How to Manage IT and Non-IT Third-Party Risks

5 Non-IT Risks to Watch Out For

1. Operational Risk from Supply Chain Disruptions

Many organizations are ill-prepared for disruptions to their operations. An EY survey of 200 supply chain executives found that 72 percent of companies reported that Covid disruptions had a negative effect on their operations and that only 2 percent responded that they were fully prepared for the challenges.

Operational risks will continue to exist even in a post-Covid world. For example, the Russian invasion of Ukraine halted production at two Ukrainian companies responsible for between 45% and 54% of the world's supply of semiconductor-grade neon used in manufacturing chips.

For risk management professionals, understanding the resilience of their supply chain is critical. This includes evaluations of incident response, business continuity and disaster recovery plans. With a holistic understanding of your suppliers’ capabilities, your organization can better prepare to reduce operational risk from pandemics, environmental disasters and other potential crises.

2. Compliance Risk Resulting in Fines and Lawsuits

Regulatory frameworks are growing more complex each year. Most, including HIPAA, PCI-DSS, GDPR, and CCPA/CPRA, are focused on protecting the personal information of customers and employees. A common thread is that all require organizations to understand where risk exists (typically through a risk assessment), maintain a plan for mitigating that risk, and report back to regulators. This extends to risks presented by vendors, business associates, contractors and partners.

To mitigate this risk, you not only need to understand which regulatory standards apply to your organization and its vendors, but also fully assess your vendors’ operations and controls. After all, penalties and lawsuits can be expensive, disrupt operations, and cause reputational damage.

3. Corporate Social Responsibility Risk from Poor ESG Behavior

The concept of corporate social responsibility (CSR) is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees, and communities; and how it deals with executive pay, internal controls, and shareholder rights.

Regulatory pressure is growing as a result of increased awareness. The U.S. Securities and Exchange Commission (SEC) proposed rules requiring “certain climate-related information in their registration statements and annual reports,” including “upstream and downstream value chains.” The European Union (EU) Parliament presented mandates that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example pollution and biodiversity loss.”

Navigating ESG requirements can be challenging for risk executives accustomed to focusing only on IT-related issues. Understanding regulatory and industry guidelines for ESG can help when assessing potential suppliers, vendors or other third parties against your organization’s own policies and customer expectations.

4. Financial Risk from Supplier Viability Concerns

The financial health of vendors and strategic partners is critical when assessing third-party risk. After all, a vendor can only support its clients if it is financially sound. But understanding a vendor’s financial risk goes beyond examining last year’s balance sheet. For instance, customer or distribution partner losses or missed earnings could result in a restructuring or discontinuation of specific offerings. In addition, the loss of key executives could signal a downturn in revenue or an upcoming lawsuit.

While many organizations review financial risk before onboarding a new vendor, risk executives require ongoing monitoring of their vendors and partners to mitigate and manage risk throughout the relationship.

5. Reputational Risk from Doing Business with Unethical Companies

Fair or not, organizations are judged by the company they keep. It therefore makes sense for you to pay attention to the practices of your partners. Reputational harm from doing business with unethical vendors or suppliers can damage your business. Sudden disclosures of unethical actions can also disrupt supply chains as suppliers move or rebuild operations and litigate legal actions.

Risk managers need to monitor public and private sources of reputational information, lawsuits and impending sanctions such as the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, the UK Sanctions List, and the EU Consolidated List of Sanctions throughout the business lifecycle.

Next Steps: Read the White Paper

Prevalent has a new white paper that examines different forms of non-IT risks and describes how to gain a holistic view of vendors, suppliers and partners across the third-party lifecycle. Download the white paper, How to Manage IT and Non-IT Third-Party Risks, to gain guidance on how to:

• Associate third-party risk types to IT and non-IT domains
• Align internal teams with the third-party risks that matter most to them
• Map third-party risk types and teams to each stage of the vendor lifecycle

With this comprehensive guidance, your organization can get control over IT and non-IT third-party risks. Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.