How to Spot Your Riskiest Vendors: Managing Inherent Risk in Third-Party Risk Programs

Maintaining strong relationships with third parties is critical to business success. Yet all too often, a third party ends up being the weakest link across a variety of risk areas.

Every business relationship comes with a certain degree of inherent risk. The amount of risk varies depending on the type of service and the service risk criteria that come with it. For example, outsourcing a critical financial operation, which involves granting access to payment information, carries a much greater inherent risk than outsourcing social media marketing, which typically shouldn’t involve highly confidential information.

Sometimes, even an apparently innocuous vendor relationship can introduce a far higher level of risk than it should. In one case a couple of years ago, a hacker gained access to a database belonging to a Las Vegas casino via an internet-connected thermometer in a fish tank. A few years earlier, US retail giant Target was hacked via an HVAC system in what, at the time, was one of the largest data breaches ever.

But it’s not just information that is at risk – it’s reputation and business continuity as well.

More than ever, customers and key stakeholders are wary about who they do business with. People are demanding a higher degree of corporate accountability and responsibility, and they’re less likely to buy from an organization which has a poor track record in environmental sustainability or the social wellbeing of those it outsources work to.

Business continuity may also be placed at risk by outsourcing a mission-critical operation to a third party. Many businesses suffered severe disruption when Amazon Web Services, one of the world’s largest cloud-computing infrastructures, went down for a few hours in 2017.

These are just some of the many risk domains which can become apparent when onboarding new vendors.

How to Calculate and Score Inherent Risk Across Your Vendor Ecosystem

While a higher level of inherent risk shouldn’t necessarily preclude new vendor relationships, it does determine the scope of due diligence that procurement and risk management teams need to conduct when evaluating potential suppliers. Onboarding a low-risk supplier, for example, should be far quicker and easier than onboarding one which presents a critical inherent risk.

There’s more to quantifying risk across increasingly large supply chains than just asking a few questions. To overcome the challenges of complexity and scalability, enterprises are moving towards a more unified and consistent process which eliminates subjectivity and human error. To do that, they often start with a set of internal yes/no questions in which affirmative answers add a pre-defined number of points to a risk score. Risk scores are then categorized, typically from low to critical, thus determining the level of screening necessary before signing a contract with a new vendor.
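The scoring process described above, as an added example that is not part of the original article: a weighted yes/no questionnaire where each affirmative answer adds a pre-defined number of points, the total maps to a tier from low to critical, and the tier selects the screening required before contract signature. The questions, point values, tier thresholds and due-diligence scopes are constructed assumptions, and the sample vendors are constructed to match the article's own examples.

```python
# Added example: weighted yes/no inherent-risk questionnaire (constructed values).
# Each question answered "yes" contributes a fixed number of points.
QUESTIONS = {
    "accesses_payment_data": 40,                 # e.g. outsourced financial operation
    "processes_personal_data": 25,
    "supports_mission_critical_operation": 30,   # business-continuity exposure
    "network_connected_device_on_site": 35,      # the "fish tank thermometer" case
    "subcontracts_to_fourth_parties": 10,
    "poor_esg_track_record": 15,                 # reputational exposure
}

# Lower bound of each tier; a score falls into the highest tier it reaches.
TIERS = [(0, "low"), (30, "medium"), (60, "high"), (90, "critical")]

# Screening required before a contract is signed, per tier (assumed scopes).
DUE_DILIGENCE = {
    "low": "self-attestation questionnaire",
    "medium": "questionnaire plus evidence of key controls",
    "high": "full security and continuity assessment before signing",
    "critical": "full assessment, on-site review and executive sign-off",
}


def score_vendor(answers):
    """Sum the points of every question answered True; reject unknown keys."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown questions: {sorted(unknown)}")
    return sum(pts for q, pts in QUESTIONS.items() if answers.get(q, False))


def tier_for(score):
    """Map a numeric score to the highest tier whose threshold it meets."""
    return max((t for t in TIERS if score >= t[0]), key=lambda t: t[0])[1]


def assess(answers):
    score = score_vendor(answers)
    tier = tier_for(score)
    return {"score": score, "tier": tier, "due_diligence": DUE_DILIGENCE[tier]}


# Constructed sample vendors mirroring the article's examples.
VENDORS = {
    "payments_outsourcer": {"accesses_payment_data": True, "processes_personal_data": True,
                            "supports_mission_critical_operation": True},
    "social_media_agency": {"processes_personal_data": False},
    "fish_tank_thermometer_supplier": {"network_connected_device_on_site": True},
}

if __name__ == "__main__":
    for name, answers in VENDORS.items():
        print(name, assess(answers))
```

Note that the thermometer supplier, which looks innocuous, lands in the medium tier purely because of its network-connected device: the questionnaire surfaces exposure that a gut-feel review would miss.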

With an enterprise-wide framework for scoring inherent risk and determining which controls should be set in motion during onboarding, businesses can streamline this mission-critical process.

Does your business need a standardized system to calculate inherent risk when navigating increasingly complex third-party risk management programs? Download our latest white paper How to Quantify and Manage Inherent Risk for Third Parties to learn the best practices for quantifying and managing inherent risk.