Meeting the challenges of third-party risk management

Organisations are increasingly relying on third parties to achieve their strategies and objectives. As these relationships become an even more integral part of how organisations conduct business, it’s essential that businesses understand – and properly manage – the risks that come along with third parties.

After all, when an organisation cannot deliver on its commitments to customers or employees, those customers and employees will not care that a third party is to blame. If a third party causes the organisation to miss a deadline, fall short of expectations or quality specifications, suffer a data breach, or otherwise drop the ball, the organisation itself will be held responsible and accountable. The third party’s reputation and business may suffer; the organisation’s certainly will. For example, the public is more likely to fault a car manufacturer for the recall of millions of vehicles over air bag defects than the manufacturer of the defective air bags.

Understanding third parties and their risks

Third-party relationships form a vast network across every organisation, including:

  • suppliers (raw materials, production inputs, other goods, equipment vendors, contract manufacturers)
  • demand-side partners (distributors, advertising firms, sales representatives, social media providers, product resellers)
  • service providers (transportation and logistics, business services, IT services, customer-facing vendors)
  • other relationships (partnerships, agents, regulatory agencies, joint ventures, foreign-based providers).

Whilst many organisations effectively monitor the performance of their materials suppliers (quality, timeliness, defect rates etc.), other third parties are rarely subjected to the same level of scrutiny. This lack of oversight leaves organisations exposed to significant risk of business disruption, data leaks and regulatory non-compliance.

Data breaches are now among the most publicised and concerning risks associated with third parties. Yet how many of us fully understand what our distributors, sales agents, IT providers or cloud service providers are doing with our sensitive sales, customer or employee information, or what their IT security and data privacy procedures are?

Other third-party issues we commonly see include logistics suppliers incorrectly completing import/export documents, distributors and resellers having arrangements with competitors, and contractors who have access to sensitive corporate data but no confidentiality agreement in place.

Crowe Horwath has developed a framework for managing third-party relationships, depicted below, which covers the initial assessment, evaluation and ongoing management of third parties used across an organisation.

©2015 Crowe Horwath LLP

If you would like more advice on effectively managing your third-party service providers or have concerns over the third-party arrangements in place at your organisation, please contact Martyn Solomon, Senior Internal Audit Manager or your local Crowe Horwath advisor.