Top Supplier Risks and What to Do About Them

ESG Risks

ESG risks are those connected to a third party’s environmental, social, and governance practices. In many cases, ESG risks can be hard to detect until they reach the front pages of major news sites, by which time your company’s reputation may already be in danger of being tarnished. ESG risks are on the rise as corporate environmental and labor records face increasing scrutiny from regulators, auditors, and consumers.

Environmental Risk

Environmental criteria evaluate how a firm performs in terms of sustainability, such as energy usage, waste, pollution, and/or natural resource consumption. Many organizations have recently come under fire for poor environmental practices, and companies are increasingly being scrutinized based on how they respond to climate change. Third parties need to be rigorously evaluated based on their environmental practices, and whether the sourcing of their raw materials is sustainable.

Social Risk

In areas such as diversity, human rights, and consumer protection, social criteria assess how a firm handles relationships with workers, suppliers, customers, and local communities. Social responsibility is becoming increasingly important for vendors. Companies should carefully evaluate potential vendors for human rights violations such as modern slavery before signing a contract. Social risk can pose substantial disruptions to organizations that fail to account for it.

Governance Risk

Governance deals with a company’s management, executive pay, audits, internal controls, and shareholder rights. Poor management practices such as tax avoidance, bribery, and lack of diverse hiring practices can severely damage the reputation of a company and the companies that do business with them, both up and down the supply chain.

Mitigating Supplier ESG Risks

ESG risks can be difficult to mitigate due to the multi-faceted nature of the category. As with financial risk, it’s important to include ESG reviews during the initial due diligence process for prospective vendors – prior to signing any contracts.

Also, since multiple ESG-focused regulations are now holding companies accountable for issues like bribery and slavery in their supply chains, it’s critical to conduct relationship mapping and 4^th- and Nth-party risk analysis to uncover any potential supply chain issues that could shed negative light on your organization.

Don’t Overlook ESG During Procurement: For a quick check on ESG risk for prospective vendors (or catching up on existing vendors), consider subscribing to a vendor risk intelligence network. The networks are repositories of on-demand supplier risk reports compiled from completed assessments and external monitoring data. A good network will provide insights across several types of risk, including ESG.

Include ESG Questions in Periodic Risk Assessments: For a more custom look at ESG risk at your existing vendors, you can conduct questionnaire-based supplier risk assessments. With the right TPRM platform, you can automatically map assessment responses to your business requirements, as well as to several industry and government regulations.

Recognize that ESG Risks Can Surface at Any Time: Stay on top of ESG-related events as they surface by conducting continuous third-party risk monitoring across your supplier ecosystem. Risk monitoring solutions can correlate research from thousands of sources to identify everything from negative press to compliance violations affecting your suppliers.

Cyber Security and Compliance Risks

While vendor financial and reputational risks can severely impact your business, supplier risk most often makes headlines when third-party breaches occur.

Data and Privacy Risks

Data breaches can jeopardize personally identifiable data (PII), protected health information (PHI), intellectual property, or any other sensitive information that you entrust to your suppliers for handling or storage. Data breaches can result from concerted attempts by attackers to exploit vulnerabilities in supplier systems, but they can also result from mishandled data. For instance, Morgan Stanley was recently fined $60 million by the OCC for failing to properly oversee and conduct due diligence on a third-party supplier responsible for decommissioning some of the company’s IT hardware.

IT System and Critical Infrastructure Risks

Cyber security breaches can result not only in stolen data, but also in damaged or disrupted vendor computer networks, supervisory control and data acquisition (SCADA) systems, or other IT systems. Ransomware attacks like the Colonial Pipeline breach and the recent Kaseya breach, which affected managed service providers and their customers, are just one example of how attackers can bring your suppliers’ IT operations to a halt.

Compliance Risks

While compliance is a factor for almost all risk categories in this article, most regulations with implications for third-party risk management are focused on data security and privacy. For instance, many government and industry requirements – such as GDPR, HIPAA, CCPA, and others – place strict controls on how and when data can be shared with third parties. Even unknowing violations can result in severe financial and, in some cases, criminal penalties.

Mitigating Cyber Security and Compliance Risks

Compared to financial and ESG risks, exposures from IT security vulnerabilities and/or missing or improper security controls can be more straightforward to identify and address with vendors and suppliers. Below are some best practices to reveal and mitigate third-party information security risk to a residual level that your organization can accept.

Make Friends with Your CISO: Working with your chief information security officer (CISO) and their team is critical to success here. They should be involved at every step of the TPRM process. Familiarizing yourself with cyber security guidelines like those outlined in the NIST report, Key Practices in Cyber Supply Chain Risk Management, can give you a point of reference for collaborating with your security team.

Align with a Framework: Your IT security team should have an established set of guidelines and required controls for any supplier that has access to your systems or data. Aligning with an established IT security framework, such as those outlined NIST or ISO, will save you and your suppliers a lot of headaches vs. starting from scratch. When combined with any applicable compliance requirements, a standardized framework will provide a solid foundation for building your vendor risk assessment questionnaires. Better yet, use a TPRM platform that provides ready-built questionnaires that map to frameworks and regulations out of the box.

Mind the Gap Between Assessments: While periodic questionnaire-based assessments are great for identifying whether your suppliers have the right IT security controls in place, they aren’t a panacea. To get a complete picture of third-party data and privacy risks, you’ll also want to conduct continuous cyber risk monitoring of your critical suppliers. With the right vendor risk monitoring solution, you can comb the public-facing internet, deep web, and dark web to uncover vulnerabilities and evidence of data breaches affecting your suppliers. The cyber risk environment is constantly evolving, so monitoring will help you maintain situational awareness between assessments.

Next Steps for Reducing Supplier Risk

The modern economy has made managing supplier risks not only extremely important, but also very difficult. In many cases, companies are at the mercy of opaque and complex supply chains that are impossible to fully understand. However, by understanding supply chain risk and applying risk management best practices, you can mitigate unacceptable levels of risk and ensure that your supply chains can withstand unexpected shocks.

Prevalent makes it easy to manage third-party and fourth-party risk throughout your supply chain. Our vendor risk management platform unifies automated risk assessment with continuous cyber, financial, and reputational monitoring for a 360-degree view of vendor risk. Request a demo today to see if Prevalent is a fit for you.