March 8, 2023
How to manage third-party risk across your entire business
Businesses today rely on third-party partnerships to get the materials, products, and services they need to be successful. However, any time you work with third parties – be they suppliers, vendors, or service providers – their actions directly impact you. This means you need to be proactive about managing third-party risk in all its many forms. Far too many businesses are still managing third-party risk using a siloed approach, with multiple departments using their own processes to manage external relationships.
This is problematic because third-party risk impacts the entire organization across risk domains. Different teams may have different priorities, but a problem with one part of the business – such as a third-party data breach, service outage, supply chain breakdown, or compliance violation – will inevitably reverberate throughout the company, causing severe reputational damage and financial losses. This isn’t just a hypothetical concern, either. According to a survey performed by KPMG, 73% of organizations have experienced at least one significant disruption caused by a third party within the last three years.
To get the most value from third-party relationships while also protecting against the vulnerabilities they can create, businesses need a holistic, end-to-end third-party management (TPM) strategy. This strategy must cut across departmental silos to account for all four of the key pillars of organizational trust:
- Ethics and compliance
- Environmental, social, and governance (ESG)
One issue many companies face when trying to manage third parties effectively is that each team is primarily concerned with only one of the four pillars of trust. For instance, cybersecurity teams want to know whether third parties have measures in place to protect against distributed denial-of-service (DDoS) attacks, ransomware, and other varieties of cyberattacks. On the other hand, ethics teams care more about ensuring that third parties are using fair labor practices and aren’t involved in any corruption.
This piecemeal approach is not ideal for several reasons. First, it leads to different stakeholders sending out different third-party questionnaires that focus only on their own trust priorities. This increases the burden on third parties, as they’ll have to fill out multiple assessments, some of which may ask duplicate questions. The different teams typically won’t share the results of their questionnaires with one another, meaning there will be no single, holistic view of third-party risk across the entire organization. If a CEO or board member wants to know if a particular third party is trustworthy, they’d have to track down information from across the different business units. Not only is this a waste of their time, it also creates the potential for blind spots—that is, they’ll have no way of knowing if they have the full picture they need to make informed decisions.
Furthermore, sending multiple assessments to each third party will slow down the onboarding process, delaying time to value.
Effective third-party management requires coordination across the business
Many businesses are starting to realize the value of a unified TPM program. To implement such a strategy, they’ll need to assign an overall head of third-party management who, depending on the organization, may come from the third-party risk team, infosec, privacy, procurement, or another area of the business. This leader will be responsible for incorporating all the different trust pillars into a single program. Since unified third-party management is still a relatively new approach, there is no standard for where it sits within the org chart. In larger companies, the responsibility may fall to someone in a vice president or senior director role, while smaller businesses may run TPRM out of the CISO’s office.
In either case, the head of third-party management may need to sell senior executives on the importance of implementing the right processes and tools to enable a unified strategy. Their end goal should be to create a comprehensive third-party lifecycle that loops in the right people at the right time. Once again, every business has a different approach to TPM, so the workflow won’t always look the same from company to company. However, it will generally include the following steps:
- Initial due diligence
- Third-party risk assessment
- Ongoing monitoring
Due diligence helps determine initial red flags
For obvious reasons, you wouldn’t want to work with a third party without first performing thorough due diligence. However, not all business leaders realize that third-party management entails much more than just initial due diligence. In fact, due diligence is only the first step that informs exactly how you should execute the subsequent steps in the workflow.
To perform due diligence, organizations will typically check third parties against compliance data sets to determine if there are any known or potential issues related to the four trust pillars mentioned earlier. These issues could include things like involvement in money laundering or a poor track record on ESG issues. These are all things you’d want to know about before the third-party relationship progresses any further.
The results of the due diligence process can help determine an initial risk score for each potential third party. In some cases, this process can be automated to remove certain third parties from consideration when the red flags are especially numerous. In other cases, a slightly elevated risk score might signal that a particular third party requires a more thorough assessment.
Third-party risk assessments help fill gaps
The goal of third-party questionnaires is to expand on your initial due diligence process, and make sure you fully understand any potential risks before you choose to move forward with a particular third party. As previously mentioned, there are various reasons organizations need to create a single questionnaire for each third party they work with, rather than allowing different teams to create their own questionnaires. It’s equally important that the organization create a custom-tailored questionnaire for each third party, as a one-size-fits-all approach typically won’t deliver the kind of useful insights the business needs.
The questionnaire should be tailored based on the results of earlier due diligence or based on the type of third party being assessed. Potential red flags identified during due diligence can help determine how detailed the assessment should be and what kinds of questions should be included. In addition, business continuity should be a factor in designing the questionnaire. A mission-critical supplier would require a more thorough assessment because the business has more to lose if that supplier were to fail them.
Continuous monitoring ensures effective third-party relationships over time
Third-party relationships will continue to evolve after the initial onboarding phase, so it stands to reason that TPM requires ongoing monitoring. In some cases, risks may change for reasons the third party has no control over. For instance, in the case of third-party risk management for data privacy, the regulatory landscape is constantly developing and changing in jurisdictions around the world. This means that data sharing practices that were once acceptable may now put an organization at risk of a significant non-compliance penalty.
When such developments do occur, the TPM team needs to reach out to the third party in question with a reassessment to make sure they’re prepared to make the necessary changes. As with the original assessment, the monitoring process should be tailored specifically for each third party. How often you send reassessments and the level of detail in those reassessments should be determined by how critical the third party is to your ongoing business operations. Additionally, solutions such as the OneTrust Third-Party Risk Exchange enable monitoring across risk domains. Organizations can use data in the Exchange to automate the monitoring process, triggering reassessments based on predefined conditions.
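The lifecycle described in the three sections above (due-diligence red flags feeding an initial risk score, a tailored assessment whose depth follows that score and the third party's criticality, and reassessments triggered either on a cadence or by predefined monitoring conditions) is small enough to sketch as code. The following is an added illustration, not code from OneTrust or from the Third-Party Risk Exchange: the pillar names `security` and `privacy`, the weights, the thresholds, the cadences and the sample third parties are all constructed assumptions.

```python
"""Added example: minimal third-party triage and reassessment scheduler.

Models the workflow in the article: red flags per trust pillar -> weighted
initial risk score -> auto-reject / enhanced / standard assessment, with a
questionnaire tailored to the findings, a reassessment cadence set by how
critical the third party is, and early reassessment on monitoring events.
All weights, thresholds and cadences below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Trust pillars. "ethics" and "esg" come from the article's list; "security"
# and "privacy" are assumed here from the teams the article mentions.
PILLAR_WEIGHTS = {"ethics": 3, "esg": 1, "security": 3, "privacy": 2}

# Constructed thresholds on the weighted red-flag score.
REJECT_THRESHOLD = 12     # red flags "especially numerous": drop from consideration
ENHANCED_THRESHOLD = 4    # "slightly elevated": requires a more thorough assessment

# Reassessment cadence in days, by business criticality (assumed values).
CADENCE_DAYS = {"mission_critical": 90, "important": 180, "low": 365}


@dataclass
class ThirdParty:
    name: str
    criticality: str                                  # key of CADENCE_DAYS
    red_flags: dict = field(default_factory=dict)     # pillar -> finding count
    jurisdictions: set = field(default_factory=set)   # where the third party operates
    last_assessed: Optional[date] = None


def due_diligence_score(tp: ThirdParty) -> int:
    """Weighted sum of red flags across all pillars; unknown pillars are ignored."""
    return sum(PILLAR_WEIGHTS.get(p, 0) * n for p, n in tp.red_flags.items())


def triage(tp: ThirdParty) -> dict:
    """Turn the initial score into a decision plus a tailored questionnaire scope."""
    score = due_diligence_score(tp)
    if score >= REJECT_THRESHOLD:
        decision = "reject"
    elif score >= ENHANCED_THRESHOLD or tp.criticality == "mission_critical":
        decision = "enhanced_assessment"
    else:
        decision = "standard_assessment"
    # One questionnaire per third party: sections only for pillars with findings,
    # or every pillar when the business has more to lose (enhanced assessment).
    sections = sorted(p for p, n in tp.red_flags.items() if n > 0)
    if decision == "enhanced_assessment":
        sections = sorted(PILLAR_WEIGHTS)
    return {"score": score, "decision": decision,
            "questionnaire_sections": sections,
            "cadence_days": CADENCE_DAYS[tp.criticality]}


@dataclass
class MonitoringEvent:
    kind: str                          # "regulatory_change" or "breach_notification"
    pillar: str
    jurisdiction: Optional[str] = None


def reassessment_trigger(tp: ThirdParty, events: list, today: date) -> Optional[str]:
    """Return why a reassessment is due now, or None if nothing is due."""
    # 1. Predefined monitoring conditions (event-driven reassessment).
    for ev in events:
        if ev.kind == "breach_notification":
            return f"event:{ev.kind}"
        if ev.kind == "regulatory_change" and ev.jurisdiction in tp.jurisdictions:
            return f"event:{ev.kind}:{ev.jurisdiction}"
    # 2. Cadence elapsed, or never assessed (time-driven reassessment).
    cadence = timedelta(days=CADENCE_DAYS[tp.criticality])
    if tp.last_assessed is None or today - tp.last_assessed >= cadence:
        return "cadence"
    return None


if __name__ == "__main__":
    # Constructed sample third party: a data processor operating in the EU.
    vendor = ThirdParty("Example Data Processor", "important",
                        {"privacy": 1, "esg": 1}, {"EU"}, date(2023, 1, 1))
    print(triage(vendor))
    print(reassessment_trigger(
        vendor, [MonitoringEvent("regulatory_change", "privacy", "EU")],
        date(2023, 3, 8)))
```

The two functions are deliberately separate: `triage` runs once per candidate at onboarding, while `reassessment_trigger` runs on every monitoring event and on a schedule, so the cadence and the predefined conditions can be tuned independently per criticality tier.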
How OneTrust can help
With the right third-party management solution in place, your business can optimize the value of its third-party relationships while also mitigating your risk exposure. OneTrust Third-Party Risk Management can give you the insights and processes you need to streamline onboarding, automate assessments and monitoring, and ensure visibility across your complete third-party inventory.
To see for yourself how OneTrust Third-Party Risk Management can help cut across business silos and create a unified, holistic TPM strategy, request a one-on-one demo today.