How to manage third-party risk

Jim Stempak, principal, Crowe Horwath LLP

Failure to assess and plan for risks associated with third parties can be costly. Of the more than 250 executives surveyed by CFO Research Services, 75 percent were harmed by action or inaction of a third party, resulting in financial loss, supply chain issues and data breaches.
“Companies initially think about risks with high-cost providers. But they may have a $10,000 contract with a small marketing or advertising firm that fails to adequately protect their customer information. Their servers get hacked and experience a breach that in turn raises concerns with their customers and brings reputational and financial risk and penalties,” says Jim Stempak, principal at Crowe Horwath LLP.
Smart Business spoke with Stempak about assessing third-party risk and solutions to limit exposure.
What poses third-party management risks?
Relationships that drive the most risks are:

  • Service providers — processing, accounting, computer services, IT, service centers, advertising and marketing, leasing, legal and collections.
  • Supply-side partners — production outsourcing, research and development, material supplies and vendors, and software development providers.
  • Demand-side partners — customers, distributors, franchises and original-equipment manufacturers.
  • Other relationships — alliances, consortiums, joint ventures and investments.

The Japanese tsunami and Hurricane Sandy illustrated this. If something happens to a single-sourced company, what’s the impact on suppliers or business partners?
What are some gaps that expose risk?
A ChainLink Research study found that 70 percent of organizations reported no resilience and risk mitigation standards for service providers. It also noted that risk assessment often focuses on the easiest risks to quantify, such as financial viability and business continuity plans.
With supply-side partners, vendor risk assessments are hampered by a lack of good data and poor visibility into contractor use.
How often should companies conduct risk assessments of third parties?
Risk assessments should be done at least annually for all vendor relationships that are high risk. Those with moderate or low risk can be done on a rotational basis.
In determining high-risk relationships, consider the financial risk penalty if a supplier has a breach. Another risk is reputational, such as a third party compromising private health information found in hospital records. Other high-risk areas are protection of systems and data, and reliability or continuity of operations. Are there contingency plans if a vendor faces a natural disaster or labor strike?
Many organizations don’t address risk management of third-party relationships until a problem arises. Before that happens, establish ownership for the organization’s third-party risk management framework, and responsibility for review and monitoring of individual relationships.
What other solutions address these risks?
First, establish ownership and buy-in, which requires executive leadership and oversight, with clear goals and objectives. Strengthen the overall relationship with the third party. Then evaluate risks by developing a risk profile of the organization that covers financial, integrity and operational issues. This spurs initiatives to audit, inspect, benchmark performance and costs, verify, and gain assurance or attestation.
A third-party risk management program should have:

  • Risk measurement and monitoring.
  • Performance measurement and monitoring.
  • Incident tracking.
  • Evaluation of the value received from the relationship.

This information guides decisions about when and whether to renegotiate an agreement. Success depends on customizing the assessment to the relationship, using automation to streamline the process, and analyzing trends of incidents.
In the CFO Research Services study, less than half of companies had a formal process for assessing and managing third-party risks, and 97 percent said at least one aspect of their third-party risk management should be improved. Businesses do their due diligence when entering contracts but tend to take their eyes off of it once a contract is signed.
Jim Stempak is a principal at Crowe Horwath LLP. Reach him at (214) 777-5203 or [email protected].
Insights Accounting is brought to you by Crowe Horwath LLP