As we enter 2020, the pace of regulatory change is unprecedented. Governments the world over are implementing new regulations, and in the United States there is a range of new rules from federal and state authorities, nearly all of which carry a requirement related to third-party oversight.
Of course, these new regulations are being driven by the increased data privacy and cyber risk that all companies, no matter how big or small, face today. Complicating the matter further is the reality that companies can no longer focus only on their internal risks; they must also address the risks from their third parties and their fourth parties (the larger ecosystem of their vendors' vendors).
That’s why most companies are turning to third-party risk management experts and technology providers to help them implement policies, programs and tools to mitigate these risks and ensure compliance.
Let’s take a look at 6 of the hottest topics we’re seeing in the market, in the hope that it will help you enter 2020 with your eyes wide open and ready to optimize your third-party risk management program.
1. Taking fourth-party risk seriously
You’re probably working with a growing number of third parties. In the modern business world, it’s all but inevitable. However, are your third parties also working with their own third parties? If so, that’s a fourth party, and you need to worry about their activities and the risks they pose as well.
These days, fourth-party risk mitigation is something every company should implement. As such, it’s important to ensure your third parties have a comprehensive approach to managing the risk posed by their own vendors, who are your fourth parties.
2. Third-party concentration risk
If you’re overly reliant on a particular third party, your risk increases. Investors diversify their portfolios in order to reduce risk, and likewise it’s often best to spread your risk across a number of third parties. Identify which vendors and which risks would have the most impact on your company’s core operations, and mitigate that risk with continuity plans and additional vendors providing similar or duplicative products or services.
3. Continuous risk monitoring
The days of performing due diligence only on an annual or bi-annual basis are over. Quarterly or annual updates on risk-related issues are not enough. Instead, risk management needs to be a continuous and ongoing process. There is an emerging sector of data intelligence and monitoring tools that should be integrated into every third-party management program to ensure you have a comprehensive, real-time approach to mitigating risk with your third and fourth parties.
4. Vendor management automation
Increasingly, companies are using automation to manage and provide oversight throughout the full lifecycle of their relationships with their vendors. Doing so reduces risk: many tedious manual tasks are streamlined and, where possible, eliminated by the system. This lets your employees focus on their oversight responsibilities and rely on reminders and other workflow improvements to do their jobs more effectively, which results in improved risk mitigation.
The banking industry was a pioneer in automation, which allowed many banks to greatly increase productivity while reducing risks. Now, other industries are following suit. Industries heavily impacted by regulations, such as the insurance industry, healthcare, utilities, and companies that collect a lot of data, have been especially aggressive in adopting vendor risk management automation.
Fortunately, there are a number of great vendor management automation tools available.
5. Modernizing contractual standards
The contracts of yesteryear are often no longer enough given the current regulatory environment. For example, new data privacy regulations mean that old contracts don’t provide enough protection and oversight when it comes to managing data. Contractual gaps could increase your exposure to third- and fourth-party risks.
Consider data breaches. In many states, companies are required to notify authorities and consumers in the event of a data breach. Yet what if a third or fourth party is responsible for the breach? Have you specified in your contracts that they must notify you (so you can then notify the relevant parties)?
If not, outside contractors may fail to report the data breach, but you could ultimately be held responsible. That’s why it’s best to audit your contracts and modify them when and where necessary. It’s smart to start with your highest-risk vendors and work your way down.
Finally, one of the most important tools in your third-party risk toolkit is insurance. Just as you audit and update your contractual standards and existing agreements, you should also work with your insurance risk consultants to review and update the coverage requirements you impose on your third parties, so that the growing risk from those relationships is effectively mitigated by their insurance coverage on your behalf.
It is also highly recommended to do a thorough review of your direct insurance coverage to ensure you have the comprehensive protection you need. One of the emerging areas of coverage is cyber insurance, so make sure to include it in your planning process.
The Year Ahead
While these topics weave together as a cautionary tale, our team at Vendor Centric enters 2020 with a great deal of excitement and passion for what lies ahead. We know that this work is not easy, but we hope these hot topics help you as you develop your plans, priorities and budgets. We are always here to help, and we know that with the right approach and resources we can all engage in effective third-party risk management.
Happy Holidays and have a very Blessed 2020!!
Author: Paul Schrantz
Job Title: Director of Business Development & Client Success
Organization: Vendor Centric