LUTZ BUSINESS INSIGHTS
third-party risks and how to manage them
ROBERT KEENAN, CHIEF INFORMATION & RISK OFFICER
Since the onset of COVID, an emerging trend in many businesses has been outsourcing to third parties specializing in specific areas that the company needs. Businesses outsource payroll administration, IT support, web development, production, compliance and risk assessment consulting, and human resource responsibilities. The functions are virtually endless.
Outsourcing has been significant in helping organizations tap into specialized, high-quality talent without adding and training new staff. This has also allowed organizations to save on the cost of hiring full-time members. However, working through third parties can also pose risks to your business. This blog will help you understand what to look for to help minimize third-party risks.
What is Third-Party Risk?
Third-party risk is the potential negative impact an organization could face when contracting work from outside vendors. When using a third-party, they ultimately become a reflection of your organization. Therefore, it’s important they need to be aligned with your company’s values and practices.
There are several types of potential threats resulting from third-party relationships, and the first step is to understand all the risks you could face when choosing an outside associate. The following are the common types of third-party risks.
Strategic risk occurs if the third-party has made adverse business decisions in the past or fails to implement the measures required to meet its goals and yours.
The third-party might have a negative reputation due to an incident, scandal, or breach. This perception could impact your organization.
This risk occurs when the third-party fails to perform as anticipated, especially with product or service delivery. This may be caused by human error, technological failure, limited capacity, or fraud.
Compliance risk occurs when the third-party associate does not comply with the governing rules, regulations, and laws related to your industry or company.
In some cases, a third-party vendor may have failed or inadequate systems, people, processes, or other external factors. The inadequacies and complexities within the third-party will be a risk to your organization.
Financial risk implies that the third-party does not have enough cash flow to meet its contractual agreements and financial obligations.
Additionally, cybersecurity incidents and data breaches have also increased, many of which have resulted from third-party affiliations.
Importance of Reducing Third-Party Risks
Third-party risk is not new, but recent events and the reliance on outsourcing by companies have made third-party risk management an important aspect. If proper screening action of potential Third Parties is not taken, organizations risk losing money and customers.
As mentioned earlier, most organizations depend on some third parties in their operations. Though necessary in running a modern business, relying solely on third parties can leave your company completely vulnerable. Third-party risk management should be a continuous real-time process throughout the entire relationship. Businesses should take comprehensive steps during due diligence to ensure that third parties are able to perform the company’s necessary outsourced tasks as well as protect their confidential information and comply with any and all regulations.
Steps of Third-Party Risk Management
There are four third-party risk management best practices that your business can implement to mitigate potential issues.
1. Determine What your Third-Party Risks Are
The first step is to conduct a risk assessment of the third-party to learn whether your proposed relationship is consistent with your overall enterprise risk management strategy. Be sure to hire a trusted advisor to complete this.
It is also important to assess your own risk tolerance level. Some companies hold a wealth of data that requires protection from numerous potential vulnerabilities of engaging a third-party. Examples of high-risk data include human resource information, payment card transactions, and personally identifiable information.
2. Understand their Risk Level and Impact in Vetting
It’s important to select your third-party associates carefully. You should consider their company’s financials, reputation, and performance to see if they align with your business.
3. Take Action to Minimize Risks
If you begin seeing a potential risk after engaging a third-party associate, you should do your best to mitigate exposure. Keep in mind that anything can happen in any organization. Be prepared for unexpected potential threats while approaching an outsourcing arrangement.
4. Monitor the Risks Going Forward
You can work with your risk assessment advisor to monitor your third-party risk management plan. As your business evolves, your plan should be updated to reflect any changes. This should be an ongoing process.
Get Help in Assessing Third-Party Risk
Outsourcing is a potential boon for your business as you get to save money and gain invaluable expertise. At the same time, this kind of arrangement can come with many potential risks. At Lutz, we can help your business identify and manage these threats before they become an issue. If you have any questions or would like to learn more about our Risk Assessment services, please contact us.
ABOUT THE AUTHOR
ROBERT KEENAN + CHIEF INFORMATION & RISK OFFICER
Robert Keenan is the Chief Information & Risk Officer at Lutz with over 20 years of compliance and operational risk experience. He focuses on risk management, compliance, and security for the firm, and will partner with the operations team to drive process improvement and operational efficiencies for Lutz.
AREAS OF FOCUS
- Risk Management & Compliance
AFFILIATIONS AND CREDENTIALS
- Association of Certified Fraud Examiners
- Society of Compliance and Ethics Professionals
- National Society of Compliance Professionals
- Certified Fraud Examiner
- Certified Compliance and Ethics Professional
- BA in Finance, University of Oklahoma, Norman, OK
- MPA, Drake University, Des Moines, IA
- Association of Certified Fraud Examiners - Heartland Chapter, Past Board Member
- 3 Common Business Fraud Risks and How to Mitigate Them
- Top 5 Policies Your Company Should Have Documented
- Does My Business Need a Physical Security Assessment?
- 20 Risk Management Terms Explained
- What is a Comprehensive Risk Assessment? Does My Company Need One?
- How to Avoid Being Negligent When it Comes to Risk
- 4 Tips for a Successful Transition Back to the Office
SIGN UP FOR OUR NEWSLETTERS!
We tap into the vast knowledge and experience within our organization to provide you with monthly content on topics and ideas that drive and challenge your company every day.