Introduction
Third-party risk management is a critical aspect of any organization’s risk management strategy. With the increasing reliance on third-party vendors, suppliers, and service providers, companies are exposed to a growing number of risks that can impact their reputation, financials, and operations. According to a study by Deloitte, 83% of respondents reported experiencing a third-party disruption in the past three years, resulting in significant financial and reputational consequences.
Despite the importance of third-party risk management, many organizations continue to struggle with implementing effective risk management strategies. In this blog post, we explore the painful lessons learned from failures in third-party risk management and offer insights on how to avoid similar mistakes.
Lesson 1: Failure to Conduct Thorough Due Diligence
One of the most common mistakes organizations make is failing to conduct thorough due diligence on third-party vendors and suppliers. Due diligence involves thoroughly researching and evaluating a third party’s financials, reputation, and compliance history to ensure it is reliable and trustworthy.
According to a study by PwC, 61% of respondents reported that they do not conduct regular due diligence on their third-party vendors. This lack of due diligence can lead to serious consequences, such as partnering with a vendor who has a poor reputation or a history of non-compliance.
For example, in 2017, the online retailer Amazon faced a lawsuit for selling counterfeit goods on its platform. The lawsuit alleged that Amazon had failed to conduct adequate due diligence on its third-party sellers, resulting in the sale of counterfeit goods to consumers. The lawsuit ultimately resulted in a settlement, but not before damaging Amazon’s reputation and causing financial losses.
To avoid this mistake, organizations should conduct thorough due diligence on all third-party vendors and suppliers, including reviewing their financials, reputation, and compliance history.
Lesson 2: Failure to Monitor Third-Party Performance
Another critical mistake organizations make is failing to monitor third-party performance on a regular basis. Monitoring third-party performance involves tracking their compliance with contracts, service level agreements, and regulatory requirements.
According to a study by KPMG, 55% of respondents reported that they do not have a formal process in place for monitoring third-party performance. This lack of monitoring can lead to serious consequences, such as failing to detect non-compliance or poor performance.
For example, in 2019, the healthcare company Quest Diagnostics faced a data breach that exposed the personal data of millions of patients. The breach was caused by a third-party vendor that had access to Quest Diagnostics’ systems. The vendor had failed to implement adequate security measures, resulting in the breach. Quest Diagnostics was ultimately held responsible for the breach and faced significant financial and reputational consequences.
To avoid this mistake, organizations should establish a formal process for monitoring third-party performance on a regular basis, including tracking compliance with contracts, service level agreements, and regulatory requirements.
Lesson 3: Failure to Address Third-Party Risks
Another mistake organizations make is failing to address third-party risks in a timely and effective manner. Addressing third-party risks involves identifying, assessing, and mitigating risks associated with third-party vendors and suppliers.
According to a study by Protiviti, 51% of respondents reported that they do not have a formal process in place for addressing third-party risks. This lack of risk management can lead to serious consequences, such as failing to detect and mitigate risks.
For example, in 2018, the bank Wells Fargo faced a scandal involving fake accounts created by third-party contractors. The contractors had been hired to sell banking products to customers, but instead created fake accounts without customer consent. The scandal resulted in significant financial and reputational consequences for Wells Fargo, including a $1 billion fine.
To avoid this mistake, organizations should establish a formal process for addressing third-party risks, including identifying, assessing, and mitigating risks associated with third-party vendors and suppliers.
Lesson 4: Failure to Continuously Review and Update Third-Party Risk Management Processes
The final mistake organizations make is failing to continuously review and update their third-party risk management processes. Third-party risk management is not a one-time task but an ongoing process that requires continuous review and updating.
According to a study by C-suite, 46% of respondents reported that they do not review and update their third-party risk management processes on a regular basis. This lack of review can lead to serious consequences, such as failing to address emerging risks and new regulatory requirements.
For example, in 2020, the technology company Zoom faced a lawsuit for failing to disclose third-party data collection practices to customers. The lawsuit alleged that Zoom had failed to update its third-party risk management processes to address emerging risks and regulatory requirements.
To avoid this mistake, organizations should establish a process for reviewing and updating their third-party risk management processes on a regular basis.
Conclusion
Third-party risk management is a critical aspect of any organization’s risk management strategy. By learning from the painful lessons of failure, organizations can avoid similar mistakes and implement effective risk management strategies. Third-party risk management requires thorough due diligence, monitoring of third-party performance, addressing third-party risks, and continuous review and updating of risk management processes.
We invite you to share your experiences and insights on third-party risk management in the comments below.
Third-party risk management statistics:
- 83% of respondents reported experiencing a third-party disruption in the past three years (Deloitte)
- 61% of respondents do not conduct regular due diligence on their third-party vendors (PwC)
- 55% of respondents do not have a formal process in place for monitoring third-party performance (KPMG)
- 51% of respondents do not have a formal process in place for addressing third-party risks (Protiviti)
- 46% of respondents do not review and update their third-party risk management processes on a regular basis (C-suite)