The Inherent Value of Third-Party Risk


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Dallin Ingalls shares the inherent value that is associated with a strong third-party risk management framework.

A bank's customers typically trust that the bank has well-defined security measures to hold and protect their deposits, i.e., the vault. While there is immense value in preserving a bank's physical assets with a well-designed vault, it is equally essential to protect a company's customer information, financial information, and reputation through well-defined third-party risk management.
Third-party risk management creates "vault-like" security for a company when it engages with a third party. A company may choose to work with a third party for several reasons, such as saving costs, moving work outside the organization, or increasing its efficiency, and each of these brings its own risks to manage, protect against, and safeguard. The third-party relationship ultimately becomes an extension of the organization. Understanding that these risks can result in monetary exposure and reputational damage makes their management and monitoring critical to a company's success.
Historically, third-party risk management has been considered a back-office function focused on procurement and contracts. It was "a hoop to jump through," thought many higher-level executives. This may remain the case until their company appears in headlines such as "…to pay $18.5M for 2013 data breach that affected 41 million customers". While each of the 30 different risk categories drives value and protects an organization, some of those risks may have more impact than others.
The reality is that the dangers of engaging third parties are genuine, tangible, and costly. Capturing and understanding these risks has value that can ultimately save companies from damaging events that could cost them millions. A study completed by IBM states that the average cost of a data breach in the US is closer to $7.9M and growing. Protecting against these types of risks brings direct monetary and reputational value to the organization, contributing to its success.
The financial impact of a cyber-attack may be more noticeable and dominate headlines in the short term. Still, the impact on reputation can be far more wide-reaching and long-lasting. One of the most significant challenges a company's board of directors faces is protecting the company's reputation, because a positive company image is directly tied to obtaining and retaining customers. In the words of Benjamin Franklin, "it takes many good deeds to build a good reputation, and only one bad one to lose it." Actively working to protect reputation involves constant monitoring and continued training, as well as plans to address adverse events.
Another critical factor in third-party risk management is capturing the initial risk, collecting due diligence, and ongoing monitoring of the engagement. The OCC recommends assigning clear roles and responsibilities through proper documentation and reporting capabilities. A combination of technology, tools, and the right people can lead to effective monitoring. One of the most significant issues in third-party risk management stems from the ever-changing technology landscape. With the methods of attacks and breaches changing, those involved need to stay current with the landscape. A changing environment can also be an excellent opportunity for the practice's future. Monitoring can be simplified through automated delivery of tasks, advanced visuals, dashboard tracking, and eliminating tribal knowledge.
As the practice of third-party risk management continues to evolve, a resilient and adaptable team is crucial to the company's success. It can be challenging when the reward for these efforts remains mostly "smooth sailing" and "business as usual," but having proper plans in place when a risk event occurs can be the difference between open doors and closed doors.
The future of third-party risk management will see changes as the practice continues to mature and develop in response to new technology and challenges. Capturing and reacting to third-party risk creates opportunities for companies to invest in the integrity of their suppliers and promote "vault-like trust" for their customers. As technology continues to change, the process of third-party risk management will also adapt, and the approach may vary.
Still, the company will always own the risk. The practice of third-party risk management will migrate from reactive risk practices to a proactive and forward-looking approach. Because risk can never truly be eliminated, it will always remain, and it should always be a top priority for a company and its management.

SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the "gold standard" in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.

Dallin Ingalls, Engagement Manager for Supplier Risk Management, Zions Bancorporation

I am an Engagement Manager in Supplier Risk for Zions Bancorporation. I graduated from Brigham Young University and lived in Indianapolis with my lovely wife and two beautiful daughters. My passion is people, and I'm grateful for the opportunity to work with so many different people and learn something new every day. In my free time, I love to cook, play hockey, disc golf, explore the outdoors, and spend time with my wonderful family. My favorite board game also happens to be Risk.