How to Manage Third-Party Risks

Your relationship with third parties comes with countless risks: they can breach the terms of your contract, suffer a data breach or incur business disruptions affecting your supply chain. 

These occur a lot more often than you might think. A 2021 Ponemon Institute report found that 51% of organisations experienced a data breach caused by a third party in the previous three years. 

Many of those incidents severely affect the organisation’s customer service, finances, reputation or regulatory compliance.

In this blog, we help you understand the risks associated with your supply chain and explain how you can protect yourself.

What is third-party risk? 

In a data privacy context, third-party risks are a weakness in the way an organisation you work with handles sensitive information.

This includes employee and customer data, financial information and business-critical systems.

There are six different types of third-party risk: 

1) Compliance risk 

These are events in which a third party’s actions affect your compliance with laws and regulations, such as the GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications Regulations). 

It also includes compliance with internal policies and frameworks, such as ISO 27001. 

2) Information security risk 

This describes events in which someone in your supply chain threatens the confidentiality, integrity or availability of the information you use.

For example, criminal hackers might break into an organisation’s systems and steal sensitive data or plant malware on its systems. 

However, information security risks aren’t always the result of malicious actors.

An employee may accidentally send data to the wrong person or fail to password-protect a database containing sensitive information. 

3) Strategic risk 

Strategic risks arise from decisions your board makes regarding business objectives.

In this context, choosing the wrong third party to perform specific tasks could result in significant problems.

For example, a marketing firm that you hire may breach data privacy requirements, which would leave you – as the data controller – potentially liable for regulatory action. 

Another example would be a software provider that gains a considerable market share and increases its price.

The organisation is either stuck paying this price or faces disruption while finding an alternative provider.

4) Reputational risk 

If an organisation you work with does something that damages its reputation – whether it’s suffered a data breach, handled a security incident poorly or infringed upon people’s data privacy – your reputation will also suffer. 

5) Operational risk 

Operational risk encompasses any event in which your business processes are disrupted due to a third-party security incident. 

This includes cyber-attacks and infrastructural damage, such as a fire or flood that damages the third party’s systems.

6) Transactional risk 

Transactional risks are events in which an organisation in your supply chain could damage your organisation’s financial performance. 

For example, if a third party suffered a cyber-attack and could not provide goods to you on time, your revenue may well be affected.

Third-party risk management best practices

Securing the data supply chain can be a challenge. Under the GDPR, data controllers are liable not just for their compliance but also for that of third-party processors.

Contracts and questionnaires, while valuable components of any due diligence process, are necessarily limited.

They will be best suited for low-risk third parties, while audits are necessary for those that pose a greater risk.

Read Third-Party GDPR Audits – Conducting due diligence to find out how to get started. 

How should organisations address third-party risks? 

You can identify, assess and control third-party risks by implementing a TPRM (third-party risk management) framework. 

A TPRM framework should use standardised, risk-mitigating contractual terms and provisions, including the agreement to conduct risk-based monitoring and to give the organisation oversight regarding the way sensitive information is handled. 

Here are four tips to help you create a TPRM framework. 

1. Perform due diligence on third parties 

Creating a TPRM framework will be much easier if you perform due diligence on potential partners before committing to a relationship. 

Doing so helps you see what data protection and information security practices they have in place and how much work is required to get their set-up to an acceptable standard. 

If your due diligence process reveals major gaps, you may implement control measures such as annual audits or additional contractual terms.

Alternatively, you might decide that you’d be better off working with a different organisation. 

 2. Consider fourth parties 

Just as your business can be affected by incidents that occur at third parties, so too can your third parties be affected by organisations they work with. Such organisations are known as fourth parties. 

Although you don’t need to be as rigorous in assessing fourth parties, you should gather and manage information on those organisations as part of the third-party ecosystem. 

If you discover anything concerning, you again may decide that you’d be better off finding a different partner. 

3. Get board-level support 

For your TPRM framework to be successful, you must have board-level support. The board is responsible for ensuring that the organisation has the tools and resources to tackle data protection and information security risks. 

The person leading the framework’s implementation should work with the board to secure the necessary investment. They should also be expected to provide regular progress updates to the board. 

4. Evaluate the effectiveness of your TPRM framework 

You must regularly review your TPRM framework to ensure that it’s working as intended and identify improvements. 

This should include an evaluation of your policies, codes of conduct, processes, controls, audits and compliance practices. 

The evaluation process should take place annually or whenever you make any major changes to your organisation. 

Assess your third parties with DQM GRC 

As we’ve outlined in this blog, there’s a lot that goes into third-party risk management. For those looking for more help, DQM GRC’s Supply Chain Audit service is the ideal solution. 

Our team of experts will design an audit programme around the third party’s risks and controls, and help you assess how effective its security mechanisms are. 

You’ll also receive a report that identifies areas of good practice and highlights deficiencies, supported by recommendations to resolve or mitigate them.  

Additionally, we can provide bespoke consultancy and templates to help you design, create and implement a TPRM framework.

A version of this blog was originally published on 28 May 2021.