How to Manage IT and Non-IT Third-Party Risks

Third-party risk comes in many forms. Use this guidance to gain a comprehensive view of vendors, suppliers and partners.
Scott Lang
VP, Product Marketing
July 12, 2022
Most organizations view third-party risks through a cybersecurity lens. This is understandable, considering that most third-party outsourcing begins with IT-related functions and therefore requires stringent data and system security controls. Third-party cybersecurity risks are ever present, with the 2022 Verizon Data Breach Investigations Report showing that 62% of system intrusion incidents came through partners, including third parties. When a breach does happen, victim companies end up paying a steep price – hundreds of thousands of dollars to detect and eliminate threats, plus fines for non-compliance and the potential for regulatory actions and lost customer trust.

While risk management and security teams must pay the utmost attention to IT risks introduced by third parties, there are several non-IT risks that – if not promptly identified and addressed – can result in fines, lawsuits and reputational damage to rival even the worst data breaches. This post reviews five of the most significant non-IT risks.

5 Non-IT Risks to Watch Out For

1. Operational Risk from Supply Chain Disruptions

Many organizations are ill-prepared for disruptions to their operations. An EY survey of 200 supply chain executives found that 72 percent of companies reported that Covid disruptions had a negative effect on their operations and that only 2 percent responded that they were fully prepared for the challenges.

Operational risks will continue to exist even in a post-Covid world. For example, the Russian invasion of Ukraine halted production at two Ukrainian companies responsible for between 45% and 54% of the world's supply of semiconductor-grade neon used in manufacturing chips.

For risk management professionals, understanding the resilience of their supply chain is critical. This includes evaluations of incident response, business continuity and disaster recovery plans. With a holistic understanding of your suppliers’ capabilities, your organization can better prepare to reduce operational risk from pandemics, environmental disasters and other potential crises.

2. Compliance Risk Resulting in Fines and Lawsuits

Regulatory frameworks are growing more complex each year. Most, including HIPAA, PCI-DSS, GDPR, and CCPA/CPRA, are focused on protecting the personal information of customers and employees. A common thread is that all require organizations to understand where risk exists (typically through a risk assessment), maintain a plan for mitigating that risk, and report back to regulators. This extends to risks presented by vendors, business associates, contractors and partners.

To mitigate this risk, you not only need to understand which regulatory standards apply to your organization and its vendors, but also fully assess your vendors’ operations and controls. After all, penalties and lawsuits can be expensive, disrupt operations, and cause reputational damage.

3. Corporate Social Responsibility Risk from Poor ESG Behavior

The concept of corporate social responsibility (CSR) is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees, and communities; and how it deals with executive pay, internal controls, and shareholder rights.

Regulatory pressure is growing as a result of increased awareness. The U.S. Securities and Exchange Commission (SEC) proposed rules requiring “certain climate-related information in their registration statements and annual reports,” including “upstream and downstream value chains.” The European Union (EU) Parliament presented mandates that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example pollution and biodiversity loss.”

Navigating ESG requirements can be challenging for risk executives accustomed to focusing only on IT-related issues. Understanding regulatory and industry guidelines for ESG can help when assessing potential suppliers, vendors or other third parties against your organization’s own policies and customer expectations.

4. Financial Risk from Supplier Viability Concerns

The financial health of vendors and strategic partners is critical when assessing third-party risk. After all, a vendor can only support its clients if it is financially sound. But understanding a vendor’s financial risk goes beyond examining last year’s balance sheet. For instance, customer or distribution partner losses or missed earnings could result in a restructuring or discontinuation of specific offerings. In addition, the loss of key executives could signal a downturn in revenue or an upcoming lawsuit.

While many organizations review financial risk before onboarding a new vendor, risk executives require ongoing monitoring of their vendors and partners to mitigate and manage risk throughout the relationship.

5. Reputational Risk from Doing Business with Unethical Companies

Fair or not, organizations are judged by the company they keep. It therefore makes sense to pay attention to the practices of your partners. Reputational harm from doing business with unethical vendors or suppliers can damage your business. Sudden disclosures of unethical actions can also disrupt supply chains as suppliers move or rebuild operations and respond to litigation.

Risk managers need to monitor public and private sources of reputational information, lawsuits and impending sanctions throughout the business lifecycle, including sanctions lists such as those maintained by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, the UK Sanctions List, and the EU Consolidated List of Sanctions.

Next Steps: Read the White Paper

Prevalent has a new white paper that examines different forms of non-IT risks and describes how to gain a holistic view of vendors, suppliers and partners across the third-party lifecycle. Download the white paper, How to Manage IT and Non-IT Third-Party Risks, to gain guidance on how to:

  • Associate third-party risk types to IT and non-IT domains
  • Align internal teams with the third-party risks that matter most to them
  • Map third-party risk types and teams to each stage of the vendor lifecycle

With this comprehensive guidance, your organization can get control over IT and non-IT third-party risks. Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.