WHY THIRD-PARTY RISK ANALYSIS IS NOW A NECESSITY AT ALL LEVELS
Organisations are heavily reliant on a variety of third parties for improved profitability, faster time to market, competitive advantage and decreased costs. However, despite their undoubted advantages, suppliers create a wide variety of risks that have to be governed and managed. If a supplier is found to be using child labour or dealing in conflict minerals, for instance, the blame and any financial, brand and reputation loss lie with the business which has the relationship with the vendor. In fact, Deloitte calculated that the costs arising from the illegal or unethical actions of a third party – fines, remediation and reputation damage – can combine to cost businesses 10 times the amount of the initial penalty.
Target’s data breach from 2013 is an example of a high-profile supplier failure. In this case, 110 million people had their personal and financial information stolen because a phishing email compromised a third-party vendor (the company contracted for refrigerator maintenance). Another example is the horse meat scandal that involved multiple UK supermarkets. The scandal saw a supplier fraudulently mislabelling a hybrid beef and horse meat mince as 100 percent beef. Organisations within the financial services industry have also seen significant issues due to downtime of a critical system managed by a third party. In all cases, the companies received heavy criticism for the actions of the vendor.
These examples show us that third-party risk is both industry- and supplier-agnostic, and companies must take the relevant precautions to manage their growing ecosystems. Even the cleaners have access to the documents on desks and could compromise sensitive corporate data; they need to be managed just as much as top-level suppliers.
Apr-Jun 2017 Issue