Modern organizations face both operational risk and third-party risk. Operational risk refers to the risk of loss that can result from failed internal processes, people, or systems, or from external events; third-party risk refers to the chance of losses that arise from third parties in your supply chain network.
Operational risk and third-party risk can, however, fuse into a single headache – because the same third parties that support your processes, systems, and people also expose your organization to increased operational risks. These risks can have many adverse consequences for your operations, people, customers, and other stakeholders.
In this article we do a deep dive into the meaning of third-party operational risk, and consider how you can minimize and mitigate these risks with proper vendor due diligence and risk assessments.
What Is Third-party Risk Management?
Third-party risk management (TPRM) is a systematic way to identify, assess, and mitigate the risks created by third parties such as vendors, suppliers, contractors, partners, outsourcing agencies, and external service providers. These risks include:
- Cybersecurity: The risk of loss due to a cyberattack or data breach;
- Financial: The risk that a third party may cause financial losses;
- Strategic: The risk that your organization may fail to meet its strategic objectives due to a mistake by a third party;
- Reputational: The risk that a third party’s poor reputation may also damage your company’s reputation;
- Compliance: The risk that a third party’s weaknesses or mistakes affect your compliance posture, which can be a disaster if you need to comply with laws such as the GDPR or HIPAA.
Third parties can also increase the operational risks to your day-to-day business. To minimize third-party operational risk, you need a robust third-party operational risk management program. This program can be part of your Operational Risk Management (ORM) or Third-party Risk Management (TPRM) programs.
What Is Third-Party Operational Risk?
Working with third parties leaves your organization vulnerable to many operational risks. For example, a third-party vendor with inadequate cybersecurity controls can expose you to cyberattacks and data breaches. Likewise, fraud at a supplier may result in financial losses for your company, while an error in a third-party system might prevent you from completing customer transactions.
Third parties can also increase your operational risk in other ways:
- Human error that may result in incorrect data entry and lead to revenue losses;
- A design flaw in a third-party component may necessitate product recalls that impact your costs, revenues, and reputation;
- Health and safety concerns may expose your staff to a virus that increases absenteeism and harms organizational productivity;
- The failure of third-party IT systems may undercut your ability to serve customers and earn revenues;
- Third parties affected by natural disasters may disrupt your supply chain and prevent you from getting your product to market.
To mitigate the potential harm of these risks, a third-party operational risk management framework and program are vital. This program will help you govern your third-party network, and continually analyze and control the operational risks that may arise from these relationships. It will also help you streamline your vendor risk management process, including vendor assessments, selection, and onboarding/offboarding.
The Need for Vendor Risk Assessments
A vendor risk assessment (VRA), or third-party risk assessment, is a critical aspect of any third-party operational risk management program. VRAs help you to identify, assess, prioritize, and address the potential security risks associated with vendors.
For example, in 2020 attackers compromised the build environment of SolarWinds Orion, a popular IT management platform used by thousands of companies and government departments, and inserted a backdoor into signed Orion software updates. Customers who installed the trojanized updates unknowingly gave the attackers a foothold inside their own networks; reported victims included Microsoft, Intel, Deloitte, plus U.S. government agencies such as the Pentagon and the Department of Homeland Security (DHS).
This incident demonstrates how an adversary can compromise a single third-party solution and inherit the trust that every customer places in it, multiplying the scale of the attack. Unfortunately, SolarWinds wasn’t an isolated incident. By one industry estimate, the number of supply chain attacks tripled from 2020 to 2022.
The need for VRA
In the supply chain attacks reported in 2021, the adversary most often took advantage of a third-party asset, usually the supplier’s own software. Assessing the risk profiles of their third parties would not have stopped every one of those attacks (a questionnaire cannot detect a trojanized update), but it would have told the victim organizations which vendors held access to their critical systems and data, so that access could be limited in advance and the response could begin sooner once a vendor was known to be compromised.
This is why vendor risk assessments are so crucial. A VRA can help you identify the security risks associated with each vendor, and how those risks may affect your organization. You can make informed decisions about whether a potential third party is safe to onboard, and whether the possible rewards of working with that vendor outweigh the possible risks. Finally, you can determine which actions you should take to secure your existing third-party relationships.
On the other hand, a failure to conduct VRAs for each third party leaves these exposures unknown and unmanaged, which can result in financial losses, reputational damage, customer churn, compliance failures, and even legal liability.
A Step-by-step Guide to Vendor Risk Assessments
According to one 2020 industry benchmarking survey, only 52 percent of organizations factor in operational risk in their third-party risk management programs. To protect your organization from these risks, you need to conduct VRAs. Here’s a step-by-step guide to conduct VRAs for each vendor in your network:
Step 1: Create a vendor catalog
Compiling a list of all vendors can help you keep an eye on the various operational risks vendors bring to your organization. Make sure the list is always updated and supported by information such as:
- What each vendor does;
- Who in your organization manages the vendor relationship;
- If any vendors have access to business-critical assets or sensitive information.
Also determine which vendors are essential to your operations, and whether their sudden departure could cause a material disruption to operational or business continuity.
Step 2: Determine risk criteria
Earlier we explored the many operational risks that third parties can introduce to your organization. Leverage this understanding to develop risk criteria depending on the nature of your organization’s and vendor’s operations.
For example, if you are a healthcare or financial services organization, you likely prioritize data protection. So your risk criteria should drive you to assess vendors based on their data security controls.
On the other hand, if you’re a manufacturer, your operational risk may be high if your vendors are in regions prone to natural disaster, or in countries with weak anti-fraud regulations. In such cases, your risk criteria should guide your assessments of their controls in these areas.
Step 3: Send every vendor a risk assessment questionnaire
Due diligence is vital for every vendor you use or plan to use in future. It involves asking questions and assessing vendor responses to identify their level of risk, create their risk profiles, and establish a decision-making framework to reduce third-party operational risk.
Make sure the questionnaire includes questions like:
- What are your organization’s information security processes and data breach mitigation practices?
- What processes, policies, and procedures do you use for disaster recovery?
- How do you meet and verify your regulatory compliance requirements?
- Which service levels can you meet?
- Who are your references?
- How can you prove your financial solvency?
- When and how often do you inventory your IT assets, including shadow IT assets?
Step 4: Review vendor responses and evaluate risks
Evaluate the responses of each vendor and compare them to the risk criteria you identified earlier. Based on this comparison, you can identify the risks of working with them and assess the likelihood, severity, and impact of each risk. You can perform two types of risk evaluations:
- Qualitative: Score each risk by likelihood and impact and create an ordered ranking from highest to lowest;
- Quantitative: Use tools like decision tree analysis to produce an expected monetary value (EMV) of each risk, i.e., the probability of the loss event multiplied by the loss it would cause.
Together these evaluations give a full picture of the potential risk that may arise from each vendor relationship. You can then decide whether to onboard that vendor, onboard it with compensating controls, or decline.
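The following is an added example, not part of the original article, showing Steps 1 through 4 as a small scoring pipeline: a vendor catalog, weighted risk criteria, scored questionnaire answers, a qualitative ranking, and a decision-tree EMV comparison. The vendor names, criteria weights, questionnaire scores, probabilities and loss figures are all constructed for illustration; the 1.5x weighting for vendors with critical access and the rule that an unanswered question counts as the weakest control are design assumptions, not anything the article prescribes.

```python
"""Vendor risk assessment, Steps 1-4, as a small scoring pipeline.

Added example, not from the original article. All vendor names, criteria
weights, questionnaire scores, probabilities and loss figures are constructed
for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:                      # Step 1: one catalog entry per vendor
    name: str
    service: str
    owner: str                     # who in your organization manages the relationship
    critical_access: bool          # touches business-critical assets or sensitive data


@dataclass(frozen=True)
class RiskScenario:                # one loss branch of a decision tree
    description: str
    probability: float             # annual likelihood, 0.0 .. 1.0
    loss: float                    # monetary impact if the branch occurs


# Step 2: risk criteria, weighted for a data-protection-heavy organization
# (assumed weights; they must sum to 1.0).
CRITERIA = {
    "data_security": 0.4,
    "disaster_recovery": 0.3,
    "compliance": 0.2,
    "solvency": 0.1,
}

# Step 1: constructed vendor catalog.
VENDORS = [
    Vendor("Acme Payroll", "payroll processing", "HR ops", critical_access=True),
    Vendor("Northwind Logistics", "freight", "Supply chain", critical_access=False),
    Vendor("Contoso Analytics", "BI reporting", "Finance", critical_access=True),
]

# Step 3: questionnaire answers scored 1 (weak control) .. 5 (strong control).
# Northwind left "solvency" unanswered; qualitative_score treats that as a 1.
RESPONSES = {
    "Acme Payroll": {"data_security": 2, "disaster_recovery": 3, "compliance": 4, "solvency": 5},
    "Northwind Logistics": {"data_security": 4, "disaster_recovery": 2, "compliance": 3},
    "Contoso Analytics": {"data_security": 5, "disaster_recovery": 4, "compliance": 5, "solvency": 4},
}


def qualitative_score(vendor, responses, criteria=CRITERIA):
    """Step 4 (qualitative): weighted control gap, 0.0 (strong) .. 4.0 (weak).

    An unanswered question is scored as the weakest control (1): a vendor that
    cannot answer gets no benefit of the doubt. Vendors with access to critical
    assets are weighted 1.5x so inherent exposure is not lost in the ranking.
    """
    answers = responses.get(vendor.name, {})
    gap = sum(weight * (5 - answers.get(criterion, 1))
              for criterion, weight in criteria.items())
    if vendor.critical_access:
        gap *= 1.5
    return round(gap, 2)


def rank_vendors(vendors=VENDORS, responses=RESPONSES):
    """Ordered ranking, highest risk first: [(name, score), ...]."""
    scored = [(v.name, qualitative_score(v, responses)) for v in vendors]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def expected_monetary_value(scenarios):
    """EMV of a set of loss branches: sum(probability * loss)."""
    return round(sum(s.probability * s.loss for s in scenarios), 2)


def decision_tree(options):
    """Step 4 (quantitative): expected value of each decision branch.

    options maps a decision label to (annual payoff, [RiskScenario, ...]).
    Returns {label: payoff - EMV(losses)}; the best decision maximises it.
    """
    return {label: round(payoff - expected_monetary_value(scenarios), 2)
            for label, (payoff, scenarios) in options.items()}


def best_decision(options):
    values = decision_tree(options)
    return max(values, key=values.get)


# Constructed decision: onboard Acme Payroll, or keep payroll in house.
PAYROLL_DECISION = {
    "onboard Acme Payroll": (200_000.0, [
        RiskScenario("breach of payroll data", 0.10, 500_000.0),
        RiskScenario("vendor outage blocks a pay run", 0.25, 80_000.0),
        RiskScenario("vendor insolvency, forced migration", 0.02, 150_000.0),
    ]),
    "keep payroll in house": (60_000.0, [
        RiskScenario("internal system outage", 0.10, 80_000.0),
    ]),
}

if __name__ == "__main__":
    for name, score in rank_vendors():
        print(f"{score:4.2f}  {name}")
    for label, value in decision_tree(PAYROLL_DECISION).items():
        print(f"{value:>12,.2f}  {label}")
    print("best:", best_decision(PAYROLL_DECISION))
```

Note that Acme Payroll ranks highest on the qualitative side (weak data security controls combined with access to sensitive data) while the quantitative branch still favours onboarding it, because the expected loss is well below the payoff. That tension is the point of doing both evaluations: the qualitative ranking tells you which vendor needs compensating controls and closer monitoring, and the EMV tells you whether the relationship is worth having at all.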
Step 5: Automate vendor risk management
The right vendor risk management software can streamline your third-party operational risk management program. Do your research and choose a software tool that includes features to capture real-time risk management metrics, automate vendor risk management, and reduce the need for costly, error-prone human interventions.
Step 6: Continuously monitor every vendor
Ongoing monitoring of vendors can reduce your exposure to third-party operational risks. Combining VRA and due diligence processes with continuous monitoring will allow you to identify and mitigate third-party operational risks before they can cause material damage to your organization or customers.
Simplify Vendor Risk Management with Reciprocity ZenRisk
Managing third-party risk can become exceedingly complex as your vendor ecosystem expands, especially if you rely on manual processes and spreadsheet-based risk management tools. Reduce complexity and minimize uncertainties with Reciprocity ZenRisk.
ZenRisk is an integrated risk management platform to help you identify, assess, and address many third-party operational risks. Get enhanced visibility to understand the impact of each vendor relationship and make informed decisions to minimize the risks of these relationships and maximize the rewards.
To know how ZenRisk can help you stay ahead of third-party operational risks, schedule a demo.