Mastering Third Party Risk Management (TPRM): Best Practices for Compliance and Security

What is Third Party Risk Management?

Third-party risk management is the process of identifying, assessing, and controlling risks associated with external partners, such as vendors, suppliers, and contractors. Since organizations increasingly rely on third parties for critical business functions, these risks (e.g., financial operational, regulatory, or cyber security-related)  should be managed effectively to maintain business continuity, compliance, and reputation.

Importance

The practice of outsourcing specific tasks to external suppliers or contractors can be traced back to the early days of commerce. While there were numerous advantages, it also came with issues like diminished oversight, increased risk, and the possibility of reputational damage. The concept of third-party risk management gained formal recognition among financial institutions in 2008, encouraging a preventive approach to managing risks, creating value, and building resilience.

The importance of third-party risk management in today’s business landscape can’t be overstated. First, it increases operational efficiency through continuous monitoring, improving risk management in physical safety and IT security. Secondly, improved performance leads to cost reductions, productivity, and compliance. Finally, a robust third-party risk management policy builds stronger relationships with partners.

Third-party risk management systems integrated into the broader Governance, Risk, and Compliance (GRC) framework enable organizations to positively influence their partners to adhere to best practices, mutually benefiting them.

Common Risks Associated with Third Parties

Identifying and assessing third-party risks is a critical first step in managing potential vulnerabilities that may arise. Early detection through due diligence, risk categorization, and ongoing monitoring allows businesses to proactively mitigate risks for business continuity, financial stability, and adherence to regulations. Here are some examples to watch out for:

Common Third-Party Risks

• Cyber security risk exposes the organization to data breaches, malware attacks, or other related threats. An example is when Target suffered a data breach in 2013 through an HVAC contractor, exposing 40 million credit card holders.

• Compliance risk is the failure to act by industry regulations or laws. In 2019, British Airways had to pay nearly £20 million due to the weak security controls of their partner, violating General Data Protection Regulation (GDPR) guidelines.

• Operational risks are any disruption or failure that impacts business continuity. One notable case is when Delta Airlines faced massive flight cancellations and delays in 2016 due to their IT service provider’s system failure.

• Reputational risks are misconducts that damage the organization’s standing in the industry and society. For example, Facebook’s Trustworthiness and market value dropped when allied firm Cambridge Analytica improperly accessed data from millions of Facebook users.

• Financial risk is caused by the partner’s insolvency, fraud, or poor fiscal management. Wirecard, a third-party payment processor, committed massive fraud in 2020, costing major banks and investors millions in losses.

• Supply chain risks are disruptions that impact product delivery, manufacturing, or other critical operations. The recent pandemic, as a case in point, triggered a global semiconductor shortage that crippled automotive and electronics manufacturing.

• Strategic risk negatively impacts the organization’s long-term goals, market position, and competitiveness. In 2019, Boeing’s 737 Max crisis contributed to two fatal crashes and the grounding of the entire fleet. This was partly due to the inadequacies of an external software developer.

Step-by-Step Guide on Third Party Risk Management

Managing risks associated with external partners is challenging for any organization because of the complexity and interdependence of today’s business ecosystems. Difficulties can be addressed when the company follows a third-party risk management framework based on GRC standards.

To guide you, follow these key activities:

1. Manage contractual risks.

Establish clear contracts with third parties. All documentation should specify roles, responsibilities, and obligations. These should also be reviewed periodically to adapt to changing regulations and emerging risks. Take note of the following best practices:

• Define performance metrics, deadlines, and penalties for non-compliance with Service-Level Agreements (SLAs).

• Clearly outline conditions for contract termination in case of serious violations.

• Include provisions for compliance with relevant regulations, such as the GDPR, Health Insurance Portability & Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA), to name a few.

2. Monitor and audit continuously.

Continuous monitoring provides real-time insights into the risk posture of external partners. Potential risks and vulnerabilities can be easily dealt with as they arise when this is done religiously.

• Schedule and conduct annual or biannual audits to review adherence to contractual obligations.

• Use vendor scorecards and risk dashboards to gain a quick view of performance and risk levels.

• Leverage risk management software to track performance, flag anomalies, and report risks (e.g., security breaches, data leaks, or compliance issues) in real time.

3. Mitigate risks and plan contingencies.

Mitigation strategies help organizations prepare for, respond to, and recover from potential disruptions. Backup plans and alternative solutions enable companies to pivot quickly when the unexpected happens.

• Categorize partners by risk level (e.g., low, medium, high) and apply corresponding strategies. Contingencies, such as choosing an alternative supplier, should be developed for high-risk offenders.

• Outline crisis management protocols if the vendor fails to meet critical obligations or introduces a severe risk.

• Ensure that vendors carry adequate insurance to cover potential liabilities due to their actions.

4. Prepare third-party training and awareness programs.

Vendors, suppliers, and service providers should be given regular training and resources. It’s one of the most effective ways to uphold the company’s GRC best practices.

• Require partners to undergo compliance and risk management training, especially those involved in high-risk activities.

• Educate everyone on cyber security best practices, data privacy, and phishing prevention.

• Update third parties on changing laws, regulations, and company policies.

5. Conduct relationship termination and offboarding.

Third-party risks don’t automatically dissipate after a contract is terminated. A crucial aspect of TPRM, formal termination and offboarding is a must-do. By going through this process, organizations can better manage the complexities associated with their partners even after the relationship ends.

• Retrieve data shared with the vendor or supplier and properly secure or dispose of them.

• Revoke the partner’s access to company systems, platforms, or databases.

• Conduct a thorough review of the third party’s final performance and unresolved issues before the final termination, and then analyze the process for gaps or issues for future improvements.