In December 2022 a hacking group breached one of Uber’s main suppliers, Teqtivity. By accessing its AWS server, the cybercriminals gained access to the full names, email addresses, and work locations of over 77,000 Uber employees, as well as specific device data. Effective third-party risk management (TPRM) could have prevented the attack, and that’s why you need to know how to implement the right controls to protect your business. Read our article to gain more insights and learn how to perform effective TPRM.
At Trustpair, we provide effective account validation that prevents third-party fraud. Contact an expert to learn more!
What is TPRM (third-party risk management)?
Third-party risks are the potential negative effects of partnering with external vendors and suppliers, the organizations linked to them, and so on (all the way up the supply chain). For example, you might face IT problems, because your systems won’t cooperate with a supplier, or even cybersecurity and fraud risks if their platform becomes compromised and exposes yours.
Since every onboarded third-party platform increases the potential risks associated with your teams, TPRM aims to identify and control those risks. By being aware of them, your team is more likely to succeed in their management, and therefore prevent disastrous events.
Why is TPRM important?
TPRM is an integral business process, especially for larger businesses or those operating in regulated industries.
One example that highlights the importance of TPRM occurred when fake medical supply companies cashed in during the pandemic. Thousands of fake pharmacies were set up to provide ‘covid treatments’, including supplying illegal and unlicensed medicines and services to customers and even to other medical centers.
Interpol announced that they closed thousands of these in June 2021. But the damage was already done for some genuine partners, who faced significant reputational impacts, and therefore a drop in financial performance.
If only those genuine businesses had done their due diligence beforehand, properly investigating their partners and managing the risks associated with them.
Other important reasons to perform TPRM processes include:
- Regulatory compliance: ensure that your third parties meet regulatory requirements and prevent penalties for your business
- Promoting a safe environment: set up internal controls to promote safety during onsite visits
- Protecting confidential information: keep sensitive data out of the wrong hands by controlling third party access
- Maintaining or increasing performance: scale sustainably and identify operational risks associated with the partnership
- Strengthening supply chain relationships: work closely with suppliers to decrease their risk and improve your business relationship
What are the main third party risks?
There are five common categories of third party risks:
| Risk | Definition | Example |
|---|---|---|
| Cybersecurity (cyber-risk) | Involving the potential compromise of your online-based activity and digital platforms. | In November 2022, T-Mobile admitted that the personal data of 37 million customers had been stolen when one of their third party APIs was breached. Data like billing address, name, date of birth and email address were all stolen in the cybersecurity leak. |
| Operational | Threats to your usual daily tasks, product output and productivity. | An airline company noticed that its brand new replacement part was showing signs of wear and tear. Upon investigation, the part was found to have been accompanied by forged paperwork from a bogus supplier. As a result, thousands of jet engines had to be inspected and checked, causing problems on the operational side of every aviation provider that had used this supplier. |
| Compliance | Risks that ruin your ability to comply with industry regulations. | An anonymous enterprise construction company recently came under tremendous pressure to meet customer shipment demands. They turned to sourcing materials from Iran, going against US regulations. The US’ Office of Foreign Sanctions and Controls recently settled the case. |
| Reputational | Threats to your brand’s perception or company name. | Fraudsters duped US baby product manufacturers between 2013 and 2018, negotiating significantly discounted products on the basis that they would be sent to Suriname. Using fake contracts and creating a fake program from the Suriname government, they later sold these products back on the US market, keeping the profits. This caused significant reputational damage for the US vendor associated with these fraudsters, who were later imprisoned. |
| Financial | Involving the potential to harm your revenue and profits, or an increase to expenses. | In 2018, Adidas suffered from storage issues in its Asian warehouses. As demand grew, their suppliers’ inability to produce and store items in China, Cambodia and Vietnam meant that Adidas could not fulfill its North American orders. It’s estimated that the company lost out on between $200 million and $400 million worth of orders in the first half of 2018 alone. |
What is the TPRM process?
There are six key steps to effective third party risk management:
- Sourcing
- Onboarding
- Risk assessment and scoring
- Risk monitoring
- Performance management
- Offboarding
Sourcing
While sourcing and selecting new vendors, you should complete a basic risk assessment. Here, you’re doing due diligence to ensure that their overall financial, operational and privacy processes are secure.
Plenty of specialist vendor onboarding software platforms provide programs to automate this, or it could be done manually with a questionnaire.
Onboarding
Once the new third party is selected, you’ll enter them into your vendor database for management. Don’t give them access to parts of your system yet, but consider preparing a dedicated API for the integration in advance, so that any access granted later is controlled (for security and privacy purposes). Secure vendor onboarding is key in any third party risk prevention program.
Learn more about vendor onboarding in our JAGGAER x Trustpair white paper!
Risk assessment and scoring
This is one of the most important parts of TPRM, since it helps qualify whether or not you should give a third party access to your systems. A third party risk assessment should identify the biggest risks associated with that third party.
Each third party’s risk score gives a clear picture of the level of risk, and of the potential impact if the risk turns into an event. Before approving a vendor into the system, you can put internal controls in place to manage and reduce the risks highlighted in the assessment.
Risk monitoring
After identifying all the risks, it’s up to your business to monitor how third parties are controlling and managing them. Using third party intelligence services, you can screen cyber intelligence, financial reports, operational changes and regulatory updates, for example.
Third party monitoring technology is required to ensure that the level of risk will not increase above a critical level over time.
Performance management
Performance management refers to checking whether third parties are meeting their business terms with you. Assessing the following factors is useful in performance management:
- Ability to meet shipping deadlines
- Frequency of correct orders, and remediation for errors
- Adhering to compliance requirements and access rules
Offboarding
Once contractual obligations are met, companies can offboard their vendors as part of the lifecycle. In the context of third party risk, this means cutting access to internal systems, removing accounts and settling outstanding balances.
What are third party risk management best practices?
Some companies have nailed the supplier risk management process, whereas others struggle to contain the risks. We firmly believe that a few TPRM best practices can make all the difference.
Encourage a culture of due diligence
A siloed third party management process can feel disjointed, and companies are more likely to miss out on key risk factors. Instead, standardizing the risk management process across departments will be more effective.
Businesses can create a true culture of due diligence if employees are empowered to document their evidence. By enabling staff to act on their suspicions, companies are more likely to be ‘in the know’ about how their third parties operate. They say knowledge is power, and in this case it translates into better protection for the financial, reputational, compliance and operational functions of an organization.
Don’t stop at third parties
Third parties are the direct businesses that partner with yours, but have you thought about all of the other platforms, suppliers and vendors that partner with them? These could still expose threats to your organization, and are known as fourth parties.
Unfortunately, fourth parties can present just as much risk to your business as third parties, especially if they become compromised or make mistakes, as this can have a knock-on effect through the entire supply chain.
The good part, though, is that protecting against fourth party risks is very similar to protecting against third party ones. The same risk assessment, risk scoring and monitoring methods apply, ensuring your firm keeps its eyes wide open to fourth party risks.
Rely on specialist platforms
Purpose-built third-party risk management platforms exist to help businesses streamline the whole process. Some work through the lens of regulatory compliance, while others offer vendor databases to help you track the risks.
Trustpair supports your TPRM efforts through ongoing validation of third-party account information. By verifying that details like the account number and name match external records, we effectively prevent third party payment fraud. Plus, you can ensure you’re always paying the right vendors the right amounts, preventing bookkeeping and invoicing mistakes.
Try Trustpair to prevent your third party risks from leading to financial damage.
Your TPRM recap
TPRM involves the identification, reduction and monitoring of third party risks to secure your cyber, operational and financial security. Encourage a culture of due diligence and get visibility into the entire supply chain to make your TPRM more effective. Moreover, rely on platforms like Trustpair to automate risk reduction.