The Company You Keep: Reducing Exposure through Third-Party Risk Management

Growing up, my mom used this phrase quite often: “You are known by the company you keep.” Today, in the world of outsourcing, offshoring, integration, and collaboration, this adage is all the more important.

The rise of service relationships presents organizations with different risks emanating from the increasingly large and diverse network of external business partners. These new business realities pose a significant challenge for firms, as the negative impact of third-party compliance or security failures becomes increasingly severe, resulting not only in significant financial losses, but also operational disruptions and long-term reputation damage.

Reducing exposure and building relationships

With increased regulatory scrutiny, continuing cost pressures, active investors, and a vigilant public, businesses must have a clear understanding of the risks that are inherent in external business relationships. Organizations are striving towards being risk intelligent, and by recognizing and proactively addressing these third-party issues, business leaders can reduce exposure to risk and achieve stronger relationships with service providers, suppliers, and delivery partners. The ultimate goal: A nimbler, more responsive, and more profitable business model.

Many organizations are increasingly concerned about how they should address the risks inherent in relationships with third parties. Risks beyond the financial include those associated with privacy, information security, social responsibility, and the effect that third-party relationships can have on an organization’s reputation and brand.

4 conversation starters for third-party risk management

As companies grow more dependent on a wide array of third-party relationships, they are acknowledging the need for oversight and monitoring of related risks, as well as verification of their third parties’ self-reporting. Identifying the most critical relationships, establishing a monitoring program, and maintaining open communication are critical aspects of third-party risk management and organizational governance.

Board members can start the conversation today by asking management some targeted questions related to third-party risks:

1. Does our company have a full inventory of its relationships and agreements?

2. Have we performed an assessment of the risks to the business or the brand for each of the relationships we have?

3. Who owns the assessment of risks?

4. What are the key relationship risks and what are the processes we have in place to manage them? Who is responsible for risk management and monitoring?

These questions can serve as a springboard for meaningful conversation. How is your business preparing and maintaining your third-party risk management programs? Do you want to be known by the company you keep?

Bindu Sundaresan, Strategic Security Solutions Lead, AT&T