The use of third parties is nothing new — companies have worked with suppliers, outsourcers, licensees, agents, and the like for years. What has changed, however, is the frequency and scale of third-party use and the regulatory focus on how organizations are managing third parties to address the inherent risks.
Kristian Park, partner and leader of the Contract Risk and Compliance practice of Deloitte LLP in the United Kingdom, discusses the escalation in third-party risk and the ways organizations should be mitigating it — but often aren’t.
Q: Why is third-party risk escalating?
A: A few factors are in play. First, volume. During the recession, we saw many organizations push more of their business out to third parties in an effort to reduce internal costs across the extended enterprise. Higher volume, of course, can mean higher risk. Second: scrutiny. Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of dollars. With those fines has come a third escalating factor: reputational impact. When millions of consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer. The free-flowing nature of information also plays a role here: decades ago, a disruption in a local country would likely have stayed local; today it can quickly become a global issue. As a result of the escalating risk — and the escalating fallout when risk becomes reality — boards are paying more attention and asking more questions. The fact that in most cases, even in leading global organizations, it’s rare for someone in the organization to have an overarching view of who the company is doing business with or the risks these third parties impose on the business is a tremendous concern. Today, like never before, boards are considering third-party risk a top strategic risk. However, that hasn’t yet translated into clear accountability for third-party risk oversight, either from a single owner or a function. The Chief Procurement Officer has frequently been asked to lead this role, but that can lead to skewed emphasis on supply, rather than a broader enterprise-wide view considering alliance relationships, distribution partners, and the like.
Q: What’s been the traditional approach to managing third-party risk and where is there room for improvement?
A: Third-party risk has typically been addressed in a siloed fashion, with individuals in the organization looking at specific risks, usually within the supply chain. For example, in the banking sector, the focus might be on the IT department and the data protection issues and risks of sharing data with third parties. In the consumer products sector, the focus might be on risks to product quality and safety, with an eye to both protecting end users and safeguarding the company’s reputation. While organizations have been right to be proactive in managing risks to certain functions or aspects of the business, many haven’t pulled back from this narrow view to examine the broader business exposure — the holistic view that’s essential to understanding overall risk exposure resulting from third parties and managing it enterprise-wide. It’s interesting to see how different levels of management within the organization have differing perspectives. For example, Chief Procurement Officers will often tell me third-party risk is being managed and is under control. Managers below them will likely say they’re not 100% sure, but they know that certain risk areas are covered. Leaders above, such as others in the C-suite and the board, are usually much less optimistic and perceive third-party risk as a serious problem that’s not being properly addressed.
Q: What are leading companies doing to manage third-party risk?
A: Many companies are on a journey, and while some are further down the path toward robust third-party risk management, there are many that have not yet arrived. The first step is often the biggest stumbling block — getting visibility into who the company is doing business with. Once companies have some visibility, they start to think about how to manage the risk associated with these third parties they’ve identified, concentrating their efforts on those that pose the highest risk. It’s more of a proportional response rather than a holistic one. A thorough approach typically includes a framework and defined process for assessing third-party risk, such as a questionnaire that goes out to third parties and a means to score potential risks based on their responses. There would be strong governance in place to define next steps once a risk is identified, including guidance not only for remediating it but also deciding if it should be accepted and how to properly manage it if it is. There would be clear ownership of third-party risk, and people in the organization with a risk management background. We see organizations who have taken many of these steps, but what typically holds them back from fully implementing them enterprise-wide are technology limitations. As a result, we see even very large global companies trying to manage this with spreadsheets. It’s not that the technology solutions don’t exist; it’s the effort and cost required to deploy them that’s holding many companies back.