Third Party Risk Management – Why is it required

Companies having a global presence would often be doing business with various third-parties to offer the end product or service. Choosing a wrong third-party could cause very serious finance and reputation loss for your firm.

Third Party – Suppliers / Distributors, Brokers, Partners, Vendors, Customers

Companies should better understand third-parties who are involved in or conduct business on their behalf. To ensure this, and to ensure you choose the right third-party by all means, a well-planned framework for Third Party Risk Management (TPRM) should be established within the organization.

An example of information / background checks you shall do while — hiring a maid or a security guard for home / small office, with whom you would entrusting safety of your home & home assets

As per ISACA

Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties other than your own company.

In TPRM, the aim is to lay down a strong process to monitor and manage third party risk that might affect the firms reputation, assets or financials.

Potential Loss trigger points

–: Parent company reputation

Third Party risks can originate from your vendors / suppliers or the firms you trust with outsourcing a specific process. It has been a common practice that most companies decide to outsource their non-core processes to reduce cost. Even-though it reduces cost overhead, it adds to the risk, the risks of third-party now adds to your list of risks. However when the risk materialize, the parent company’s reputation is on the table. So its important the the company has process to monitor and manage potential risk from all these parties outside the firm.

As with the example of famous data breach of HVAC through systems of third party vendor FAZO. No one remembers FAZO or blames them for the data theft, its HVAC that lost its reputation, landed in legal hazzles, loss of CIO/CFO jobs, financial loss.

–:Theft of Intellectual Property

Protection of high valued research work or other confidential assets is really important when you have to authorize third party access to company systems. The loss of intellectual property accounts more to loss in business than immediate numbers in financials.

–: Confidential Data Theft

Protected Health Information (PHI)
Personally Identifiable Information (PII)

The famous data breach of HVAC, the malware got access to HVAC network via third party vendor (Fazio) systems, through one of the online vendor portals. Unconfirmed figures are:

40,000,000 – Number of credit and debit numbers stolen
70,000,000 – Number of non-credit-card PII records stolen
$54,000,000 – Estimated amount generated from sale of cards stolen
0 – Number of CIOs and CEOs who kept their jobs

–: Legal & Regulatory Actions

Ensuring compliance from third party in a changing legal & regulatory environment might be tough without a streamlined process for Risk Management. Any non-compliance cases from either side would result in legal disputes leading to financial loss in settling fines and penalties.

Peer Collaboration to effectively Manage Third Party Risks
Risk Treatment Methods
Risk, Threat and Vulnerability
Leveraging Third Party Risk Assessment
Dealing the Risk with Smart Things
Resilience over Business Continuity

Resilience Blog