Most organizations view third-party risks through a cybersecurity lens. This is understandable, considering that most third-party outsourcing begins with IT-related functions and therefore requires stringent data and system security controls. Third-party cybersecurity risks are ever present, with the 2022 Verizon Data Breach Investigations Report showing that 62% of system intrusion incidents came through partners, including third parties. When a breach does happen, victim companies end up paying a steep price – hundreds of thousands of dollars to detect and eliminate threats, plus fines for non-compliance and the potential for regulatory actions and lost customer trust.
While risk management and security teams must pay the utmost attention to IT risks introduced by third parties, there are several non-IT risks that – if not promptly identified and addressed – can result in fines, lawsuits and reputational damage to rival even the worst data breaches. This post reviews five of the most significant non-IT risks.
Executive Brief: Managing IT and Non-IT Risks
Discover how to gain a more holistic view of vendor, supplier and partner risks.
Many organizations are ill-prepared for disruptions to their operations. An EY survey of 200 supply chain executives found that 72 percent of companies reported that Covid disruptions had a negative effect on their operations and that only 2 percent responded that they were fully prepared for the challenges.
Operational risks will continue to exist even in a post-Covid world. For example, the Russian invasion of Ukraine halted production at two Ukrainian companies responsible for between 45% and 54% of the world's supply of semiconductor-grade neon used in manufacturing chips.
For risk management professionals, understanding the resilience of their supply chain is critical. This includes evaluations of incident response, business continuity and disaster recovery plans. With a holistic understanding of your suppliers’ capabilities, your organization can better prepare to reduce operational risk from pandemics, environmental disasters and other potential crises.
Regulatory frameworks are growing more complex each year. Most, including HIPAA, PCI-DSS, GDPR, and CCPA/CPRA, are focused on protecting the personal information of customers and employees. A common thread is that all require organizations to understand where risk exists (typically through a risk assessment), maintain a plan for mitigating that risk, and report back to regulators. This extends to risks presented by vendors, business associates, contractors and partners.
To mitigate this risk, you not only need to understand which regulatory standards apply to your organization and its vendors, but also fully assess your vendors’ operations and controls. After all, penalties and lawsuits can be expensive, disrupt operations, and cause reputational damage.
The concept of corporate social responsibility (CSR) is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees, and communities; and how it deals with executive pay, internal controls, and shareholder rights.
Regulatory pressure is growing as a result of increased awareness. The U.S. Securities and Exchange Commission (SEC) proposed rules requiring “certain climate-related information in their registration statements and annual reports,” including “upstream and downstream value chains.” The European Union (EU) Parliament presented mandates that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example pollution and biodiversity loss.”
Navigating ESG requirements can be challenging for risk executives accustomed to focusing only on IT-related issues. Understanding regulatory and industry guidelines for ESG can help when assessing potential suppliers, vendors or other third parties against your organization’s own policies and customer expectations.
The financial health of vendors and strategic partners is critical when assessing third-party risk. After all, a vendor can only support its clients if it is financially sound. But understanding a vendor’s financial risk goes beyond examining last year’s balance sheet. For instance, customer or distribution partner losses or missed earnings could result in a restructuring or discontinuation of specific offerings. In addition, the loss of key executives could signal a downturn in revenue or an upcoming lawsuit.
While many organizations review financial risk before onboarding a new vendor, risk executives require ongoing monitoring of their vendors and partners to mitigate and manage risk throughout the relationship.
Fair or not, organizations are judged by the company they keep. It therefore makes sense for you to pay attention to the practices of your partners. Reputational harm from doing business with unethical vendors or suppliers can damage your business. Sudden disclosures of unethical actions can also disrupt supply chains as suppliers move or rebuild operations and litigate legal actions.
Risk managers need to monitor public and private sources of reputational information, lawsuits and impending sanctions such as the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, the UK Sanctions List, and the EU Consolidated List of Sanctions throughout the business lifecycle.
Free TPRM Maturity Assessment
Work with Prevalent experts to get in-depth report on the state of your current TPRM program, plus practical recommendations for how to bring it to the next level.
Prevalent has a new white paper that examines different forms of non-IT risks and describes how to gain a holistic view of vendors, suppliers and partners across the third-party lifecycle. Download the white paper, How to Manage IT and Non-IT Third-Party Risks, to gain guidance on how to:
With this comprehensive guidance, your organization can get control over IT and non-IT third-party risks. Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.