Look Closely For Hidden Risks With Third Parties 

16-Feb-15 09:55

Third-party relationships are a staple of the modern economy. So are the risks that come from those relationships. One example: Tech Target reported that third-parties are the cause of the majority of cyber breaches. And it’s not just cyber security that can be at risk. Writing in Risk & ComplianceMagazine, consultants from KPMG cited several other third-party risks as well, including privacy risks, transaction risks, technology risks, credit risks, compliance risks, and risks to reputation.

Oh, and then there is the potential of a complete business shutdown. While not quite a traditional third-party issue, the current situation at 29 US West Coast shipping ports provides a glimpse of potential disaster for buyers and suppliers from actions of other parties that they can’t completely control. A labor dispute between shipping lines and the dock-workers union, which has been going on for some eight months now, threatened to shut the ports over the weekend beginning 14 February 2015, stranding electronics, clothes, apparel, toys, car parts and other products on ships forced to idle in the harbors. And that’s not to mention the agricultural products awaiting export. Officials say about a billion dollars a day of cargo go through those ports.

So, the importance of monitoring third-party organizations, and possible fourth-parties as well, is obvious. Consulting firm McKinsey & Company suggests the starting point is to compile a list of all third-parties, outline their potential risks, then rank the risks for priority action.

It’s also a good idea to to conduct the kind of in-depth audit of suppliers that Apple has conducted. The company found that some suppliers used third parties to recruit foreign workers, who had to pay a fee to actually work. Armed with that knowledge, Apple is taking steps to end what it called “bonded servitude” within its supply chain.

Greg Dickinson, CEO of Hiperos, a third-party-risk-management company, says it’s essential to gather all the information you can on your third parties in one computerized place for analysis. That was helpful to an insurance company, he says, that used a third-party for claims processing. When the third-party wanted to relocate to another country Hiperos rated it as high risk, so procurement asked the company to document its risk-mitigation strategy. Meanwhile, the company learned that it was illegal to take the data outside the country.

Take a close look at your third parties. Then, look again. You may uncover potential problems. At the least, you’ll know more about who you’re dealing with. As consultancy Aberdeen has said, there’smore opportunity to track third parties today--and more of a requirement to do so.