Changing Business Landscape and the Need for Managing Third-Party Risk
Increasingly, organizations are outsourcing components of their business to third-parties that perform functions previously done by the organization in-house. Relying on third-parties exposes organizations to a number of vendor related risks. Recent research by CFO Research Services, in conjunction with Crowe Horwath, identified a number of common risk challenges with outsourcing arrangements across a wide range of organizations they surveyed:
- There is damage being done by third-parties.
- Businesses do not know all the associated third-party risks.
- Risk management for third-parties needs to get better.
Their research report identifies a number of issues for organizations to consider as they evaluate outsourcing arrangements.
Outsourcing is becoming more of the norm than the exception, with two-thirds of survey respondents indicating they interact with third parties on a regular basis while only 4 percent (2 respondents) indicate they rarely or never do. Even more significant is that they expect the use of third parties to grow over time as organizations seek to tap into specialty expertise third parties can provide in a more cost effective manner than when key processes stay inside the organization.
Making the decision to enlist a third-party allows organizations to focus on what they do best and on its critical functions. Third parties can complement the organization offering tremendous strategic advantages. But, selecting the right third party is critical!
Get the Microscope Out and Look at Your Third-Parties
An astonishing 98 percent of respondents in the survey indicate at least one aspect of their third-party risk management needs improvement. Without a doubt, third party vendors in outsourcing arrangements can cause great harm. The challenge is determining where the vulnerabilities reside. Opaqueness surrounding the risks to the third-party vendor is a top area of concern with 31 percent of survey respondents seeking to improve in their own assessments. The research report identifies several areas to consider when improving third-party risk assessments.
Making Third-Party Risk Management Better
Involve the business owners
When talking about third-party risk visibility, organizations must involve the people in the business who work closely with the outsourced vendor to help the organization’s risk identification process. These individuals are often most aware of the workings of a vendor and can help an organization identify its potential vendor related vulnerabilities. Sixty-four percent of the survey respondents use a centralized approach to managing the day-to-day responsibilities of third-party risk. However, only 43 percent of those use an enterprise-wide risk management function that encompasses business owners. It is imperative to get everyone together when discussing third-party risk because each area may have its own way to view risks.
Formalize the process of selecting third-party relationships
The research paper suggests the use of “stress-testing” to test third-party relationships. Ideas revolving around the vendors’ financials, their fit with the organization, their performance, and many other areas that can be measured or observed represent important areas to evaluate before beginning a relationship with a third-party. The report suggests that organizations put the formal process of evaluating potential third-party relationships in writing like any other policy and procedure. The policy should assign responsibility to the process so it does not fall through the cracks.
Keep control over what is possible, but be prepared for what is not
Along with the aforementioned concepts of involving business owners and formalizing a process of third-party risk management, the idea of taking time to identify your third-party risks is imperative to knowing your exposures. As one contributor to the white paper said, “all we can control is how we approach risk:…” meaning that you cannot control the risks of your third parties, but the way you approach the outsourced arrangement may enable you to prepare for their potential exposures.
No one can escape the changing business landscape that has blurred the lines between traditional organizations and created a myriad of interconnected businesses. Change brings new emerging risks. To stay ahead of risks, organizations need to recognize that they need to focus not only on the organization’s own internal risks but now they need to evaluate the quality of risk management at their third party outsource partners. Keeping eyes open to the risks of third parties is now inherently part of any organization’s risk management functions when those organizations outsource key business processes.