The prominence of third-party goods and services in today’s business environment continues to accelerate, putting a premium on the ability of risk and compliance (R&C) professionals to execute their third-party risk management efficiently and effectively.
This is no small task. The sheer number of third parties employed under a typical organization is vast, while the landscape of risk – geopolitical, cyber and otherwise – is exceedingly complex.
Organizations differ in the scope of their reliance on third-party vendors, but the numbers can be staggering. Retail giant Walmart says it has over 100,000 third-party suppliers, noting that those entities often have their own third-party vendors (often called “fourth parties”). A typical hospital has over 1,300 vendors, according to a 2019 study by The Ponemon Institute.
In some cases, the services these third-party vendors provide are absolutely critical for an organization’s core business. There’s a reason – frequently, a third party can provide better, more economical and more resilient services than an in-house alternative. Web hosting, raw materials, even executive leadership – all are areas where third parties provide key services for organizations.
Coequal with the acceleration of vendors is the continued presence of risk related to their adoption.
2022 kicked off with the salient example in the escalating Ukraine-Russia conflict. Almost overnight, grain processors lost access to one of the world’s leading suppliers of commodity wheat. A prominent hub for outsourced programmer work, Ukraine, became a warzone. Russian business interests became the subject of new sanctions. For an organization reliant on third parties connected to the conflict, the word disruption is an understatement.
It is impossible to fully forecast every conceivable event that could generate risk in a third-party vendor relationship. For R&C, the challenge is to ask the right questions – at scale – to inform the business’s navigation of those risks.
Matching the Speed of the Business
R&C professionals are often at risk of being seen as a speed bump – albeit a critical one – in business decision making. Countless hours of discussion involving senior executives and multiple business units may have informed a desire to move forward with a certain initiative, and the relevant risk management division is all that stands in the way before the execution of that plan.
Then again, when something goes wrong – a third-party IT vendor becomes the entry point for a catastrophic cyber breach, for example – the question undoubtedly emerges of whether Risk and Compliance did enough to validate the wisdom of the decision.
This highlights the business value of expedient, robust, third-party risk assessment and monitoring. Spreadsheets and Google searches are too slow to accommodate the explosion of vendors in today’s business environment, and are also not robust enough to adequately identify potential risks.
Even well-resourced R&C programs face a major task in ensuring their risk and governance standards are applied consistently. With the potential for thousands of third-party vendors at a given organization, and different business units exploring and entering those relationships, the challenge can be daunting.
Enter the need for digital transformation. It is increasingly clear that manual, labor-intensive processes are no longer able to keep up with the pace of third-party risk management. This is concerning given the landscape of risks those relationships can represent.
One way to streamline the process begins at the very point of onboarding. Digital solutions can allow vendors to self-register within the criteria established by a third-party risk management program, freeing bandwidth for R&C and helping to ensure the consistent application of risk assessment standards.
Digital solutions can also help ensure the third party does not fall off of the visibility of risk managers in the future. A strong platform will simplify the ability to reassess third parties in the face of specific incidents, and ensure periodic risk reassessments occur.
A Growing Need
Third-party business services will only continue to grow in prominence, yet only 63 percent of respondents to NAVEX’s 2022 Definitive Risk & Compliance Benchmark Report survey said they either “strongly” or “somewhat” agreed that their third-party due-diligence program significantly reduced their legal, financial and reputational risks.
Even for strong third-party risk management programs, digital transformation stands as a major opportunity for strengthening and scaling operations. The need is continuing to grow as organizations outsource more of their business processes, seeking various benefits that may come with new risks.
Third-party services have helped to evolve the way business is conducted, making best-in-class services and supply chains accessible across the globe. It’s up to R&C to ensure that shift is well informed.
NAVEX can help your business manage third-party risk, for more information about NAVEX’s third-party risk monitoring and screening