staff members working from home.
Regularly updating your risk assessments is a legal requirement for enhanced due diligence for many companies. In addition, it allows you to find out about potential risks before they make a detrimental impact.
4. Diversify Your Third-Party Relationships
Having all your third-party companies in one sector, jurisdiction, or location, or under the same management ownership, is risky. Diversify your third-party relationships so that you limit your exposure if something goes wrong that’s out of your hands, like all the staff going on strike, for instance.
5. Spread Out Your Geographic Concentration
Similarly, ensure all your suppliers aren’t in one geographic location so that your whole business isn’t affected if a natural disaster or local Covid lockdown happens.
6. Track Risks in Real-Time
Use a platform like Certa to automate tracking things like ESG data and external risks like civil unrest to become aware of third-party risk factors. You can be alerted of any relevant information that may alter risk scorings, and they can be automatically updated.
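As an added example (not part of the original article and not Certa’s code), the scorecard, continuous-monitoring and concentration checks from Tips 2 to 5 can be expressed in a few lines of Python. The factor weights and the vendor assessments are constructed for illustration, built from the Tip 1 questionnaire items, and are not an industry-standard scheme.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed weights for the Tip 1 questionnaire items (assumption: illustrative,
# not an industry-standard weighting). Answers are scored 0 (absent) to 2 (strong).
FACTOR_WEIGHTS = {
    "compliance_tracking": 3,
    "security_testing": 3,
    "disaster_recovery": 2,
    "supply_chain_contracts": 2,
    "customer_due_diligence": 3,
}
MAX_RISK = sum(2 * w for w in FACTOR_WEIGHTS.values())  # worst case: every answer 0

@dataclass
class Assessment:
    vendor: str
    date: str          # ISO date so plain string comparison orders assessments
    sector: str
    jurisdiction: str
    answers: dict      # factor -> 0..2

def risk_score(a: Assessment) -> float:
    """Weighted scorecard value 0..100; higher means more third-party risk (Tip 2)."""
    risk = sum((2 - a.answers.get(f, 0)) * w for f, w in FACTOR_WEIGHTS.items())
    return round(100 * risk / MAX_RISK, 1)

def new_risks(prev: Assessment, curr: Assessment) -> list:
    """Continuous monitoring (Tip 3): factors that deteriorated since the last assessment."""
    return [f for f in FACTOR_WEIGHTS if curr.answers.get(f, 0) < prev.answers.get(f, 0)]

def concentration(assessments: list, attr: str, threshold: float = 0.5) -> list:
    """Sectors or jurisdictions shared by more than `threshold` of vendors (Tips 4 and 5)."""
    latest = {}
    for a in assessments:  # keep only each vendor's most recent assessment
        if a.vendor not in latest or a.date > latest[a.vendor].date:
            latest[a.vendor] = a
    counts = Counter(getattr(a, attr) for a in latest.values())
    return [v for v, c in counts.items() if c / len(latest) > threshold]

# Constructed sample assessments for hypothetical vendors.
STRONG = {f: 2 for f in FACTOR_WEIGHTS}
SAMPLE = [
    Assessment("AcmeLogistics", "2023-01-10", "logistics", "US", dict(STRONG)),
    Assessment("AcmeLogistics", "2023-06-10", "logistics", "US",
               {**STRONG, "security_testing": 1, "disaster_recovery": 0}),
    Assessment("BrightAds", "2023-03-01", "marketing", "US", dict(STRONG)),
    Assessment("NordBank", "2023-02-15", "banking", "DE", dict(STRONG)),
]
```

Re-running `risk_score` and `new_risks` on each fresh questionnaire turns the scorecard into a monitoring signal: a rising score or a non-empty `new_risks` list is the trigger for a review, and `concentration` flags when too many vendors share one jurisdiction or sector.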