Third-Party Risk Never Sleeps
Consider how managing the risk associated with third-party vendors has evolved: many business relationships once started with a handshake.
In those earliest days of doing business, things moved at a much different pace, and the farmers, traders and business owners of the time could never have imagined our high-tech world or the risks we are experiencing in 2019.
Some of the most challenging risks relate to data privacy and cybersecurity. Third parties often have access to your most sensitive data, including personally identifiable information (PII), and many have their systems linked into one or more of your critical business systems. You need to ensure those third parties have the required security and controls in place to mitigate these risks.
Many companies still lack a formal due diligence process for their third-party vendors. You should complete a risk and due diligence assessment before you sign a contract with a new vendor, and you should reassess each vendor at a frequency that aligns with your company's risk appetite.
High-risk vendors, meaning those with access to your systems or to protected customer data, should be reassessed at least annually, and more frequently where the risk warrants it.
Risk Monitoring and Data Intelligence Services
An emerging best practice in the third-party risk management sector is to implement ongoing risk monitoring and data intelligence services. These solutions continually monitor critical risks and notify you of changes in risk factors and news about your third parties, so that you can manage those risks actively rather than at the next scheduled reassessment. This practice has been aided by a new category of technology and data intelligence solutions created specifically for continual monitoring and mitigation of third-party risk. The main categories of these solutions are summarized below:
Cyber Risk Monitoring
Tools and services that perform point-in-time and continual monitoring of a third party's digital systems and ecosystem, and notify you of security threats, vulnerabilities or missing controls that affect the cyber risk associated with that third party.
Financial Health Risk Monitoring
Subscription services and one-time reports that provide real-time updates about the financial health and risk factors of third-party vendors.
Restricted Party Sanctions Screening
Tools and services that automate screening against sanctions lists such as OFAC and SAM, as well as over 600 restricted party lists maintained by government institutions worldwide.
Business Verification & Background Checks
Subscription services and one-time reports that verify a business's legal registration and provide background checks on employees and third-party contractors.
License and Certification Verification
Subscription services and one-time reports that verify the professional licenses and certifications of employees and third-party contractors.
Ongoing Due Diligence of Third Parties
As you plan due diligence for third parties, both before you execute a contract with them and at a frequency that aligns with your company's risk appetite, consider integrating one or more of these monitoring and data intelligence solutions. Adding them to your third-party risk management program closes the gap between scheduled reassessments and helps prepare and protect your company against third-party risks.
Author: Paul Schrantz
Job Title: Director of Business Development & Client Success
Organization: Vendor Centric