Third-Party Risk
Overview
This research provides a foundation on the latest trends affecting third-party risk
management. Risk management leaders can share the material with risk owners and
leadership to increase awareness of third-party risk and next steps for how their
organizations can manage it.
Key Findings
Category | Examples
Vendors | IT service vendors, on-demand service providers, maintenance, off-shore service providers, etc.
Agents | International intermediaries, domestic agencies, local advertisers/marketers, etc.
Contractors | Temporary employees, subcontractors, etc.
Consultants | Auditors, lobbyists, management consultants, etc.
Suppliers | Branded and white branded material suppliers, manufacturers, etc.
Distributors | Dealers, resellers, foreign and domestic distribution firms, etc.
Joint Ventures | Business partnerships, international joint ventures, franchisees, etc.
Source: Gartner
Third-party risk can have severe consequences. Quality incidents cost 5.1% more
when caused by a third party. The cost to resolve data breaches increases by around
$700,000 when a third party is involved. Large enterprise organizations lost up to $1.6
million for incidents affecting infrastructure hosted by third parties.[2]
While these consequences are severe, good risk management can help. Eighty-seven
percent of organizations with advanced third-party management practices report no
issues with compliance with laws and regulations, compared to 29% of organizations
with reactive third-party risk management practices.[2]
Creating risk-based assessments of third parties can help screen and prioritize which
third parties should receive enhanced monitoring and due diligence.
■ Equifax
■ Uber
■ Southwest
■ Wells Fargo
■ General Cable
■ Facebook
Figure 4: Ability to Control Third-Party Risk Along the Engagement Process Timeline
The ability to control third-party risk is the highest when the company has many
options and evaluates risk variability at this stage in the process.
Jarden created a third-party risk poll, asking business partners about their third-
party risk management processes. The company aggregates these results to enable
fresh thought on risk management methods and activities. Read the full case study.
ExxonMobil created a risk-based selection tool, taking into account both qualitative
and quantitative measures not typically reviewed during the standard third-party
engagement process. Read the full case study.
M&T Bank created a web application that streamlines due diligence by automating
survey administration, risk scoring and corrective action planning, thus providing a
cost-effective approach to risk management. Read the full case study.
Conclusion
Risk managers should be aware of the importance of managing third-party risk and
the current landscape in which it exists. Risk managers tasked with third-party risk
projects should assess third parties based on risk and incorporate risk management
early in the process.
[2] Navex Global 2017 Ethics and Compliance Third Party Risk Management
Benchmark Report
[3] General Data Protection Regulation (GDPR) requirements: deadlines and facts,
CSO.online 2018; United States Office of the Comptroller of the Currency, H.R. 4173
Congress.gov. Note: This analysis uses publicly available information.