Posted July 11, 2018
There’s a lot of talk in the industry about protecting your company from third-party vendor risk, especially with the implementation of new regulations that hold organizations accountable for third party cybersecurity. While the OCC, FDIC, and the Federal Reserve all agree that vigorous due diligence and on-going third party monitoring are crucial to reducing your third party risk, it’s the wild west when it comes to agreement in practice.
Compounding this matter is the fact that the term ‘risk’ is quite broad. So broad, in fact, that no two regulators categorize risk in precisely the same way. So how can organizations solve for ‘X’ risk when there is no single, agreed definition of risk?
The key is to develop and implement a third party risk management program with processes and metrics to assess and manage risk expectations.
Third-Party Vendor Risks to be Aware Of
When starting this process, it is good to outline the categories of risk. The following types of risk are worth knowing because of how frequently they occur:
- Reputational risk—Whether a third party provider deals directly with customers or offers a service that can indirectly impact customers, it’s your reputation on the line if the third party drops the ball.
- Operational risk—When a third party provider is integrated into internal processes, such as through the use of a cloud-based customer relationship management solution, it increases operational complexity and risk.
- Transactional risk—From insufficient capacity that prevents transactions from being completed to security lapses that lead to unauthorized access and misuse of data, transaction risk is one of the most commonly encountered, and most highly publicized, risks a financial institution faces.
- Credit risk—While credit risk is most frequently considered in terms of a third party’s own financial condition, credit risk also stems from the use of third parties for loan origination, underwriting, or business solicitation.
- Compliance risk—As more laws, rules, and regulations are put into place to protect consumers, the level of compliance risk also increases. Non-compliance caused by lapses at a third party provider does not shield a financial organization from penalties; the regulated institution remains accountable.
- Strategic risk—A third party provider that fails to meet the terms of a contract, or to deliver the expected return on investment, undermines the business strategy the engagement was meant to support.
- Country risk—Whenever a financial institution engages a third-party provider based in a foreign country, it is exposed to the economic, social and political conditions of the country in which that provider operates.
- Legal risk—The activities of a third party provider can expose a financial institution to legal expenses and possible lawsuits.
Managing Third-Party Risk
Staying ahead of all these types of risk requires more than a scorecard. Organizations need to partner with a company that provides relevant intelligence, properly aggregated, contextualized, and correlated for their organization. It also helps to have access to an analyst who can discuss the implications of multiple risks, and the potential for them to combine, on the business.
With LookingGlass’ Third Party Risk Management solution, organizations receive a 360-degree view of each vendor’s risk profile. That view establishes a baseline of risk for every vendor, and continuous third party risk monitoring then keeps the organization prepared for any of the types of risk outlined above.