The Pitfalls of Oversimplifying Third-Party Risk Management
June 13, 2019
It used to be that vendor management meant little more than a firm handshake and a signed contract. In today’s world, however, treating third-party risk management (TPRM) as a mere box to be checked is a dangerous oversimplification that puts businesses at reputational, financial and legal risk. Whether you are a lender, broker, bank or securities dealer, hidden within your operations are hundreds or even thousands of contractors and subcontractors, each with access to sensitive information. Getting an accurate picture of this spider’s web can seem like an overwhelming task, but the dangers of unmitigated risk are too great to ignore it. It is critical to stop applying a one-size-fits-all approach to vendor management, and start treating these business relationships as living things that require diligent and ongoing attention.
Know your vendor
Oversimplifying TPRM is a double-edged sword: financial institutions can go wrong by wasting resources on low-risk vendors or by not taking a close enough look at high-risk vendors. The starting point for any risk assessment must be to figure out which vendors are which, and the answers might be surprising. The infamous Target data breach of 2013—in which hackers stole data from 40 million customer credit and debit cards—originated in stolen login credentials from Target’s HVAC vendor. A thorough TPRM protocol would have told Target that this HVAC company’s data security wasn’t adequate, and they could have mitigated this risk by limiting the company’s access to sensitive customer data. Instead, Target was blamed and forced to settle for $13.5 million in damages.
TPRM can’t be conceived of as an annual, kick-the-tires assessment to keep regulators happy. This attitude does nothing to help mitigate risk. Furthermore, regulators increasingly expect financial institutions to prove that they are keeping ongoing track of vendor compliance with state and federal laws, in order to fulfill their responsibility of managing third-party risk. One simple best practice to fulfill this obligation is to meet with vendors regularly to get a sense of their performance. In addition, it’s vital to perform periodic monitoring via third-party sources such as the Better Business Bureau (BBB) and the Consumer Financial Protection Bureau (CFPB).
Having a holistic, comprehensive view of a vendor’s operations is the only way to determine what level of risk this vendor represents and whether it lines up with your risk appetite. Most importantly, the insights gleaned from knowing your vendor must be put to work. If a vendor management department operates within an organizational silo, it can neither accurately assess nor mitigate risk. Instead, this process must work across all business lines, including accounts payable and procurement.
Treat your vendor as an extension of your business
The best way to manage vendor relationships is to treat each one with the same level of care as an internal department. At the end of the day, that’s essentially how they function, as vendors perform a duty or process that your business would have managed internally had it not been deemed that the benefits of outsourcing outweighed the risk.
Once you think of a vendor as an extension of your operation, treat them like any potential new hire. As with any applicant, you will want to run a background check, perform an entrance test, and check references. All of these practices fall under the heading of pre-contract due diligence, and the deeper you’re willing to look, the more you can make a strategic assessment about the vendor. Looking beyond the price a vendor quotes can provide a sense of the real financial risk a vendor poses.
As mentioned above, BBB records and CFPB complaints are excellent resources to see if a vendor has a pattern of unsatisfied customers. In addition, pull publicly available financial records such as commercial credit reports to look for any issues. In cases where vendors fail financially, they can leave financial institutions on the hook to pay subcontractors, so don’t take a vendor’s reputation at face-value and assume it is too big to fail.
Beyond simply learning if a vendor is in regulatory compliance or financial trouble, it’s crucial to get a sense of whether a vendor shares your organization’s values and is ready to grow alongside you. Look at a company’s leadership team and their social media presence, as well as conduct a search for negative media or any pending litigation. A track record of bad behavior has the potential to impact the reputation of your business, especially at a time when consumers have high ethical standards for the companies they work with. Above all, be sure that this vendor will treat your business as a priority, and has the structure to handle your needs as you grow.
The age of digitalization has made financial institutions able to partner with vendors more effectively than ever before, but with increased data sharing comes increased risk. Headline-grabbing data breaches across multiple industries—from social media to credit reporting—have proven that when vendors make mistakes, the businesses they work with are guilty by association. To protect your business and reap the benefits of vendor relationships, financial institutions must be willing to engage in true oversight, and take real action. After all, the time to avoid a pitfall is before you fall in it.