What Is Third-Party Risk Management & Third-Party Due Diligence?
Third-party risk management is the process of assessing and controlling the reputational, financial and legal risks that parties outside your organization pose to it. Third-party due diligence is the investigative process by which a third party is reviewed to identify any potential concerns involving legal, financial or reputational risk. Due diligence is a disciplined activity that includes reviewing, monitoring and managing communication over the entire vendor engagement life cycle.
The Risks Are Real
As we see in the news too often, lapses in leadership around managing third parties have damaged organizations by exposing them to massive fines and penalties. According to the 2016 Benchmark Report, one-third of respondent organizations have faced legal or regulatory issues that involved third parties, with 50 percent of these incidents involving average costs of $10,000 or more per incident. Even if the financial penalty can be managed, the reputational impact can have far-reaching consequences for many years.

Third-party risk management is a top concern of compliance leaders, but many organizations are still coming to terms with how best to manage their third parties to limit risk, and with how to develop programs based on organizational risk assessments. The 2016 NAVEX Global benchmark report found that many organizations think they could be doing a better job of third-party risk management. Only 58 percent reported that they do a good job of complying with laws and regulations, and less than 25 percent rate their overall program as Good. Organizations may be diligent with their own ethics and compliance programs, but for many the risk their third parties represent is a Wild West over which they feel they have little control.
Benefits of a Strong Third-Party Risk Management Program
Managing third-party risk can make a big difference in how well your organization can identify, manage and limit the liability a third party can represent. Your third party's risk is your risk. You should have confidence that your program is minimizing that risk for you and your organization.