3 Areas to Mitigate Third Party Risk
Third-party risk could take you out in ways you hadn’t planned. Here are three areas of third-party risk to address – and how to get each of them right.
Global events, such as the Ukraine-Russia conflict, are driving increased risk levels in nearly every organisation’s supply chain. Often, companies fail to take action on this risk until it’s too late – a third-party breach has occurred, and their data is long gone, or a critical supplier experiences a service interruption, and the organisation has no backup. As a result, organisations scramble to maintain resiliency with a reactive approach, but it’s typically too little, too late.
The best protection against third-party risk is to get it right from the start. You can develop third-party risk management best practices to navigate today’s minefield of risk no matter your organisation’s resources.
For a complete deep dive into best practices for managing supplier risk, join ProcessUnity and Procurious on April 27th for a webcast, Are Your Suppliers Putting You at Risk? And what to do about it.
Vendor Risk Management
It goes without saying that third-party risk management is a critical function of any organisation. Creating a strong foundation with standardised processes for every stage of the vendor lifecycle will help you gain more insight into the health of your vendor population.
The foundational steps to the vendor risk management process include:
- STEP 1: Identify your vendors and establish an inventory
- STEP 2: Define your company’s risk appetite
- STEP 3: Determine inherent risk & classifications
- STEP 4: Establish assessment questionnaires
- STEP 5: Create an assessment schedule
- STEP 6: Define who owns the process
- STEP 7: Outline a contingency plan should an issue arise
Work with your team to develop complete, repeatable processes for each stage. With an end-to-end process in place for the vendor risk management (VRM) lifecycle, you’ll be able to mitigate your third-party risks proactively.
Ongoing Vendor Monitoring
Possibly the most crucial aspect of the third-party risk lifecycle is ongoing vendor monitoring. This stage is also the longest, as it takes place throughout the relationship.
The objective of ongoing monitoring is to verify your vendor’s security routinely. It will help you ensure reliability, integrity and security throughout your vendor population.
Key risk areas to monitor for changes include:
- Mergers & acquisitions
- Negative news
- Business continuity events (natural disasters)
- Regulatory changes
- Financial health
- Cybersecurity ratings
- Business process changes
- Sustainability (ESG)
It’s important to remember that you don’t need to monitor these areas at the same depth and frequency for every vendor. To make the process more efficient for both your team and your vendors, assign vendors to criticality tiers and assess accordingly. For example, a vendor in the ‘high risk’ tier should be assessed more frequently and deeply than a vendor in the ‘low risk’ tier.
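The tiering idea above (Steps 1, 3 and 5 applied together: an inventory, an inherent-risk classification, and an assessment schedule whose frequency depends on the tier) can be made concrete in a short script. The following is an added example written for this article; it is not ProcessUnity’s or Procurious’s code. The scoring weights, the tier thresholds, the assessment cadences and the vendor inventory are all constructed assumptions, chosen only to show the mechanics: a vendor’s inherent risk is scored from the sensitivity of the data it handles, how dependent day-to-day operations are on it, and whether it has network access; that score maps to a tier; and each tier gets its own review cadence, so ‘high risk’ vendors come up for reassessment far more often than ‘low risk’ ones.

```python
"""Tier-based vendor assessment scheduling (constructed example).

Inherent risk is scored from a few vendor attributes, the score maps to a
criticality tier, and each tier has its own assessment cadence. All weights,
thresholds, cadences and vendors below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scoring inputs: higher sensitivity / dependency means higher inherent risk.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
DEPENDENCY = {"low": 0, "medium": 1, "high": 2}  # impact of a service interruption

# Assumed tiers: (tier name, minimum score, assessment cadence in days).
# Ordered from most to least critical so the first match wins.
TIER_RULES = [
    ("high", 4, 90),
    ("medium", 2, 180),
    ("low", 0, 365),
]


@dataclass
class Vendor:
    name: str
    data_sensitivity: str
    dependency: str
    has_network_access: bool
    last_assessed: date


def inherent_risk_score(vendor):
    """Sum the assumed risk factors; network access adds one point."""
    score = DATA_SENSITIVITY[vendor.data_sensitivity] + DEPENDENCY[vendor.dependency]
    if vendor.has_network_access:
        score += 1
    return score


def tier_for(score):
    """Map a score to the first tier whose minimum it meets."""
    for tier, min_score, _ in TIER_RULES:
        if score >= min_score:
            return tier
    return "low"


def cadence_days(tier):
    """Assessment interval for a tier, in days."""
    return next(days for name, _, days in TIER_RULES if name == tier)


def next_assessment(vendor, today):
    """Return (tier, due date, overdue flag) for one vendor."""
    tier = tier_for(inherent_risk_score(vendor))
    due = vendor.last_assessed + timedelta(days=cadence_days(tier))
    return tier, due, due <= today


def build_schedule(vendors, today):
    """Produce the assessment schedule, earliest due date first."""
    rows = []
    for vendor in vendors:
        tier, due, overdue = next_assessment(vendor, today)
        rows.append({"vendor": vendor.name, "tier": tier,
                     "due": due.isoformat(), "overdue": overdue})
    rows.sort(key=lambda row: (row["due"], row["vendor"]))
    return rows


# Constructed inventory (Step 1); names and attributes are invented.
INVENTORY = [
    Vendor("Payroll SaaS", "regulated", "high", True, date(2024, 1, 15)),
    Vendor("Marketing analytics", "confidential", "medium", False, date(2023, 12, 1)),
    Vendor("Office plants", "public", "low", False, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for row in build_schedule(INVENTORY, date(2024, 5, 1)):
        flag = "OVERDUE" if row["overdue"] else "scheduled"
        print(f"{row['vendor']:<22} {row['tier']:<7} {row['due']}  {flag}")
```

Running the script on the constructed inventory with 1 May 2024 as ‘today’ shows the payroll provider in the high tier and already overdue for its 90-day review, the analytics vendor in the medium tier with a review due later in May, and the plant supplier in the low tier with nothing due until the following January. The point of the design is that the cadence is a property of the tier, not of the individual vendor, so changing one row in TIER_RULES changes the schedule for the whole tier at once.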
Cybersecurity
Cybersecurity risk is now one of the biggest risks organisations face – both directly and indirectly through their vendors. Hacking groups are more frequently targeting an organisation’s third parties as a ‘back door’ to their harder-to-breach systems. This threat was most recently demonstrated in the Lapsus$ hacks, which exposed hundreds of customers’ data through third-party applications.
There are a few cybersecurity risk areas organisations should evaluate with their third parties to gain better visibility into their policies, procedures and controls:
- Compliance Risks: Depending on your third party’s service type or location, they are likely to have different compliance requirements than your organisation. Get familiar with the regulations and standards applicable to your third parties, then understand the steps to compliance.
- Operational Risks: Your organisation might rely on third parties to provide a service essential to your day-to-day operations or IT infrastructure. Understand the controls third parties have in place to operate these parts of your organisation safely. Verify that the third party has adequate controls for addressing vulnerabilities in their own IT infrastructure.
- Information Security Risks: Whether they’re handling your organisation’s sensitive data or their own, third parties must have controls in place for data protection. Understand the complete lifecycle of your highly sensitive data within your third parties. Clarify how long your third parties maintain this data and ensure that they are contractually obliged to destroy it after your business relationship concludes.
Think of cybersecurity as a collaboration point between your organisation and its vendors. Utilise ongoing vendor monitoring to foster communication around cyber risk throughout the relationship.
Conclusion
The bottom line is that your suppliers’ risk is your risk, and you can’t take a back seat when managing it. The best approach to third-party risk management anticipates risks before they occur.
Take a deeper look into these risk areas with ProcessUnity and Procurious on April 27 for their webcast, Are Your Suppliers Putting You at Risk? And what to do about it. Register here.