THIRD PARTY RISK MANAGEMENT: EVOLVING VENDOR, OPERATIONAL AND STRATEGIC RISKS
R&C: Could you provide an overview of the kinds of vendor, operational and strategic risks associated with third-party relationships? How have these risks evolved in recent years?
Matthews: The risks associated with third-party relationships are extensions of any of the risks that a company experiences in its day-to-day operations, including financial, compliance, technology, information and cyber security. In addition, the use of a third party introduces the need for overseeing an external operation as if the third-party products and services were being delivered by internal operational units. The following scenarios exemplify how third-party risks are evolving.

First, cyber security risk is top of mind across all industries, as firms seek to protect their information and services. In fact, the velocity of change is at an all-time high, with a number of high-profile ransomware attacks highlighting the reputational damage that can be done.

Second, there is a general increased reliance on third parties as business operations evolve and digitalise. Ensuring that these increasingly complex services can be reliably delivered is driving the focus of management on operational resilience. A recent survey pointed out that three quarters of third-party risk management (TPRM) executives identified their biggest reputational impacts come from a failure of third parties to deliver services in line with expectations.

Third, there are increased regulatory requirements related to consumer protection, privacy, and environmental, social and governance (ESG) issues, which highlight the fact that companies can outsource anything but remain accountable for regulatory compliance. Another challenge comes from the increasing use of subcontractors or fourth parties and how to manage them indirectly, especially where the service involves other risk factors such as regulatory and compliance or cyber security risks.
Jan-Mar 2022 Issue
KPMG