There are myriad advantages in play when a company brings aboard a third-party partner to handle critical business tasks, like technology, human resources, manufacturing, and compliance.
After all, having an expert handle a necessary business task on an ongoing basis is no luxury; it’s a necessity.
Besides the “Three Es” (expertise, experience, and economy), third-party outsourcing firms bring a much-needed human element to an enterprise. They take the pressure off business leaders and free them to do what they do best: run their companies with their entrepreneurial vision intact and figure out great ways to grow them.
There is, however, one downside risk linked to third-party partners, and company managers need to fully understand that risk.
The downside risk is third-party incidents (think supply-chain failure, data privacy breach or disruption to IT services). Deloitte has certainly taken a close look at the issue, noting that at larger companies, third-party “failures” averaged $1 billion per incident in the past five years.
That’s up from $50 million back in 2015, Deloitte reports. Additionally, 17% of organizations had faced a high-impact, third-party risk incident in the past three years, up from 11% of organizations in 2019, Deloitte notes.
Clamping Down on Third-Party Incidents and Making Partnerships Work
High-impact third-party risk incidents are those with a severe impact on customer service, financial position, regulatory compliance and/or reputation, Deloitte reports.
“Despite an increase in incidents, companies are not yet investing sufficiently in managing third-party risk,” says Kristian Park, Deloitte global leader for extended enterprise risk management. “The COVID-19 pandemic has only highlighted the need for investment in risk management.”
“Companies experienced a wide range of third-party incidents at the peak of the pandemic including supply chain, logistic and financial failures, as well as data breaches resulting in fines – all of which can have a significant impact on customer service, regulatory compliance and reputation.”
“Given a growing dependence on critical third-party relationships, it’s key that companies act now to protect themselves and their extended enterprise,” she added.
The way forward lies in improving risk management options when working with third-party companies, and that process starts with several process and action steps that make life easier for client companies and for outsourcing partners.
Assign a specific company source. In the Deloitte report, analysts say that third-party risk management is seen as an operational issue, not a C-level or board of directors issue.
Ideally, companies should shift that process-oriented view and make a single management/supervisory source – a board of directors, a compliance officer, or even the CEO – responsible for third-party risk management.
When a company puts a board or C-level officer in charge of third-party risk management, then third-party management becomes a return-on-investment issue, which is a more “sustainable” way to build a third-party risk management model, Deloitte notes.
A direct risk management manager is ideally equipped to bring leadership expertise to the issue, like shared team assessments that spread risk management awareness around the company, along with centers of excellence, managed service models, and emerging technologies that make managing third-party relationships more accountable, more productive and more efficient.
In fact, Deloitte reports that “more than half (53%) of organizations are using centers of excellence and 38% have shared service centers” when managing third-party risk scenarios.
Build managed services that emphasize risk management intelligence. Data shows that companies fall short in effectively understanding how third-party relationships best work. They fall further astray in not prioritizing key aspects of third-party partnerships, like contract terms and monitoring third-party risk assessments, before both parties sign on the dotted line.
Front-line company managers should emphasize risk intelligence in all of the above areas, leveraging managed service utility models that streamline the effective shared exchange of data that can mitigate third-party incidents, and keep the partnership flowing productively.
According to Deloitte, 53% of survey recipients aim for a “coordinated and consistent approach” to third party risk management across the company. “Investments in managed services and shared assessments and utilities drive efficiency by reducing the need to increase headcount and reduce capital expenditure,” the survey states.
Build a risk assessment template. Checklists are always a good idea, and that’s double the dose for companies looking to strengthen third-party risk management initiatives.
That’s where a good risk management template can help.
By adding key items to the checklist, like creating questionnaires that clarify a company’s risk appetite, building third-party vendor classification methods that help with assessment, and learning how to assess third-party providers not just by performance, but by their attention to company risk, businesses can better streamline and implement more effective third-party partner assessment programs.
Getting a Grip on Third-Party Risk Management
By adopting these measures, companies can better address third-party risk management – a key, yet under-the-radar issue for companies looking to avoid regulatory, operational and financial hurdles on their way to greater growth.