Third-Party Risk Management: Navigating the Perilous Seas of Outsourcing

Jason Butler
, Industry Subject Matter Expert

Introduction

In the modern business landscape, outsourcing to third-party vendors has become a staple strategy for organizations seeking to streamline operations, reduce costs, and focus on core competencies. Engaging third parties can offer significant benefits, but it comes with an array of risks that tend to be underestimated or misunderstood. This misconception arises from the belief that third-party experts will inherently manage every aspect of the outsourced function with the same dedication and diligence as if it were in-house. In reality, managing third-party risk is a crucial responsibility that organizations must shoulder to safeguard their interests.

The assumption that third-party vendors will handle business continuity planning (BCP), software patching and updates, employee management, and performance management among other things is optimistic and ignores the layered complexity of risk management. This is particularly poignant when reflecting on early career experiences, where one might presume that outsourcing absolves them from ongoing oversight responsibilities. However, as seasoned professionals understand, delegation does not mean abdication. A robust third-party risk management (TPRM) program is essential to maintain the integrity, security, and efficiency of outsourced operations.

 

Elements of a TPRM Program

A comprehensive TPRM program consists of several key components:

Vendor Identification/Selection Phase:

At the outset, organizations must identify potential vendors through a structured process that ensures the third party aligns with the organization’s strategic objectives and value system.

Risk Assessment/Due Diligence Phase:

A thorough due diligence process is conducted to scrutinize a vendor’s capabilities, compliance with relevant regulations, and risk profile. This crucial step often suffers from lax attention, leading to a surface-level understanding of potential risks.

Risk Mitigation and Acceptance Phase:

Once risks are identified, the organization must decide whether to accept, mitigate, or, in limited cases, transfer these risks, potentially in the contract execution phase.

Contract Execution and Onboarding:

With a clear understanding of the risks involved, organizations can negotiate contracts that reflect their risk appetite, detailing mitigation and transfer strategies where possible.

Ongoing Monitoring:

Regular monitoring of third-party performance against agreed benchmarks and re-assessment of risks is essential to adjust the risk management strategies as needed.

Vendor Off-boarding:

Finally, the process must also encompass the systematic disengagement from third-party relationships, ensuring all risks are adequately closed out, and sensitive information and assets are secured.

 

The Risks

Focusing on due diligence and ongoing monitoring, there are several categories of risk an organization must consider:

**Reputational Risk:**

Vendors must uphold standards that won’t tarnish the hiring organization’s reputation. Adverse associations can have lasting impacts, as evidenced by controversies involving Bud Light and UFC, Kanye West and Adidas, or more recently American Express with their fine from the Office of the Comptroller of the currency for inadequate controls over a third-party vendor.

**Financial/Compliance Risk:**

Third-parties should have the financial stability and compliance postures to prevent issues that could lead to lost revenue or regulatory penalties, as highlighted  by Metropolitan Commercial Bank’s (MCB) improper oversight of a third-party program manager used for COVID-19 prepaid cards.  This led to MCB being non-compliant with Bank Secrecy Act (BSA) requirements, along with a $15 million fine.

**Operational Risk:**

Organizations should plan for scenarios where vendors may become unable to perform contracted services. An example of this risk materializing is the case of Pano Logic, a company that abruptly ceased operations, leaving clients without support.

**IT/Security Risk:**

The IT infrastructure and security policies of third-party vendors must align with the organization’s standards. Vendor-related data breaches, such as the 2013 Target hack initiated through a third-party HVAC subcontractor, underscore this necessity.

 

Conclusion

In concluding, several best practices should guide the TPRM process:

  • Implement a consistent, objective, and quantitative method to assess and manage risks.
  • Engage subject matter experts to gain insight into specialized areas of risk, supplementing the organization’s internal expertise.
  • Never underestimate the importance of regular assessments in ongoing monitoring to catch any evolving risks.
  • Heed the red flags, and act diligently to investigate and resolve any suspicious activities or inconsistencies.

 

Undoubtedly, the journey of managing third-party risk is intricate and demands an unyielding commitment to vigilance. Organizations must build and maintain robust TPRM programs that not only consider immediate risks but also the ever-evolving landscape of threats that may emerge in the partnerships they cultivate. In doing so, they navigate the perilous seas of outsourcing, fortified with the strength to turn third-party engagements into opportunities, rather than liabilities.