Fundamentals of Risk: Third-Party Risk

Overview
This research provides a foundation on the latest trends affecting third-party risk
management. Risk management leaders can share the material with risk owners and
leadership to increase awareness of third-party risk and next steps for how their
organizations can manage it.

Key Findings

This research covers four areas:

■ The importance of managing third-party risk.
■ The current third-party risk landscape.
■ Third-party risk governance and top regulations.
■ How enterprise risk management (ERM) can approach third-party risk management.

The Importance of Managing Third-Party Risk

Third-party risk is any risk due to the use of external parties to assist or wholly perform
activities necessary to the operations and strategy of the business. Common third
parties include consultants, contractors, agents, vendors, suppliers, distributors and
joint partnerships. Third parties encompass a wide scope of relationships (see Table 1).

© 2019 Gartner, Inc. and/or its affiliates. All Rights Reserved. 1


201652549
Table 1: The Scope of Third Parties

Category        Examples
Vendors         IT service vendors, on-demand service providers, maintenance, off-shore service providers, etc.
Agents          International intermediaries, domestic agencies, local advertisers/marketers, etc.
Contractors     Temporary employees, subcontractors, etc.
Consultants     Auditors, lobbyists, management consultants, etc.
Suppliers       Branded and white-branded material suppliers, manufacturers, etc.
Distributors    Dealers, resellers, foreign and domestic distribution firms, etc.
Joint Ventures  Business partnerships, international joint ventures, franchisees, etc.

Source: Gartner

Third-Party Risk in Numbers

Companies are increasingly dependent on vast networks of third parties. The median
large enterprise contracts with 3,000 third parties. In a 2018 survey of senior
leaders, 53% of respondents report increased dependence on third parties.[1] Yet,
companies are in a poor position to manage these third parties. Only 28% of
organizations continuously monitor third parties throughout engagement cycles. And
extended enterprise risk management, an approach that predicts and manages the
risk associated with an extended enterprise composed of the company and third
parties, has only been integrated by 20% of the companies according to a global
Deloitte survey.[1]

Third-party risk can have severe consequences. Quality incidents cost 5.1% more
when caused by a third party. The cost to resolve data breaches increases by around
$700,000 when a third party is involved. Large enterprise organizations lost up to $1.6
million for incidents affecting infrastructure hosted by third parties.[2]

While these consequences are severe, good risk management can help. Eighty-seven
percent of organizations with advanced third-party management practices report no
issues with compliance with laws and regulations, compared to 29% of organizations
with reactive third-party risk management practices.[2]

Key Magnifier: The Increasingly Extended Enterprise
One of the key magnifiers of third-party risk is an extended third-party network
across the enterprise (see Figure 1). Companies are increasingly using third parties
for a variety of purposes to help drive business performance and gain competitive
advantage. The sheer volume of third parties makes it difficult to monitor the level of
risk exposure they pose to the organization.

Figure 1: Typical Large Enterprise Third-Party Network

Organizations operate in a complex ecosystem of third parties that they depend on
to drive business performance. Perfect monitoring of all third parties is impossible
with limited resources. Determining how to prioritize risk-monitoring efforts for these
numerous third parties is the primary challenge.

Key Magnifiers: Low-Value, High-Risk Third Parties
Most companies prioritize their monitoring and due diligence activities for third parties
with the highest contract value (see Figure 2). However, there are often low-contract-value
third parties that pose a disproportionate amount of risk to the firm and are
overlooked because of this approach.

Figure 2: Range of Third Parties by Contract Value

Creating risk-based assessments of third parties can help screen and prioritize which
third parties should receive enhanced monitoring and due diligence.
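The screening the report recommends can be expressed as a small scoring model. The following is an added illustration, not Gartner's code or a method taken from any of the case studies: it scores each third party on inherent-risk factors that are independent of contract value (data sensitivity, operational criticality, regulatory exposure, network access, use of subcontractors), assigns a monitoring tier, and then lists the third parties that land in the enhanced tier yet would be missed by a "top N by contract value" rule. The factor weights, tier thresholds and the six sample third parties are all constructed assumptions chosen to make the contrast visible; a real programme would calibrate them to its own risk appetite.

```python
"""Risk-based screening of third parties, independent of contract value.

Added example (not from the original report). Weights, thresholds and the
sample records are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ThirdParty:
    name: str
    contract_value_usd: int
    data_sensitivity: int          # 0 = none ... 3 = regulated personal or financial data
    operational_criticality: int   # 0 = none ... 3 = an outage halts a core process
    regulatory_exposure: int       # 0 = none ... 3 = acts for the firm with officials or customers
    network_access: int            # 0 = none ... 3 = privileged access to internal systems
    subcontracts: bool             # relies on its own third parties (fourth parties)


# Assumed weights: how much each inherent-risk factor counts for this fictional firm.
WEIGHTS = {
    "data_sensitivity": 3,
    "regulatory_exposure": 3,
    "operational_criticality": 2,
    "network_access": 2,
}
SUBCONTRACT_PENALTY = 2     # assumed: fourth-party use reduces visibility
ENHANCED_THRESHOLD = 16     # assumed tier cut-offs (max possible score is 32)
STANDARD_THRESHOLD = 8


def inherent_risk_score(tp: ThirdParty) -> int:
    """Weighted sum of the 0-3 factor ratings plus a flat penalty for subcontracting."""
    score = sum(weight * getattr(tp, factor) for factor, weight in WEIGHTS.items())
    if tp.subcontracts:
        score += SUBCONTRACT_PENALTY
    return score


def risk_tier(score: int) -> str:
    """Map a score to the level of due diligence and monitoring it should receive."""
    if score >= ENHANCED_THRESHOLD:
        return "enhanced"
    if score >= STANDARD_THRESHOLD:
        return "standard"
    return "basic"


def top_by_contract_value(parties: Iterable[ThirdParty], top_n: int) -> List[str]:
    """The conventional rule: names of the top_n third parties by spend."""
    ranked = sorted(parties, key=lambda tp: tp.contract_value_usd, reverse=True)
    return [tp.name for tp in ranked[:top_n]]


def enhanced_tier(parties: Iterable[ThirdParty]) -> List[str]:
    """Names of enhanced-tier third parties, highest risk score first."""
    ranked = sorted(parties, key=inherent_risk_score, reverse=True)
    return [tp.name for tp in ranked if risk_tier(inherent_risk_score(tp)) == "enhanced"]


def overlooked_high_risk(parties: Iterable[ThirdParty], top_n: int) -> List[str]:
    """Enhanced-tier third parties that a top_n-by-contract-value rule would not cover."""
    parties = list(parties)
    covered = set(top_by_contract_value(parties, top_n))
    return [name for name in enhanced_tier(parties) if name not in covered]


# Constructed sample third parties (fictional names and values).
SAMPLE_PARTIES = [
    ThirdParty("Cloud hosting provider", 5_000_000, 2, 3, 1, 3, True),
    ThirdParty("Office furniture supplier", 3_000_000, 0, 0, 0, 0, False),
    ThirdParty("Payroll SaaS", 2_000_000, 3, 3, 2, 2, False),
    ThirdParty("HVAC maintenance contractor", 120_000, 0, 2, 0, 3, False),
    ThirdParty("Marketing data broker", 80_000, 3, 0, 2, 1, True),
    ThirdParty("Overseas sales agent", 40_000, 1, 1, 3, 0, True),
]


if __name__ == "__main__":
    for tp in SAMPLE_PARTIES:
        score = inherent_risk_score(tp)
        print(f"{tp.name:30} ${tp.contract_value_usd:>10,}  score={score:2}  tier={risk_tier(score)}")
    print("Covered by top-3 contract value:", top_by_contract_value(SAMPLE_PARTIES, 3))
    print("Enhanced tier but not covered:  ", overlooked_high_risk(SAMPLE_PARTIES, 3))
```

Run as written, the contract-value rule covers the hosting provider, the furniture supplier and the payroll service, while the data broker and the overseas agent, both in the enhanced tier on inherent risk, fall outside it; the furniture supplier, despite its spend, scores zero. The point of the design is that the score never reads the contract value, so spend can inform how much effort a review costs but not whether one is warranted.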

The Third-Party Threat Landscape

Third-party incidents are prevalent in the news today and have a major impact on a
company’s reputation. Organizations from all industries are subject to the threat of
third-party risk, and serious financial and other costs can result when it is not
managed properly.

There are several current examples of companies facing consequences due to the
actions (or inaction) of third parties:

■ Equifax
■ Uber
■ Southwest
■ Wells Fargo
■ General Cable
■ Facebook

Causes and Effects of Third-Party Risk

Some of the common causes of third-party risk management failures include
infrequent monitoring, unclear risk ownership, noncompliant engagement and poor
visibility into a third-party network. Figure 3 shows examples of each cause. These
threats can impact your organization on an operational, financial, reputational and
strategic level.

Figure 3: Common Causes and Effects of Third-Party Risk

Pitfall: Risk Management Involved Too Late
Another common pitfall of third-party risk management is getting involved too late in
the process. Third-party risk management activities are often incorporated too late to
influence the decision to engage with a third party. Earlier involvement can help guide
this selection process and reduce risk exposure from the outset (see Figure 4).

Figure 4: Ability to Control Third-Party Risk Along the Engagement Process Timeline

The ability to control third-party risk is highest early in the process, when the
company still has many options and can evaluate the variability in risk among them.

Pitfall: Burdensome Controls and Requirements

Increased third-party risk management does not always entail risk reduction.
Increasing third-party controls and requirements improves risk reduction to a certain
point, but the addition of more controls and requirements leads to process avoidance,
outweighing marginal gains to risk reduction. Overly complex and burdensome
processes result in unclear ownership and coordination of third-party information
between stakeholders, therefore encouraging process avoidance. A streamlined risk
oversight process with clear governance structures will foster process adherence and
effective management.

Third-Party Risk Governance and Regulations

Third-Party Risk Management Ownership

Typically, ERM is not directly responsible for third-party risk management activities.
Instead, ERM partners with other functions to provide support and assistance (see
Figure 5).

Figure 5: Business Function Participation in Third-Party Risk Management

Even though ERM doesn’t typically own third-party risk management, there are many
avenues through which ERM can support third-party risk management (see Figure 6).

Figure 6: ERM’s Role in Supporting Third-Party Risk Management

Regulations Relevant to Third-Party Risk Management

Regulations relating to the usage of third parties are becoming a priority for
governments worldwide. The liability of the original company for the misconduct of
their third parties is a predominant theme among these pieces of legislation, sparked
largely by the global financial crisis of 2008.

An overview of regulations affecting third-party risk management standards:[3]

■ U.S.: OCC 2013-29 Bulletin — Defines a third-party relationship as any business
arrangement between a bank and another entity by contract or otherwise. Key to
this bulletin is the phrasing that a bank’s use of a third party does not diminish
the responsibility of its board of directors to ensure activities are conducted in
compliance with applicable laws.
■ U.S.: Foreign Corrupt Practices Act 1977 — Contains two key components: (1)
requiring organizations to establish transparent accounting principles and (2)
providing explicit regulations to prohibit bribery of foreign officials to assist in
securing or retaining business. Often cited in cases involving third parties due to
a failure to establish controls to monitor this activity in third parties.
■ U.S.: Dodd-Frank Wall Street Reform and Consumer Protection Act 2010 — Holds
banks accountable for any third-party misconduct that occurs during a transaction
between the financial institution and customer. Pressures banks to evaluate third-
party risk profiles and maintain evidence of risk management. In 2018, the Trump
administration rolled back regulations on all banks but those with more than $250
billion in assets.
■ EU: General Data Protection Regulation 2018 — The EU’s most comprehensive
legislation affecting organizations’ use of customer data. Crucially, organizations
are responsible for many of the key elements of the regulation, such as data
portability and breach notification timing, for their organization as well as third
parties.
■ Australia: Australian Prudential Regulation Authority Act 1998 — Outlines the
regulatory objectives of the Australian Prudential Regulatory Authority. Ensures
all outsourcing arrangements involving material business activities are subject to
appropriate due diligence, approval and ongoing monitoring.

Approaches to Manage Third-Party Risk

ERM has the opportunity to assist third-party risk management in a few different ways,
illustrated by the examples below from Jarden, ExxonMobil, Johnson Controls and M&T
Bank.

Case in Point: Focus Business’s Attention on Risk (Jarden)

Jarden created a third-party risk poll, asking business partners about their third-
party risk management processes. The company aggregates these results to enable
fresh thought on risk management methods and activities. Read the full case study.

Case in Point: Assess Third Parties Based on Risk (ExxonMobil)

ExxonMobil created a risk-based selection tool, taking into account both qualitative
and quantitative measures not typically reviewed during the standard third-party
engagement process. Read the full case study.

Case in Point: Incorporate Risk Management Early (Johnson Controls)

Johnson Controls provides strategic decision support by involving risk management
early in the third-party engagement process and challenging assumptions for the
engagement’s business case. Read the full case study.

Case in Point: Automate Third-Party Monitoring (M&T Bank)

M&T Bank created a web application that streamlines due diligence by automating
survey administration, risk scoring and corrective action planning, thus providing a
cost-effective approach to risk management. Read the full case study.

Conclusion
Risk managers should be aware of the importance of managing third-party risk and
the current landscape in which it exists. Risk managers tasked with third-party risk
projects should assess third parties based on risk and incorporate risk management
early in the process.

About This Research

This research draws from publicly available external research on third-party risk
management and the State of the ERM Function Survey, conducted with over 150
heads of ERM.

Endnotes
[1] Deloitte 2018 Third Party Governance and Risk Management: Focusing on the Climb
Ahead

[2] Navex Global 2017 Ethics and Compliance Third Party Risk Management
Benchmark Report

[3] General Data Protection Regulation (GDPR) requirements: deadlines and facts,
CSO.online 2018; United States Office of the Comptroller of the Currency, H.R. 4173
Congress.gov. Note: This analysis uses publicly available information.
