Most business leaders can probably agree that their organizations need third-party vendors to maintain or improve their operations. In your organization, you might have a few customer-facing third parties that provide products or services on your behalf, as well as other third-party vendors that serve back-office functions, like software solutions or IT support.
All these third-party vendors provide value, but they also expose your organization to different types of third-party risk that need to be managed. If categories like compliance, reputation, and cybersecurity risk feel abstract, it helps to review concrete examples of third-party risks that could affect your organization.
6 Examples of Third-Party Risks
Below are six third-party risks to be aware of and examples of each:
- Compliance risk: This risk appears when a third party fails to comply with the laws and regulations that govern the products and services your organization provides to customers.
Example of third-party compliance risk: Your organization uses a third party to provide loan services. The third party ran a marketing campaign that advertised lower interest rates on future loans for consumers who repaid on time. Thousands of customers then filed complaints stating they were denied the lower rate despite a history of on-time payments. The vendor's conduct violates federal consumer financial protection law and exposes it to regulatory penalties from the CFPB. Even though the third party committed the violation, regulators hold your organization accountable for the conduct of vendors acting on its behalf, so you can still be held liable for fines, restitution, and remediation costs. That is compliance risk.
- Strategic risk: The third party presents a strategic risk when its actions or decisions don't align with your own organization's objectives.
Example of third-party strategic risk: After creating a new product, your organization needs a third party that specializes in its delivery or distribution. As you perform due diligence on a shortlist of third-party vendors, you discover that they all use the same type of technology to automate a particular function; two of them, however, run outdated versions with a history of issues. Selecting a third party that depends on aging technology would present strategic risk to your organization.
- Operational risk: A third party can present internal and/or external operational risks that prevent it from conducting business as usual and, in turn, interrupt your organization's normal operations. Internal risk relates to the third party's own ineffective or failed processes, people, controls, or systems. External risk is caused by outside events like natural disasters, cyberattacks, or acts of terrorism, which are beyond the third party's control.
Example of third-party operational risk: Your organization relies on a third party to provide virtual customer service. Your customers regularly use this chat feature outside of your regular working hours, so it's essential that this vendor remains operational. However, this third party is located in an area known for recurring natural disasters like hurricanes, flooding, or wildfires. Although it has business continuity and disaster recovery (BC/DR) plans, it hasn't tested them in over a year, so it may be unaware of new risks or issues that would make those plans ineffective. As hurricane season approaches, your organization faces operational risk because of your third party's untested BC/DR plans. The practical check is to request the date, scope, and results of the vendor's most recent BC/DR test, not just a copy of the plan.
- Cyber or information security risk: Cyber and physical security risks both fall under the umbrella of information security risk. Cyber risk is present whenever your third-party vendor accesses, transmits, or stores your organization's sensitive data or has access to your privileged networks or facilities. A third party's vulnerabilities can put your organization's data at risk of events like cyberattacks and breaches. These vulnerabilities can be anything from an unsecured server configuration to weak policies for on-site visitors.
Example of third-party information security risk: A third-party vendor is used to manage your customers' passwords. The third party shifted to a hybrid work model over the past few years. During an ongoing due diligence review, you discover that its information security policy makes no mention of virtual private networks (VPNs) or multi-factor authentication (MFA) for remote access. As a result, your organization is exposed to information security risk and potential data breaches that could affect your customers. The gap in the written policy is the trigger for follow-up: ask for evidence that remote access is actually enforced through MFA (for example, the relevant control testing in the vendor's SOC 2 report or a configuration screenshot), rather than accepting a policy document alone.
- Financial and credit risk: A third party's financial health can significantly affect its ability to retain qualified staff, invest in an effective cybersecurity program, and consistently provide quality products and services to your organization. Financial and credit risk is often the result when a vendor doesn't have sufficient investor funding, cash, or credit.
Example of third-party financial and credit risk: When performing due diligence on a potential new third party, your organization reviews its financial records and discovers that it has no available credit and less than six months' worth of operating cash. An unstable or unhealthy financial profile may indicate that the third party cannot provide products and services to your organization's expectations and may go out of business during the contract term.
- Reputation risk: Third parties can damage your organization's reputation in many ways: poor service, lawsuits, data breaches, or even misrepresenting their relationship with you. Your customers won't differentiate between your organization and a third party, so managing this risk is essential to protecting your reputation.
Example of third-party reputation risk: Imagine that your vendor is responsible for mailing medical bills to your customers. These bills are covered by HIPAA because they contain protected health information (PHI), such as diagnoses and medical procedures. The vendor recently experienced a printing error and sent dozens of bills to the customers' next of kin. Understandably, your customers are upset; they have sued your organization over the disclosure and filed complaints with the HHS Office for Civil Rights, which enforces HIPAA's prohibition on disclosing patients' health information without authorization. As a result, your reputation is severely damaged because of your third party's actions.
Note: You may notice that some of these third-party risk examples have overlapping risks, such as reputation and compliance, or financial and operational. An effective third-party risk management program should address all the risks that are present within a third-party vendor’s products and services.
3 Best Practices to Manage Third-Party Risk
Now that you have a better understanding of third-party risk examples, let's review three best practices for managing third-party risk:
- Perform risk-based due diligence: After determining the third-party vendor's inherent risk and criticality, you can proceed with collecting and reviewing due diligence. For critical or high-risk third parties, you'll want to review additional documentation such as BC/DR plans. Due diligence is not a one-time activity done only before you sign the contract; it should also be repeated on a predictable schedule throughout the third-party relationship.
- Schedule ongoing monitoring: Third parties need to be monitored for risk and performance throughout the relationship, not just at the beginning. Regular performance reviews, risk assessments, document collection, and monitoring will help your organization stay on top of existing risks and identify new or emerging risks.
- Report to the board of directors and senior management: Regulatory guidance for financial institutions (for example, the 2023 Interagency Guidance on Third-Party Relationships: Risk Management from the OCC, Federal Reserve, and FDIC) expects the board and senior management to oversee vendor risk management. Keeping them informed of third-party risk management activities and issues prepares them to set the "tone from the top" and establish clear goals for your organization.
Third parties often provide significant value by delivering additional products and services or supplementing the capabilities of an organization. They can also present many risks that need to be appropriately managed. Identifying and managing these third-party risks will help your organization create and sustain valuable third-party relationships.