On a normal day when life is going well, no one wants to think about disasters. Committing time and budget to crisis preparedness can be a hard sell for businesses facing priorities that feel more immediate. Yet investing in preparation in advance is how you keep a crisis from turning into an absolute catastrophe when one does occur. And most businesses can count on facing a crisis at some point—it’s less a matter of if than when.
The United States Environmental Protection Agency has dubbed September National Preparedness Month. A lot of their guidance relates to household dangers and natural disasters, but for businesses, this month marks a good opportunity to consider one of the trickiest risks modern businesses face: third party risk.
When thinking about crisis preparedness, most companies will start with straightforward risks they have direct control over—those that relate to your own workforce, offices, and business operations. But for enterprise businesses, the relationships you have with vendors and business clients may be the true weak link in your risk management planning.
If the companies you work with aren’t bringing the same level of caution and security to their procedures that you are, their risk could become yours. In fact, in one Deloitte survey, 84% of companies said they’d had a third party incident within the last three years. Facing a crisis because of third party vulnerabilities isn’t a rare occurrence. It’s one you should expect and take steps to prepare for.
If a business you work with is impacted by a crisis they didn’t plan for, it could have dire consequences for your business as well. For Crisis Preparedness month, consider these five forms of third party risk and what you can do now to prepare for them.
Data breaches are terrifying both for the business whose data gets leaked, and for the consumers whose information is included in the breach. If your customer data gets stolen because of a vendor error, customers won’t be interested in finger pointing—they’ll hold you responsible for not keeping the information they trusted you with secure.
Research from the Ponemon Institute found that on average, businesses share their data with 583 third party vendors—and many enterprise businesses share it with many more than that. The more third-parties that have access to your data, the more risk. According to IBM research, 14% of data breaches are caused by vulnerabilities in third party software, costing businesses an average of $4.33 million.
Data breaches aren’t the only cybersecurity risk to be on guard for. Cyber attacks are a very real concern. A vendor’s website or business systems can be taken down for hours or days by DDoS (distributed denial of service), brute force attacks, or ransomware threats—causing significant disruption to their business operations. If you depend on that company’s product or services to do your business, a cyber attack that disrupts their business will impact yours as well.
No one can control the weather, and natural disasters are becoming more common with each year. If a vendor’s offices or equipment are threatened by wildfires, hurricanes, or flooding, they won’t be able to deliver on the services you expect. When their employees can’t do their jobs because of destruction in the cities they live in, that causes disruptions to both businesses as well.
While the impacts of weather disasters on a business aren’t as tragic as those to people’s homes and lives, they’re still something companies must account for in their crisis preparations. If your business lacks a plan for handling the inevitable disruptions of mother nature, you’ll have a harder time adapting when they arise.
Your business has the responsibility of knowing all the laws relevant to your industry and business practices and making sure you follow them to the tee. And some of those laws extend to your third party relationships as well. If a vendor is lax about compliance with an industry regulation, the consequences could blow back on you.
Failures in regulatory compliance can open your business up to fines and lawsuits, not to mention reputation damage. You don’t want to find yourself on the wrong side of the law because of the actions (or inaction) of a vendor.
Supply chains can be easily disrupted by material shortages, transportation issues, or labor issues—something the entire world learned the hard way with COVID-19. No business started 2020 expecting the ways the supply chain would be rocked by a global pandemic, but all had to adapt to it. Being prepared for the possibility of complications throughout your supply chain can help you weather the problems that come up more effectively.
The first step of preparing for third party risks is identifying the potential issues you’re most likely to face, so you know what you’re up against. Follow that up with a mix of risk reduction and crisis preparedness planning.
To start, vet your vendors. Put a system in place to determine whether their level of security meets your requirements before any contracts are signed. And continue to monitor any risks and vulnerabilities they present over time. A lot of risk can be reduced by practicing caution in advance, and holding the businesses you work with to the same standards.
In addition, create a plan for how to handle each type of crisis if it occurs. Planning for crisis management means you have clear steps to follow in a worst-case scenario. You won’t be stuck scrambling with no guidelines. A proactive strategy won’t make a crisis a non-issue, but it will ensure you do a better job of putting out the (hopefully metaphorical) fires and reducing the harm done.