What is third-party risk, and how is it best managed?

We live in a world that is more interconnected than ever before. Managing any successful business, for example, now means handling a huge number of relationships and dependencies, and crucially these extend beyond the traditional boundaries of our own organizations.

With dependencies come risks, and specifically third-party risks: those that are harder to control and harder to manage, precisely because they emerge from individuals and organizations outside our immediate chain of command.

Third-party risks such as these can pose just as much of a threat to our reputation, financial performance, and operational efficiency as those that emerge from within our own organization. On that basis, it is just as essential to plan for them, identify them early, and respond appropriately. 

The rest of this blog post will provide some practical advice on doing just that.

What is third-party risk?

In simple terms, a third-party risk could be said to have two necessary conditions. It is:

• An event or circumstance with the potential to have a negative impact on an organization,
• That emerges from a third-party individual or organization

That sounds very simple, but covers a huge range of possible circumstances. In a world characterized by ever-more complex supply chains, a reliance on services provided by an increasing number of vendors, and partnership being standard in many business processes (including fully-contracting out many services), it should be understood that third-party risk is everywhere.

Each one of these relationships brings with it the possibility that an organization or individual we work with will do (or not do) something that causes material damage to our own business. 

And just as those risks can come from anywhere, they can take many forms.

Types of third-party risk

The full range of third-party risks is impossible to cover in a single blog post. But we can categorize these risks and discuss examples that will help you know what to look for and be aware of.

Specifically, consider the following types of third-party risk:

• Financial risk. For investment firms, the performance of third parties is literally the difference between profit and loss. Anything that impacts that performance constitutes a financial third-party risk to the business.
• Reputational risk. Our reputations often depend on the performance of third parties. Consider the example of a vendor which stores and processes customer data on our behalf, and suffers a data breach in which our own customer data is lost. It may not be our ‘fault’, but it damages our reputation.
• Operational risk.  When the smooth running of a business requires a number of third parties operating together, risk is inevitable. Consider the failure of a supplier to meet delivery targets, leading to lost revenue and customer dissatisfaction, for example. 
• Regulatory risk. We all need to stay on the right side of the law. But in many cases, we are also expected to ensure the partners, suppliers, and customers we deal with do the same. When they fail to do so, our own business often takes the hit.

As above, this is merely a summary. The true extent of third-party risk in today’s interconnected world is almost infinite. 

That’s the bad news. The good news is that with active scanning to detect these risks on the horizon, and by taking the right steps to counter risk, we can minimize their impact. Let’s talk about how to do that.

Identifying and monitoring third party risk

As we suggested above, the first step towards managing third-party risk is identifying it, and identifying it as soon as possible. As with almost any other situation in life, the sooner we are aware of risk events, the sooner we are able to act to avoid or mitigate them. Speed is of the essence.

Identifying third-party risk, however, is not easy. If we were to summarize the reasons why, they would look something like this:

• There are a huge number of third parties (both individuals and organizations) that we deal with every day
• The nature of those relationships is constantly changing, and
• We have limited ability to ‘see inside’ organizations outside our of own in order to identify emerging risks

Collectively, these three facts lead to one conclusion: it is not realistic to expect human beings alone to monitor for emerging third-party risks. Instead, some form of intelligent risk identification and monitoring solution is required. A solution very like AYLIEN News API, in fact.

The purpose here is to use the world’s news to help us spot third-party risk events early. But this approach must go beyond simple news alerts. To work effectively, it must incorporate:

• Scanning of a huge range of sources, both mainstream and specialist, from all corners of the globe and in multiple languages
• Accurate tagging of categories and entities in every article, which in turn ensures that only the most relevant events are surfaced (more on this below)
• The ability to quickly identify anomalies in the volume of coverage relating to a specific individual or organization, when it rises above the ‘background level’
• Identification of sentiment, and thus sharing whether any specific event is likely to have a positive or negative impact on the business.

The need for accurate tagging is of particular importance. 

Firstly, without intelligent entity tagging (which answers the “what is this story actually about?” question, any monitoring is made exponentially more difficult. Consider, for example, searching for news events relating to the company “Square” by using the keyword “square”. Results will contain irrelevant mentions such as ‘Times Square’, ‘Madison Square Gardens’, ‘Eyre Square’.   This is why AYLIEN uses natural language processing (NLP) to ensure we correctly recognise entities themselves, like Square Inc the company, rather than the words we use to represent them.

Secondly, many industry taxonomies used for tagging of content are inadequate to the task of monitoring third-party risk. Simply put, they are not built for the job, and thus do not identify and tag using categories that describe common risk events. 

AYLIEN News API, on the other hand, introduces Smart Tagger, which tags over 3,000 topical event categories and 1,500 industries to augment the efficiency and effectiveness of identifying risk events, including third-party risks.

With the ability to find, tag and report on risk events, the only question remaining is how to deal with them in a way that minimizes the damage to your own business. 

Managing third-party risk

If you have learned one thing by now, it is that third-party risk is a complex and wide-ranging subject. On that basis, it isn’t possible to cover the right way to respond to every eventuality and situation in this piece. 

However, I can offer some general principles. If these are followed, in many cases you will successfully avoid the worst consequences of third-party risk:

• Avoid it. Prevention is better than cure. When choosing which third parties to work with, take time to perform due diligence. To the greatest extent possible, work with organizations and individuals you can trust, and keep in close contact with them at all times.
• Build in redundancy. When you are dependent on one organization, operational risk in particular is heightened. Try to ensure that individual partners, suppliers or vendors can be replaced, or that if one is not performing another can be brought on stream. This is easier to say than do, but as an objective it is certainly valid.
• Act decisively. There is no benefit to spotting third-party risk early if you do not act quickly and firmly in response. Have the processes in place, and give your teams autonomy, so that you are able to do so. Plan for multiple scenarios in advance so that time is saved in the future.
• Do the right thing. In relation to reputational risk in particular, take responsibility for events, communicate clearly, and look to take practical steps to make amends. Third parties may not be your direct responsibility, but you should act as if they are. Don’t cover up. Take action.
• Be open and transparent. When customers, regulators, employees, or other partners are going to be affected by third-party events, let them know early and communicate constructively. Just as with your own organization, the sooner they know of potential impacts, the more time they have to manage them. Nobody likes to deliver bad news, but the sooner the better.

You can try AYLIEN News API for yourself, for free, with our 14 day trial. And if you're interested in learning more about how it can help you identify and monitor third-party risks, we'd be happy to talk more about it with you.