7 Pillars of Third Party Assessments
In the modern economy, the complex network of third parties on which businesses rely results in expanded business risk. While vendor risk management has taken a greater seat at the board table, many organizations still struggle with how to appropriately assess the layers of risk that external partners impose. A useful framework for approaching it is a construct of risk pillars that reflect the strategic risk domains every business confronts.
1. Cybersecurity – Access to sensitive organizational data shared in the normal course of business poses perhaps the biggest risk in third party relationships. The Ponemon Institute’s research report Data Risk in the Third Party Ecosystem notes that 59% of respondent organizations experienced a data breach caused by one of their third parties, yet only 12% were confident they’d learn their sensitive data was lost or stolen by an Nth vendor. As data is the lifeblood of modern business, holding third parties’ data protection practices to account is clearly a top priority.
2. Privacy – Data privacy has become an equally important concern with the rise of multiple privacy laws and regulations and consumer concerns about use of their data. Legal responsibility for data protection rests with the data owner, so even though custody may be shared down the supply chain, the buck stops with the originating party. Make sure your third parties understand the legal requirements to which your company is subject and have mechanisms in place to protect your data accordingly. That includes when they pass it on to other vendors they may use to fulfill their obligations to you.
3. Financial – Third parties must be financially solvent to supply the product or service you’ve contracted them to provide. Risk lies in the vendor’s financial condition, so assessing creditworthiness is an important step in your decision to engage. Because economic conditions can change frequently, it may make sense to contractually impose requirements (like a loan guarantee) for the third party to ensure they can perform the obligations of the relationship, so you’re not left without an option if the supplier hits a rough financial patch.
4. Brand / Reputational – No company wants its reputation damaged by a data breach, especially one that occurs in its supply chain. Yet instances of these incidents hitting the headlines are frequent. Beyond data risks, third parties involved in customer-facing products or services can also impact your brand, as they create the greatest opportunity for negative emotional consequences. Even your association with a company that’s earned a bad reputation can result in a ‘reverse halo effect’ and backlash against your business, so screening steps such as completing OFAC sanctions searches are worthwhile. Along with data protection mechanisms, consider evaluating each third party in the context of compatibility with your company’s values and practices, and the reputation of their own brand in areas such as diversity and inclusion.
5. Anti-Bribery / Anti-Corruption (ABAC) – The U.S. Foreign Corrupt Practices Act (FCPA) makes it unlawful for any U.S. citizen or company to make payments or give anything of value to foreign government officials in order to obtain business. Companies are accountable for bribery or other corrupt activities that involve their internal as well as external relationships. Given the global reach of today’s supply chains, American corporations need to address this issue head-on and make sure that their vendors are aware of and adhere to the requirements of this law.
6. Business Continuity / Disaster Recovery – Any number of unpredictable disruptions can cause an interruption to normal business operations – from breaches and cyberattacks to equipment failures, fire, natural disasters or even pandemics. It’s important for the third parties your business depends on to have solid plans in place for sustaining business continuity and recovering from disasters if and when they strike. Ensure your supply chain partners have adequate data backups that are protected by the same security measures as the primary data. It is also important to understand the expected recovery time in the event of a breach or disruption to the supplier’s operations. Prolonged downtime can have a compounding impact on your ability to deliver to your clients.
7. Organizational – This pillar brings risk assessment to the operational impacts of the current environment, including forces that are beyond anyone’s control. A perfect example is what’s happening right now due to the global health pandemic. Has your vendor endured a significant amount of turnover given the current disruption? Have they had to reduce staff? How are they managing the sudden need for a fully remote workforce? Are they experiencing other temporary effects that impact their ability to meet their SLAs? Companies with solid business continuity plans should be better able to weather these anomalies. But it’s important to stay on top of vendor well-being any time unusual and unanticipated changes occur.
Nobody said supply chain risk management was easy. It’s a lot to manage and the types of risk are continually growing and evolving. Approaching it through the lens of these pillars will help you organize and prioritize your vendor risk assessment. Privva offers extensive flexibility with regard to content creation and development of your vendor risk assessment questionnaire. Developed with the philosophy that risk is contextual, our rich platform streamlines the entire process, from authoring to automatic recurring delivery, helping to meet each risk in a way that aligns to your organization's policies.
Contact us to brainstorm on your requirements or to arrange a demo of our award-winning, SaaS-based platform.