The importance of Third-Party Risk Management - session 1

Risk has a major impact on the success of your IT department's outsourced projects and can even affect the viability of the whole Organization. IT service integrators and other third parties invest far more resources in a proper due diligence of their liabilities than their clients do. As a result, clients often come unprepared to the negotiation table, unaware that the vendor has already built a strong focus on contingency into its negotiating position.


(By Jan Vanderstraeten)

In the next 2 weeks we shall post blogs about the importance of Third-Party Risk Management. In an extra blogpost we shall publish the entire paper.

After reading these blogs you will understand why there is a need to research your risks in real time, and you will be able to create a risk dashboard reporting the potential risks that may arise within the digital transformation of your Organization.

 

1. Introduction

Current economic conditions are forcing clients to maximize cost savings and efficiency gains through lean production and offshoring. The price that organizations pay for this drop in cost is an intensified risk profile and an increased reliance on vendors.

A global recession heightens the risks of instability in a variety of destination geographies, forcing clients to become more adept at shifting workloads from place to place.

Extending the enterprise via the use of third parties has allowed companies to focus on core competencies, pursue growth and digital innovation, improve time to market, improve the customer's digital experience and reduce their technology costs. While there are many benefits to using third parties, there are also added risks. IT outsourcing is often associated with a reduction or even loss of control over service delivery. Introducing a third party to support the organization in critical processes brings along types of risk to which the organization may not have been previously exposed, such as concentration risk, location risk or legal/jurisdiction risk.

When issues arise today, the likelihood is far greater that they will snowball quickly. If your Organization discovers the use of forced labour in a company's extended supply chain, the damage to the company's brand can spread across social media before the company can even verify its vendor's connection. A formal, data-driven risk assessment that considers risk likelihood, impact and velocity can produce a more meaningful set of priorities than one that focuses exclusively on likelihood and impact.

Strong risk management across the extended enterprise can be best achieved by embedding third-party risk management (TPRM) functions firmly into the fabric of the business and its operations. Organizations that perform TPRM well should benefit by reducing risk and increasing agility and resiliency—enabling them to pursue growth while also reducing areas of vulnerability.

But how is risk defined? Which unexpected events jeopardize IT projects? You will discover them in the next chapters.

 

2. How do we define risk?

Risks can be defined as uncertain events which have an impact on the realization of the contract or even on corporate strategic objectives.

Risks can arise from outside factors such as economic changes or variations of legal frameworks and policies (e.g. Brexit).

Compliance risk relates to compliance with laws and regulations, governance codes, voluntary certifications and the frameworks and agreements made internally within the Organization. The consequences of non-compliance are increasing, both in financial impact and in impact on the reputation of organizations.

 

3. Risk Calculation

The estimated value of a risk depends on two main factors: (1) Impact and (2) Likelihood. Both factors are needed to determine the prioritization of the risk. What is the probability that the risk occurs? Almost certain? Or is the chance that the risk will arise rather low? And if the risk occurs, what is the impact for the Organization?

The measurement of risk is calculated as follows: Risk = Likelihood x Impact.

Create a tailored cost estimate of the different risks to provide a call for action.

 

4. Impact

Impact can be defined as the marked effect or influence on the Organization after the uncertain event has taken place.

The impact of a risk is difficult to measure. Some of these risks initiate a tangle of direct and indirect costs, with some accruing in the direct aftermath and others occurring years after the actual event.

 

We have the following categories of impact:

  • Disaster: Very severe impact on the Organization as a whole. Customers and/or investors have a negative view of the Organization’s future.
  • High: Very important impact on some parts of the Organization. E.g., a high loss of revenue in a certain country.
  • Medium: Some impact on some parts of the Organization. A mitigation plan needs to be put in place.
  • Low: The risk can easily be mitigated. Limited impact.
  • Minor: Negligible risk with barely any impact.

     

5. Likelihood

Likelihood refers to the possibility of a potential risk occurring, measured in the following qualitative categories:

  • Almost certain (80-100 %): There is a probability that this risk will occur in a year or 80-100 % chance it will occur.
  • High (60-80 %): There is a probability that this risk will occur in a 3 year period or 60-80 % chance it will occur.
  • Medium (40-60 %): There is a probability that this risk will occur in a 5 year period or 40-60 % chance it will occur.
  • Low (20-40 %): There is a probability that this risk will occur in a 10 year period or 20-40 % chance it will occur.
  • Negligible (0-20 %): There is a probability that this risk will not occur in a 10 year period or 0-20 % chance it will occur.

You are free to use deviations from the mentioned percentages in these categories of likelihood. However, it must be clear that there is a difference between the categories.

 

Examples of factors that drive the likelihood (here for the Medium category):

  • A medium number of external and/or uncontrollable factors
  • And/or a medium complexity of tasks
  • And/or medium diverse views of stakeholders
  • And/or a medium dependency on more than 2 projects
 
Figure 1: Risk Prioritization Matrix

Source: Linda Tonkes, Gert-Jan Valsveld CATS CM version 4 Succescontractmanagement, 4th edition, Van Haren Publishing, ’s-Hertogenbosch, 2020, “Risicomanagement matrix”, p. 112

In their version of the Risk Prioritization Matrix, Linda Tonkes and Gert-Jan Valsveld use only two levels of impact severity and probability (High-Low). Mapped onto their matrix, the impact categories ‘Disaster’ and ‘High’ in this report can be considered ‘High’. The categories ‘Medium’, ‘Low’ and ‘Minor’ (Impact) and ‘Medium’, ‘Low’ and ‘Negligible’ (Likelihood) can be considered ‘Low’ Impact/Likelihood in their model.
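As an added illustration, not code from the original post, of the Risk = Likelihood x Impact calculation of section 3 applied to the impact and likelihood categories of sections 4 and 5: a small Python risk register that scores each entry and collapses it to the two-level Tonkes/Valsveld matrix. It assumes the midpoint of each likelihood band as the probability and an equidistant ordinal impact score (Minor = 1 to Disaster = 5); the sample register is constructed.

```python
"""Prioritise a third-party risk register with Risk = Likelihood x Impact."""
from dataclasses import dataclass

# Impact categories from section 4 as an ordinal score (assumption: equidistant).
IMPACT_SCORE = {"Minor": 1, "Low": 2, "Medium": 3, "High": 4, "Disaster": 5}

# Likelihood categories from section 5 with their percentage bands.
LIKELIHOOD_BAND = {
    "Negligible": (0, 20), "Low": (20, 40), "Medium": (40, 60),
    "High": (60, 80), "Almost certain": (80, 100),
}


@dataclass
class Risk:
    name: str
    category: str      # one of the section 7 risk factors
    impact: str        # key of IMPACT_SCORE
    likelihood: str    # key of LIKELIHOOD_BAND


def likelihood_value(category: str) -> float:
    """Assumption: use the midpoint of the band as a probability in 0..1."""
    lo, hi = LIKELIHOOD_BAND[category]
    return (lo + hi) / 200


def risk_score(risk: Risk) -> float:
    """Section 3: Risk = Likelihood x Impact."""
    return round(likelihood_value(risk.likelihood) * IMPACT_SCORE[risk.impact], 2)


def matrix_quadrant(risk: Risk) -> str:
    """Collapse to the High/Low Tonkes-Valsveld matrix described under Figure 1."""
    impact = "High" if risk.impact in ("Disaster", "High") else "Low"
    likelihood = "High" if risk.likelihood in ("Almost certain", "High") else "Low"
    return f"{impact} impact / {likelihood} likelihood"


def prioritise(register: list) -> list:
    """Return (name, score, quadrant) tuples, highest risk first."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r.name, risk_score(r), matrix_quadrant(r)) for r in ranked]


# Constructed sample register (hypothetical entries, not from the post).
SAMPLE_REGISTER = [
    Risk("Vendor loses security certification", "Compliance/Legal", "Medium", "Low"),
    Risk("Sole supplier goes bankrupt", "Financial Viability", "Disaster", "Low"),
    Risk("Subcontractor breach exposes client data", "Information Security", "High", "Medium"),
    Risk("Recurring SLA reporting delays", "Transactional/Operational", "Minor", "Almost certain"),
]

if __name__ == "__main__":
    for name, score, quadrant in prioritise(SAMPLE_REGISTER):
        print(f"{score:4.2f}  {quadrant:28}  {name}")
```

Note that the certification and SLA entries tie on score; the High/Low quadrant and the velocity argument of the introduction are what separate them in practice.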

6. Unaddressed risk can be unpredictable

If a third party cannot provide appropriate oversight of its own safeguards and controls, the Organization can be exposed to increased fiscal, operational and contractual, regulatory or reputational risk.

The most recent and famous example was the COVID-19 vaccine contract which the EU negotiated with one of the vaccine manufacturers. The "at best effort" clause created a higher risk for the EU of not reaching its contractual target, i.e., getting the EU population vaccinated in the shortest possible time. Broken processes, not taking effective action when issues arise and not monitoring remediation activities can be more costly than addressing the risk up front.

 

7. What is your Organization putting at risk?

The following risk factors can have an important impact on the success of your project or Organization:

  • Strategic Risk: Risk of unsuitable sourcing decisions by the Organization due to a lack of third-party alignment with the Company's business strategies and objectives.
  • Contractual Risk: Risk that the Organization does not receive products and/or services in line with its expectations due to incomplete or insufficient third-party contract provisions, or a third party’s inability to meet contract terms and conditions.
  • Discontinuity of service/product risk: Risk of the Organization’s operations being disrupted by the ineffectiveness of a third party’s business continuity program, or by the third party’s inability to provide services to the Organization for an extended period of time. This includes the risk that a third party decides to stop the production of a certain product or the delivery of a certain service.
  • Risk of Reputation Damage: Risk of brand damage to the Organization due to a third party’s inability to meet the Organization’s expectations and/or compliance. E.g., whereas a company could have a strong focus on its sustainability reputation, a huge pollution incident of their third party can hurt the public opinion about the Organization's brand.
  • Financial Viability Risk: Risk of disruption to the Organization's operations due to a third party no longer being able to provide products/services because it is unable to generate profit or maintain the capital necessary to support its ongoing operations. Risk elements such as the size of the third-party company, growth rates, profitability, liquidity, capital structure, access to capital, market position, geographic territory and depth of management need to be taken into account.
  • Credit Risk: Risk of a financial loss to the Organization that arises when credit exposure is caused by a third party holding, settling, or issuing a guarantee to the Company; or creating a liability for the Organization when the third party is not adequately managed.
  • Compliance/Legal Risk: Risk that the Organization is not in compliance with laws, ethical standards, or its own policies/standards/procedures because a third party does not have adequate compliance management controls over its products/services/tools.
  • Information Security Risk: Risk of inappropriate disclosure, corruption, or destruction of the Organization’s confidential information due to a third party’s failure to provide appropriate security and privacy controls over the institution's information.
  • Transactional/Operational Risk: Risk of a financial loss to the Organization and/or an adverse impact to the Organization’s product/service delivery due to inadequacies in a third party’s internal processes/people/tools and/or other third-party issues, e.g., no back to back terms and conditions with the third party subcontractor.
  • Geopolitical Risk: Risk of disruption to the Organization’s operations due to economic, social, and political conditions and events in a country that may adversely affect a third party’s operations or viability.

     

Examples of regulatory laws:

  • U.K. Data Protection Act
  • EU General Data Protection Regulation (GDPR)
  • US International Safe Harbor Privacy Principles
  • Consumer protection agencies — digital rights
  • Guides: European Union Agency for Network and Information Security (ENISA)
  • Industry: Payment Card Industry (PCI) Security Standards Council guidance

 

8. Risk Mitigation Plan

Although risk functions identify and prioritize the potential risk categories, they have no influence on whether a risk actually materializes.

So you may ask yourself: “What to do if your vendor goes bankrupt? What are the actions to be taken when the identified risk occurs?”

Risk management measures are divided into two groups: preventive and repressive measures. Within the preventive measures there are again two options. First, the risk leader can find ways to reduce or even eliminate the risk. Second, the risk function can try to mitigate the impact on the contractual objectives.

Repressive risk management measures are implemented after the risk has occurred; at that point the only possible measures are those that reduce the magnitude of the impact or restore the initial situation completely. The reconstruction of a burned-down building, using the funds of the insurance company, is in fact a repressive risk management measure.

The risk function consults with the contract owner about the risks that the risk leader has identified, the appropriate measures that he/she will implement, and how the communication with the third party about the risks and the measures will take place. Waiving a measure is also an option; this depends on the risk appetite of the Organization in general and on the cost-benefit balance. In that case the contract owner accepts the risk. All decisions are recorded for approval. The contract owner shall, in good cooperation, support the risk function in the final decision on the action.

 

9. Who takes the role as third party risk function in your Organization?

Risk management is often seen as the role of auditors and lawyers only. However, in early pre-contractual discussions these functions are rarely invited to the table with the third party. Therefore we do not limit the role of the risk function in this report to the compliance officers of your Organization. We think that any representative of your Organization who takes a seat at the table with a third party needs to be aware, from the outset, of the potential risks of that third party.

The following roles often assume the risk function duties in a third-party discussion:

  • Sourcing & Vendor Manager (SVM)
  • Contract Manager
  • Legal Counsel & Auditors
  • Service Manager
  • IT Architect
  • IT Business Partners
  • Business Managers
  • External Auditors

Now that you know what kind of contingencies can jeopardize your success and who needs to create risk awareness, continue to the next blogpost and learn how to improve your Organization’s TPRM capabilities.

 

10. References in this blogpost

Linda Tonkes, Gert-Jan Valsveld, CATS CM version 4 Succescontractmanagement, 4th edition, ’s-Hertogenbosch, Van Haren Publishing, 2020.

Gerco Rietveld, Inkoop een nieuw paradigma, 3rd edition, Den Haag, SDU uitgevers, 2010.

Walter Hoogmoed, Edward Appert, Managing third party risk in financial services - Key considerations for the extended enterprise, Deloitte, 2014.
