Supplier risks are situations or events affecting companies that provide goods or services to your organization, potentially exposing it to financial, operational, or reputational damage. Given the interconnected nature of modern supply chains, your organization likely faces an abundance of supplier risks that it may not have even considered as important until recently.
Identifying risk categories and determining their applicability to your organization is one of the key initial steps in building an effective supply chain risk management program. In this post, we will review the top supply chain risks today and outline steps you can take to mitigate their impact on your organization.
Each company you do business with faces a variety of potential financial risks, any of which can ultimately impact your organization. Financial risks to organizations are typically grouped into four categories:
Financial challenges in these areas can distract a supplier from fulfilling its obligations to your organization, degrade the quality of its services, or even cause it to cease operations altogether – causing a break in your supply chain.
Financial problems can be one of the hardest categories of third-party risk to mitigate – especially when they affect existing vendors with whom you have contractual obligations. That’s why it’s critical to conduct financial risk analysis during the procurement due diligence process, prior to vendor onboarding.
Below are a few best practices for identifying and mitigating third-party financial risks. These tips also come in handy when addressing the other types of risk covered in this article.
Centralize and Standardize Vendor Data: Centralizing vendor data is critical for comparing risk among prospective vendors. A central vendor risk management solution can correlate data from credit checks, public filings and other initial financial research with profiled risk data – such as services to be provided, type/volume of data to be handled, location and industry – to generate standardized risk ratings for each vendor prospect.
Map Fourth-Party Supplier Relationships: Fourth parties (i.e., suppliers to your suppliers), fifth parties (suppliers to their suppliers), and other companies even deeper in your supply chain (Nth parties) can all encounter financial challenges that can ultimately cause disruptions for your business. For instance, the COVID-19 pandemic led to financial adversity for countless organizations, many of which had to shutter or pause operations. This caused major supply chain disruptions everywhere from the food and beverage industry to the auto industry. A TPRM platform can automate relationship mapping, providing visibility into fourth- and Nth-party relationships and enabling you to understand and mitigate risk up front.
Go Beyond Credit Checks: Credit checks and public filings are a good first step for understanding a supplier’s financial situation, but it’s important to consider other factors for a broader assessment of a supplier’s financial risk. For instance, mergers and acquisitions, leadership changes, lawsuits, negative regulatory findings, and market changes can all have financial implications. Conducting continuous risk monitoring can help you to flag these and other financial risks as they arise throughout your vendor relationships.
ESG risks are those connected to a third party’s environmental, social, and governance practices. In many cases, ESG risks can be hard to detect until they reach the front pages of major news sites, by which time your company’s reputation may already be in danger of being tarnished. ESG risks are on the rise as corporate environmental and labor records face increasing scrutiny from regulators, auditors, and consumers.
Environmental criteria evaluate how a firm performs in terms of sustainability, such as energy usage, waste, pollution, and/or natural resource consumption. Many organizations have recently come under fire for poor environmental practices, and companies are increasingly being scrutinized based on how they respond to climate change. Third parties need to be rigorously evaluated based on their environmental practices, and whether the sourcing of their raw materials is sustainable.
Social criteria assess how a firm handles relationships with workers, suppliers, customers, and local communities in areas such as diversity, human rights, and consumer protection. Social responsibility is becoming increasingly important for vendors. Companies should carefully evaluate potential vendors for human rights violations such as modern slavery before signing a contract. Social risk can pose substantial disruptions to organizations that fail to account for it.
Governance deals with a company’s management, executive pay, audits, internal controls, and shareholder rights. Poor management practices such as tax avoidance, bribery, and a lack of diverse hiring practices can severely damage the reputation of a company and of the companies that do business with it, both up and down the supply chain.
ESG risks can be difficult to mitigate due to the multi-faceted nature of the category. As with financial risk, it’s important to include ESG reviews during the initial due diligence process for prospective vendors – prior to signing any contracts.
Also, since multiple ESG-focused regulations are now holding companies accountable for issues like bribery and slavery in their supply chains, it’s critical to conduct relationship mapping and fourth- and Nth-party risk analysis to uncover any potential supply chain issues that could shed negative light on your organization.
Don’t Overlook ESG During Procurement: For a quick check on ESG risk for prospective vendors (or catching up on existing vendors), consider subscribing to a vendor risk intelligence network. The networks are repositories of on-demand supplier risk reports compiled from completed assessments and external monitoring data. A good network will provide insights across several types of risk, including ESG.
Include ESG Questions in Periodic Risk Assessments: For a more custom look at ESG risk at your existing vendors, you can conduct questionnaire-based supplier risk assessments. With the right TPRM platform, you can automatically map assessment responses to your business requirements, as well as to several industry and government regulations.
Recognize that ESG Risks Can Surface at Any Time: Stay on top of ESG-related events as they surface by conducting continuous third-party risk monitoring across your supplier ecosystem. Risk monitoring solutions can correlate research from thousands of sources to identify everything from negative press to compliance violations affecting your suppliers.
While vendor financial and reputational risks can severely impact your business, supplier risk most often makes headlines when third-party breaches occur.
Data breaches can jeopardize personally identifiable information (PII), protected health information (PHI), intellectual property, or any other sensitive information that you entrust to your suppliers for handling or storage. Data breaches can result from concerted attempts by attackers to exploit vulnerabilities in supplier systems, but they can also result from mishandled data. For instance, Morgan Stanley was recently fined $60 million by the OCC for failing to properly oversee and conduct due diligence on a third-party supplier responsible for decommissioning some of the company’s IT hardware.
Cyber security breaches can result not only in stolen data, but also in damaged or disrupted vendor computer networks, supervisory control and data acquisition (SCADA) systems, or other IT systems. Ransomware attacks like the Colonial Pipeline breach and the recent Kaseya breach, which affected managed service providers and their customers, are examples of how attackers can bring your suppliers’ IT operations to a halt.
While compliance is a factor for almost all risk categories in this article, most regulations with implications for third-party risk management are focused on data security and privacy. For instance, many government and industry requirements – such as GDPR, HIPAA, CCPA, and others – place strict controls on how and when data can be shared with third parties. Even unknowing violations can result in severe financial and, in some cases, criminal penalties.
Compared to financial and ESG risks, exposures from IT security vulnerabilities and/or missing or improper security controls can be more straightforward to identify and address with vendors and suppliers. Below are some best practices to reveal and mitigate third-party information security risk to a residual level that your organization can accept.
Make Friends with Your CISO: Working with your chief information security officer (CISO) and their team is critical to success here. They should be involved at every step of the TPRM process. Familiarizing yourself with cyber security guidelines like those outlined in the NIST report, Key Practices in Cyber Supply Chain Risk Management, can give you a point of reference for collaborating with your security team.
Align with a Framework: Your IT security team should have an established set of guidelines and required controls for any supplier that has access to your systems or data. Aligning with an established IT security framework, such as those outlined by NIST or ISO, will save you and your suppliers a lot of headaches vs. starting from scratch. When combined with any applicable compliance requirements, a standardized framework will provide a solid foundation for building your vendor risk assessment questionnaires. Better yet, use a TPRM platform that provides ready-built questionnaires that map to frameworks and regulations out of the box.
Mind the Gap Between Assessments: While periodic questionnaire-based assessments are great for identifying whether your suppliers have the right IT security controls in place, they aren’t a panacea. To get a complete picture of third-party data and privacy risks, you’ll also want to conduct continuous cyber risk monitoring of your critical suppliers. With the right vendor risk monitoring solution, you can comb the public-facing internet, deep web, and dark web to uncover vulnerabilities and evidence of data breaches affecting your suppliers. The cyber risk environment is constantly evolving, so monitoring will help you maintain situational awareness between assessments.
The modern economy has made managing supplier risks not only extremely important, but also very difficult. In many cases, companies are at the mercy of opaque and complex supply chains that are impossible to fully understand. However, by understanding supply chain risk and applying risk management best practices, you can mitigate unacceptable levels of risk and ensure that your supply chains can withstand unexpected shocks.
Prevalent makes it easy to manage third-party and fourth-party risk throughout your supply chain. Our vendor risk management platform unifies automated risk assessment with continuous cyber, financial, and reputational monitoring for a 360-degree view of vendor risk. Request a demo today to see if Prevalent is a fit for you.