I’ve worked in Third Party Risk for over twenty years. Over the years I learned first-hand how the types of third party risk intersect with business risk, depending on the business model and the type of product or service that is outsourced. My experience as a technology service provider to regulated financial institutions and telecommunications providers always put our services into the “High Risk” category, simply by the nature of the data collected and processed. No matter the message I gave the C-Suite, our services would always land in a higher risk tier, so we had to accept and embrace our vendor classification and build the TPRM program to address trust for our clients.
Memories of these real-life experiences in third party risk came to mind as I helped develop the TPRM Fundamentals course for those new to third party risk. Cybersecurity and data breach risk capture the headlines and the attention of the C-Suite because those risks can be quantified, measured, and easily expressed as a financial metric: the cost of the breach.
Here are my Top 10 lessons learned from my TPRM journey.
Definition: Third party may not meet obligations due to inadequate systems or processes.
Missed SLAs, or failure to deliver services on time and on budget, is the most common risk in vendor management. KPIs and SLAs are operational metrics that can be measured easily, but key risk indicators (KRIs) tell a fuller story. Managing risk in a TPRM program requires collecting data not only about controls, but about results. Trends in that data can spotlight leading or lagging indicators of a vendor’s performance. I learned to tailor the metrics not just by slotting the vendor into the right classification or tier, but by identifying which metrics would have the greatest impact on my company’s operations. Metrics that matter.
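As an added illustration (this is example code, not part of the original post), the script below shows the difference between a lagging KRI (the contracted SLA level actually missed) and leading KRIs (a growing ticket backlog, rising escalations) that warn before the SLA fails, and how the same results rate differently once thresholds are tailored to a vendor’s tier. The tiers, thresholds, vendor names and monthly figures are all constructed for illustration, not values from any real program.

```python
"""Added example: tier-specific KRIs with a simple trend check over monthly vendor results.
All tiers, thresholds and monthly figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Month:
    label: str
    sla_met_pct: float   # lagging indicator: % of covered work delivered within the SLA
    open_backlog: int    # leading indicator: unresolved tickets at month end
    escalations: int     # leading indicator: issues escalated to account management


# Thresholds tailored by tier (constructed). A critical-tier vendor gets a higher SLA floor
# and far less tolerance for backlog growth than a standard-tier vendor.
THRESHOLDS = {
    "critical": {"sla_floor": 99.5, "backlog_growth_per_month": 5.0, "max_escalations": 2},
    "standard": {"sla_floor": 97.0, "backlog_growth_per_month": 15.0, "max_escalations": 5},
}


def slope(values: List[float]) -> float:
    """Least-squares slope per period: sign gives the direction, magnitude the rate of change."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def rate_vendor(tier: str, history: List[Month], window: int = 3) -> Dict[str, str]:
    """Return a green/amber/red status per KRI for the most recent `window` months."""
    t = THRESHOLDS[tier]
    recent = history[-window:]
    latest = history[-1]
    kris: Dict[str, str] = {}
    # Lagging KRI: the contracted level was actually missed this month.
    kris["sla_attainment"] = "red" if latest.sla_met_pct < t["sla_floor"] else "green"
    # Leading KRI: backlog growing faster than the tier tolerates, even while the SLA is still met.
    backlog_trend = slope([m.open_backlog for m in recent])
    kris["backlog_trend"] = "amber" if backlog_trend > t["backlog_growth_per_month"] else "green"
    # Leading KRI: escalations above the tier's tolerance.
    kris["escalations"] = "amber" if latest.escalations > t["max_escalations"] else "green"
    return kris


def overall_rating(tier: str, history: List[Month]) -> str:
    """Worst status wins: red beats amber beats green."""
    statuses = rate_vendor(tier, history).values()
    if "red" in statuses:
        return "red"
    if "amber" in statuses:
        return "amber"
    return "green"


# Constructed monthly results. Vendor A still meets its SLA, but its backlog is climbing.
VENDOR_A = [
    Month("Jan", 99.8, 10, 0),
    Month("Feb", 99.7, 18, 1),
    Month("Mar", 99.6, 27, 1),
    Month("Apr", 99.6, 35, 2),
]
# Vendor B has a flat backlog but has just fallen below its contracted level.
VENDOR_B = [
    Month("Feb", 98.0, 40, 1),
    Month("Mar", 97.5, 42, 1),
    Month("Apr", 96.0, 41, 1),
]

if __name__ == "__main__":
    for name, tier, history in (("Vendor A", "critical", VENDOR_A),
                                ("Vendor B", "standard", VENDOR_B)):
        print(name, tier, rate_vendor(tier, history), "->", overall_rating(tier, history))
    # The same Vendor A results rated under the looser standard tier raise no warning.
    print("Vendor A as standard tier:", rate_vendor("standard", VENDOR_A))
```

Vendor A comes out amber on the leading backlog indicator while its lagging SLA figure is still green, which is exactly the early warning a trend check buys you; the same numbers rated against standard-tier thresholds show nothing, which is why the thresholds belong to the product or service tier rather than to a single organization-wide number.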
Definition: Third party may not adhere to expected or contracted level of service.
Up-time, down-time, call time. Reliability is all about expected results for contracted levels of service. A challenge in managing reliability risk in TPRM is that a client’s requirements may demand more stringent controls than the vendor’s own business operations require. In TPRM, it is important to set metrics for reliability at the specific product or service level, and not just demand across-the-board organizational adherence to a single number. Set realistic expectations for vendors.
Definition: Risk of damage to reputation or loss of clients due to poor customer service, errors, delays, fraud, fines, etc.
While financial scandals triggered the creation of IT controls for financial reporting, the ethics of doing business with third parties triggered controls based on how consumers perceive corporate behavior and business practices. A lack of oversight in the supply chain can create surprises when labor standards differ by geography. Managing supply chain risk is an integral part of M&A activity, to identify risk prior to deal closure. Ethical sourcing, ESG, and human rights are all top of mind now for non-IT risks. A starting point in TPRM is to review a third party’s Corporate Governance/Compliance and Ethics policies, and how robust its processes are for handling complaints or disputes. Conducting external scans of complaints about a third party is a quick way to find potential red flags in the relationship.
Definition: Third party may not be able to retain skilled employees.
Hiring a third party to do work on your behalf puts the third party on the line for maintaining skilled employees. Competency risk is a critical component for third parties that perform IT application development. Coding errors, gaps, or a lack of product quality create not only risk but higher costs. I learned to request metrics in third party assessments to look at not only the turnover rate of staff, but also the percentage of workers new to the workforce, to gain insight into the way the company was managing its HR talent management functions. If you are paying for experienced workers but getting less skilled workers, then the financial structure of the relationship should be reviewed.
Definition: Insufficient redundancy or resiliency.
While 9/11 triggered awareness of the need for redundancy in networks and the power grid, twenty years later we still see outages and issues with our interconnected systems. The key to managing availability risk is not just having redundant third parties but also including infrastructure and concentration risk in the metrics you use to determine resilience in third party relationships.
Definition: Third party technology becomes obsolete or changes in technology triggers operational impact.
In the early days of online banking, dial-up connectivity was better than mainframes but was still dependent on the networks of different providers. The bankruptcy scandal due to fraud at a large telco made a connectivity option for community banks obsolete virtually overnight. I learned the power of taking a public negative external event to funnel fast decisions to sunset a system and migrate quickly to a more modern technology. Using external events is a safe way to paint a picture for the C-Suite and show how actions taken by them can prevent similar issues. Use negative external events to your advantage – flip the story.
Definition: Third party mismanages threats, vulnerabilities or controls causing loss of data.
Reporting on third party cybersecurity risk will always get on the Board’s agenda. What matters is how to use external cybersecurity events to shore up your own processes and leverage that attention in business case development. After conducting a data breach simulation based on a cyber-attack, I was called to the CEO’s office to prep him for sharing the results with the Board. The message that mattered most was not our controls, but that the attack was at the client, and the vendor was seen as the weak link. The message to connect: investment in cybersecurity and TPRM is not just about protecting assets; it protects the revenue stream. Ironically, a week or so later one of our largest clients reported a similar breach, driving home the need for ongoing cybersecurity testing, breach simulations, and practice events for crisis communication.
Definition: Third party may not support growth or spikes in demand without service failures.
Scalability risk can be affected by internal and external factors. Gaps in performance during spikes in demand may result from poor communication, or from events outside the control of both the outsourcer and the third party. I’ve experienced technology service providers that host systems and applications being unprepared for changes in growth due to M&A activity. Covid-19 exposed gaps in the supply chain but also spiked demand for shipping and distribution services. Scalability risk needs to be managed with short term milestones and long term expectations. The environment is changing so quickly that where annual growth metrics were once acceptable, a monthly or quarterly cadence is now required.
Definition: Third party may not be compliant with laws, regulations or contracts.
Laws change, and expectations change. I’ve seen vendors expand their services into new markets without understanding the potential regulatory implications. Ask how a third party monitors and evaluates which regulations apply to its services. I’ve experienced vendors that simply stated, “tell me what you want us to do,” and those that informed my team, “here is what we are doing about this regulatory change.” The latter approach inspired more confidence that the third party was aware of its obligations. A critical factor in managing compliance risk is not just putting obligations on paper but asking questions and understanding the regulatory change management process. Find out how compliance risk is reported to management by your critical third party relationships.
Third party risk goes beyond the bits and bytes of information security and technology. Each type of risk can be triggered by a third party, or by a lack of oversight of key third party obligations. Bottom line: the themes that resonate throughout these examples show that a TPRM program must adapt to changes in the internal and external environment. Communicating the implications of the different types of risk in third party relationships is like telling a story; remember these key points:
- Keep the message in business terms and focused on your company’s goals/objectives
- Don’t use jargon or acronyms that the C-Suite would need defined in order to understand your charts
- Communicate, Communicate, Communicate – the root cause of many TPRM issues is a failure to communicate expectations and obligations clearly.
- Prepare for the unexpected and have contingency plans in place to address different types of risk
- Review your management reporting scorecards/dashboards to ensure that you are not conveying only one message on third party risk. Third party risk is dynamic, and expectations change quickly. Don’t create more work for yourself by having to start with management education in the middle of a crisis.
In closing, below is a simple graphic defining the main types of third party risk: