Strengthen Supply Chain Resilience with Third-Party Risk Management Strategies

Organizations that outsource critical processes must consider several emerging threats or risk unintended consequences. Robust third-party risk management (TPRM) programs that gauge third-party risks have become an essential piece of the puzzle.

It’s no secret that engaging third parties can be a great way to reduce costs or supplement your organization’s current capabilities. After all, it can often be more cost-effective or strategic for a business to engage with a competent outsource service provider (OSP) than it would be to build out a non-core capability.

With constant supply chain disruptions due to any number of global issues, such as pandemics, cybersecurity breaches or natural disasters, organizations today need to be prepared for any potential threat to their operations, reputations and revenues.

However, organizations, especially those at the mercy of large supply chains or those that outsource critical processes, must consider a number of emerging threats when engaging OSPs — or run the risk of unintended consequences.

A robust third-party risk management (TPRM) program is no longer a “nice-to-have” option; it’s an imperative. TPRM and third-party oversight are also receiving more scrutiny from regulators like the Securities and Exchange Commission.

So, what should organizations keep in mind to strengthen their supply chain resilience when bringing an OSP on board?

Understanding Third-Party Risks and Obligations

There may be any number of reasons that your business chooses to outsource capabilities to a third party. For example, many organizations may find it more cost-effective to use a third-party payroll service solution than to create their own payroll department. Or, perhaps your organization is relying on an OSP to benefit from its expertise in an area like cybersecurity for incident response (IR) or managed detection and response (MDR) capabilities.

Public companies — especially those in highly regulated industries — are often expected to have agreements in place to ensure that they can demonstrate appropriate oversight of critical OSPs. Failure to do so can result in consequences including litigation and potential regulatory action such as fines and penalties. 

Because of the interconnected nature of supply chains, expected oversight may extend not only to your directly contracted third-party vendors, but also to any additional OSPs your third party may engage. For example, a SOC 2 report is a common way for an OSP to demonstrate that selected cybersecurity controls are in place and operating. However, the report does not always make clear whether the OSP relies on a subservice organization for part of the service, or whether that subservice organization has satisfactory controls in place, so the report’s scope should be read carefully rather than taken at face value.

Recently, a well-known financial services firm hired a third party to dispose of computer equipment, including hard drives that contained customer data. When the devices that stored the customer data ended up being sold on the internet without the customer data removed from them, the SEC attributed this data breach to a lack of monitoring of the third party hired to dispose of the computer equipment. As a result of these TPRM oversight failures, the financial services firm was fined tens of millions of dollars for failing to protect its customer data.

This is one of the many reasons that it’s so crucial to verify that the third party your organization engages is reputable and transparent. You must confirm that the OSP has acceptable internal controls in place and employs appropriate cybersecurity hygiene to help minimize risk to your organization.

Identifying and Assessing Risks

Whether you’re a small business or a large enterprise, the foundation of any successful risk management strategy fundamentally lies in the identification and assessment of potential risks within your supply chain.

Doing your due diligence as an organization means conducting comprehensive evaluations of each of your OSPs. Questionnaires are one great way to capture critical information from your vendors before you bring them on board, accounting for factors such as:

  • Geographic locations
  • Financial stability
  • Regulatory compliance
  • Supply chain practices
  • Cybersecurity posture and handling of sensitive information

This same assessment should be conducted for all OSPs, regardless of size. Even a third-party cleaning service for your physical offices should be subject to the same evaluation. If your cleaning crew will have access to your server room or any room that contains sensitive material, for example, anyone who has access to that room should be vetted via a background check before they’re allowed to start work.

Capturing this data from your OSPs and then assessing which ones pose the least risk to your organization is one of the most effective ways to manage risks from your third-party vendors and suppliers.

What To Look for in a Third-Party Risk Management (TPRM) Solution

As your organization grows, it’s likely that your list of third-party vendors will grow with it. Establishing key performance indicators (KPIs) and regularly assessing vendors’ adherence to these metrics should be a critical part of your overall risk management strategy — but evaluating each vendor individually will not always be the most cost-effective or timely option.

In this case, an integrated risk management (IRM) solution may be the best way to track and rank your third-party risks. An IRM solution is a platform that allows organizations to maintain a list of OSPs. These solutions are designed to help break down silos within organizations to better understand the nature of the services that third parties are providing and assess where they stand from a risk-management standpoint.

Best-in-class IRM solutions can:

  • Act as a central repository for vendors across your organization
  • Maintain and track relevant monitoring controls over OSPs
  • Receive threat and other real-time information that can impact critical OSPs
  • Report on potential vulnerabilities from third-party vendors and suppliers
  • Automate the questionnaire intake process
  • Capture and communicate digital monitoring results for critical OSPs
  • Score vendors’ risk by comparing recent recorded questionnaire answers to previous responses

Leveraging technology-driven tools like IRM solutions will allow your organization to track performance in real time and identify potential issues and risks before they spiral into significant problems.
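The questionnaire factors listed above and the last bullet (scoring vendor risk by comparing a vendor’s recent questionnaire answers to its previous responses) can be made concrete in a few lines of code. The example below is added here for illustration; it is not code from CDW, Focal Point or any IRM product. The factor weights, the questions, the point scales, the tier thresholds and the two sample response sets are all constructed assumptions, and a real questionnaire would be far longer. It shows three things a practitioner would want from such scoring: unanswered questions count as worst case rather than as “no risk”, the score is broken down per factor so the reviewer can see where the risk sits, and a change report lists exactly which answers got worse since the last assessment.

```python
"""Vendor questionnaire scoring with change detection.

Added example, not the page's or any vendor's code. Weights, questions,
scales and sample answers are constructed for illustration only.
"""

# Assumed risk weight per assessment factor (the five factors named on the page).
FACTOR_WEIGHTS = {
    "geographic": 1.0,
    "financial": 1.5,
    "regulatory": 2.0,
    "supply_chain": 1.5,
    "cybersecurity": 3.0,
}

# Constructed questions. Each maps an allowed answer to risk points (0 = best).
QUESTIONS = {
    "geographic": {
        "operates_in_sanctioned_regions": {"no": 0, "yes": 3},
    },
    "financial": {
        "audited_financials_last_12_months": {"yes": 0, "no": 2},
    },
    "regulatory": {
        "open_regulatory_findings": {"none": 0, "minor": 1, "major": 3},
    },
    "supply_chain": {
        # Does the vendor disclose the subservice organizations it relies on?
        "subservice_orgs_disclosed": {"yes": 0, "partially": 1, "no": 2},
    },
    "cybersecurity": {
        "soc2_type2_current": {"yes": 0, "no": 3},
        "mfa_enforced_for_staff": {"yes": 0, "no": 3},
        "encrypts_client_data_at_rest": {"yes": 0, "no": 3},
        "media_sanitization_verified": {"yes": 0, "no": 3},
    },
}


def _points(scale, answer):
    """Risk points for one answer. A missing or unrecognised answer is
    scored as the worst case: silence is not evidence of a control."""
    return scale.get(answer, max(scale.values()))


def score_questionnaire(answers):
    """Return (total_weighted_score, {factor: weighted_score})."""
    per_factor = {}
    for factor, questions in QUESTIONS.items():
        raw = sum(_points(scale, answers.get(qid)) for qid, scale in questions.items())
        per_factor[factor] = raw * FACTOR_WEIGHTS[factor]
    return sum(per_factor.values()), per_factor


def detect_regressions(previous, current):
    """List (question, old_answer, new_answer, added_points) for every
    question whose risk points increased between two response sets."""
    regressions = []
    for questions in QUESTIONS.values():
        for qid, scale in questions.items():
            before = _points(scale, previous.get(qid))
            after = _points(scale, current.get(qid))
            if after > before:
                regressions.append((qid, previous.get(qid), current.get(qid), after - before))
    return regressions


def risk_tier(score, thresholds=(5.0, 15.0)):
    """Bucket a weighted score into a tier (assumed thresholds)."""
    if score < thresholds[0]:
        return "low"
    if score < thresholds[1]:
        return "medium"
    return "high"


# Constructed sample data: last year's answers and this year's answers.
PREVIOUS_ANSWERS = {
    "operates_in_sanctioned_regions": "no",
    "audited_financials_last_12_months": "yes",
    "open_regulatory_findings": "none",
    "subservice_orgs_disclosed": "yes",
    "soc2_type2_current": "yes",
    "mfa_enforced_for_staff": "yes",
    "encrypts_client_data_at_rest": "yes",
    "media_sanitization_verified": "yes",
}
CURRENT_ANSWERS = dict(PREVIOUS_ANSWERS)
CURRENT_ANSWERS["subservice_orgs_disclosed"] = "partially"
CURRENT_ANSWERS["media_sanitization_verified"] = "no"


if __name__ == "__main__":
    total, breakdown = score_questionnaire(CURRENT_ANSWERS)
    print(f"score={total} tier={risk_tier(total)} breakdown={breakdown}")
    for qid, old, new, delta in detect_regressions(PREVIOUS_ANSWERS, CURRENT_ANSWERS):
        print(f"REGRESSION {qid}: {old!r} -> {new!r} (+{delta} points)")
```

With the constructed sample, the vendor’s score rises from 0 to 10.5 (medium tier), and the change report points straight at the two answers that worsened: subservice disclosure and media sanitization verification. Dropping an answer entirely (for example, leaving the MFA question blank) pushes the score to 19.5 and the tier to high, which is the intended behaviour: an incomplete questionnaire should trigger follow-up, not a clean bill of health.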

Where Should You Start with Your Third-Party Risk Management Strategy?

At a time when supply chains span across borders and may involve several OSPs, effective third-party risk management is more important than ever.

A partner with deep expertise in cybersecurity and data privacy risk, the current threat landscape and the rigorous requirements of regulators can help you use technology-driven solutions to fortify your supply chain risk management capabilities and assess your current third-party risk management maturity level.

Story by Larry Burke

Larry Burke, CPA, CGMA, CITP, is a principal with the Global Security Strategy Office of Focal Point. He serves as an executive leader providing governance, risk and compliance advisory and assurance services, mostly to large global organizations operating in industries under various regulatory and industry frameworks including SOX, NIST, ISO, COBIT, COSO and FTC consent orders. He also serves a