About the author
Phoebe Jordan
Managing Director | TPRM
Phoebe Jordan is the Managing Director, Third-Party Risk Management. She first joined the company in 2014 as an intern in the Sub Custody Team. She introduced third-party risk management to Thomas Murray, and currently has responsibility for sales, marketing and product across our third-party risk solution.
What is third-party and vendor risk management, and why is it important?
Vendor and third-party risk management (TPRM) is vital in protecting your organisation, your people and your wider community. Whether working with partners, suppliers, contractors or professional bodies, you need to analyse each of your relationships to see where you could be vulnerable. This analysis is the foundation of operational resilience – in other words, your ability to keep functioning during a crisis.
Treating your third parties as though they are departments within your own organisation is a sensible approach to risk management. Make yourself responsible for the actions that they take on your behalf and you can avoid nasty surprises, hefty non-compliance penalties and reputational damage.
Here are the key areas in which it can protect your organisation, along with real-world examples of where robust risk management could have made a big difference.
Data security
Third-party vendors often have access to your sensitive data, intellectual property, or critical systems. If these third parties have weak security controls or are compromised, you could become collateral damage. Robust due diligence includes an examination of the security posture of your suppliers and partners.
CASE STUDY Hackers go everywhere thanks to GoAnywhere
In March 2023, threat actors exploited a vulnerability in the file transfer service GoAnywhere that enabled them to attack dozens of GoAnywhere’s users.
Full details of the wide-ranging attack may never emerge. That’s because some affected organisations may not know they’ve been hit. The threat actors (widely thought to be the Russian-based Cl0p group) have not demanded a ransom, so it seems they are simply stealing and hoarding information.
Organisations that confirmed a breach through their use of GoAnywhere included banks and the City of Toronto.
Regulatory compliance
Many industries have specific regulatory requirements that govern customer data, privacy, and security. Organisations are ultimately responsible for ensuring that the actions of their vendors meet the compliance thresholds of their own industries. Failure to manage third-party risks adequately can lead to significant fines, legal consequences (including, in some cases, imprisonment), and reputational damage.
Complicating this picture is the fact that existing regulations are constantly revised, and new legislation is emerging all the time.
Regulators take a dim view of organisations that run their supplier relationships on trust or, worse, let their third parties operate without oversight.
CASE STUDY Regulator calls British Gas’s aggressive third party to heel
A news reporter with The Times went undercover with debt collectors from Arvato Financial Solutions as they forced their way into the homes of British Gas customers who had fallen behind on their soaring energy bills. The UK government described the resulting 2023 report as “deeply shocking and concerning” and summoned British Gas executives to a meeting with the Energy Minister.
Ofgem, the UK’s energy regulator, launched an investigation after public outcry over the ‘force fitting’ of prepay gas meters. Although the agents were acting legally, that did little to counter footage of elderly people and parents of newborns trying in vain to stop locksmiths from breaking in their doors. Ultimately, Ofgem changed its rules to prevent further force fitting.
Chris O’Shea, the CEO of British Gas’s parent company Centrica PLC, said, “The allegations around our third-party contractor Arvato are unacceptable and we immediately suspended their warrant activity.”
Business continuity
It is rare for an organisation to function effectively without a network of third-party vendors for its critical services, products, or components. Problems with a third party’s operations can harm your organisation’s ability to maintain business continuity.
Effective third-party risk management helps identify and mitigate potential disruptions, establish contingency plans, and ensure the availability of essential services or resources.
CASE STUDY Weathering the storm: Ensuring a drug supply from Puerto Rico
In the 1960s and 70s, pharmaceutical companies were drawn to Puerto Rico by a now-expired US federal tax incentive. Even today, many pharma and biotech companies have manufacturing plants in the territory, making Puerto Rico a key part of the world’s drug supply chain. That supply chain was put at risk in 2017, when Hurricane Maria devastated the island.
Although robust contingency plans to deal with extreme weather events were in place, the reality of the situation demanded flexibility from crisis management teams. Amgen, to take one example, had assumed that operations could resume once the power was restored – but had reckoned without a collapse in communication systems and internet connectivity, which made tracking down employees and finding business continuity plans on internal networks nearly impossible.
In the days after the storm, employees at Amgen’s HQ in California had to print out copies of the standard operating procedures, then send them to Puerto Rico on a corporate jet.
Reputational risk
There are two main ways in which third parties can hurt your reputation.
Firstly, your stakeholders are paying more attention to ESG (environmental, social and governance) issues. They are looking at your supply chain to see if you are doing business with disreputable organisations, or with firms that don’t advance your stated ESG aims.
Secondly, and on a related note, a third party with poor governance can directly harm your organisation’s reputation. Governance failures in a third party that can reflect negatively on your organisation include:
• a serious, yet avoidable, security breach;
• violations of its (or your) compliance obligations;
• ethical misconduct – particularly among senior people over an extended period of time. This could be anything from embezzlement to bullying and harassment.
Proactive third-party risk management helps minimise reputational risks if you carefully select vendors and partners, monitor their activities, and address potential issues promptly.
CASE STUDY Say bye-bye to the CBI: Cutting ties with a toxic organisation
The CBI, a UK business lobby group, announced on 18 September 2023 that it was within days of collapse. At one point, the CBI had claimed to represent 190,000 members employing around 7 million people, but in 2023 its membership quit in droves.
Earlier that year, the Guardian reported on a widespread culture of sexual harassment at the CBI, and claims by two women that they had been raped by their colleagues at CBI social events. Mere weeks after the reports appeared, its director-general resigned over a separate misconduct allegation made by a female colleague.
This extreme governance failure left most organisations with a clear decision – protecting their own reputations meant breaking away from the CBI. Among the many terse public statements made by departing members was that of real estate agency JLL: “We are terminating our membership of the CBI with immediate effect ... In light of the distressing allegations, which continue to point to a culture that isn’t aligned to our values, our relationship with the CBI has become untenable.”
Supply chain resilience
Modern supply chains are complex and interconnected, with multiple tiers of suppliers and vendors. Disruptions or failures at any point in the supply chain can make it difficult – or impossible – for an organisation to deliver products or services. Managing third-party risks helps identify vulnerabilities, diversify supplier sources, and establish robust contingency plans to improve supply chain resilience.
CASE STUDY When supply chains go sideways: The saga of the Ever Given
Committed landlubbers developed a keen interest in international shipping when the Ever Given – an ultra-large container vessel (ULCV) – was blown sideways across the Suez Canal. For six long days in 2021, the enormous ship was tugged and pulled, and the banks of the canal were dug and drilled, as crews worked frantically to free it.
While many online commentators saw humour in the Ever Given’s undignified predicament, others saw a disaster: the growing queue of ships waiting to enter the canal, but going nowhere with their billions of dollars’ worth of cargo.
Maritime analyst Cormac McGarry points out that the world’s reliance on ULCVs makes them prime targets for threat actors of all kinds. Speaking to Foreign Policy magazine, he said, “The broader concern with megaships is that we are pouring highly concentrated volumes of our critical supply chains into vulnerable positions, so we are losing the spread of risk. It leaves businesses more exposed to singular, isolated events. And it’s not just wind that threatens to stop these ships.”
Financial impact
You can suffer a significant financial loss if even one of your third parties experiences a security breach or an operational failure, or is found to be in violation of its compliance obligations (including those it has because of its connection to your organisation).
The costs associated with incident response, breach notification, legal actions, customer compensation, and reputational damage can be substantial. Continuously monitoring your third parties and vendors to identify and address risks as they emerge is key to minimising your financial risks and maintaining your organisation’s financial stability.
CASE STUDY Target hit as collateral damage after third-party breach
The US retail giant Target was dragged into years of legal wrangling and expensive settlements after credentials stolen from a third-party vendor allowed threat actors to gain access to Target’s gateway server.
The attack happened in 2013, but Target was still in court – and paying costly legal fees – four years later. According to its own financial reports, the total cost of the data breach to Target was in excess of US$202m.
At the time, the Target breach was one of the biggest ever to hit a US retailer. Hackers stole the credit and debit card information of up to 40 million Target customers. Many of those individuals joined a class action that was resolved with a confidential settlement.
Target also lost a number of its senior leaders as it scrambled to manage the fallout. Casualties included its CEO, president and board member, Gregg Steinhafel, who resigned from all three roles after 35 years spent working his way up the ranks.
The judge demanded that Target adopt “advanced measures” to protect sensitive customer data. This included recruiting an executive to oversee a comprehensive information security program, and hiring an “independent, qualified third-party” to run a comprehensive security assessment and encrypt payment information so as to make it useless if stolen.
Competitive advantage
A strong and mature risk management programme can provide a competitive advantage. Customers and business partners want to work with organisations that take data security, privacy, and risk management seriously. A considered approach to dealing with risk can differentiate you from competitors.
Apart from contributing to building trust and credibility with your clients, customers, and wider community, it can also give you an edge over competitors when your industry or sector faces common challenges.
CASE STUDY A lightning strike in Albuquerque: Ericsson’s dropped call
On a dark and (presumably) stormy night at the dawn of this century, lightning struck a high-voltage power line in New Mexico. Power surges across the state triggered a fire at a Royal Philips Electronics manufacturing plant in Albuquerque. And so it was that, in March 2000, a risk management crisis lurched into life.
Nokia and Ericsson both sourced radio chips for their mobile phones from Philips, chips that were made at the New Mexico plant. However, the two companies reacted differently to Philips’ reassurances that supply would resume within a week or so.
Ericsson took the time frame at face value. As a major Philips customer, it was content to settle for being near the front of the queue when normal service resumed.
Nokia, on the other hand, treated what Philips was framing as an inconvenience as an existential threat to its business. Nokia insisted on involving a team of its own engineers and executives in formulating Philips’ alternative solutions, even as a Nokia procurement team was successfully securing all available chip supplies from other providers. And around the world, Nokia’s design teams co-ordinated their work on redesigning its chips so that they could be produced in other Philips plants and by other manufacturers.
Too late, Ericsson realised that it had missed out on any opportunity it had had to protect its bottom line – in 2000, its mobile phone business reported a second-quarter loss of US$200m.
Nokia, by contrast, reported a market share increase of 3% for the same quarter.
Legal and contractual obligations
Your organisation’s relationships are (or should be) governed by contracts or service level agreements (SLAs). Proper risk management ensures that your vendors and other third parties meet the contractual requirements related to security, data protection, compliance, and performance. This can protect your own legal interests, facilitate dispute resolution, and mitigate the legal risks associated with so many vendor relationships.
Before breaking a contract with any of your third parties, make sure you’re on solid legal ground. Even in seemingly clear-cut situations, complex arguments can arise over technicalities in the wording of your agreement, and what kind of remedies are available to your supplier. Not everyone can afford to do what Meta did in September 2023, when it paid £149m to break its lease on a London office building.
You can also further your own environmental, social, and governance (ESG) aims by incorporating specific clauses into your agreements with your vendors and third parties, which require them to align their practices with your ESG strategies.
CASE STUDY ESG: Welcome to the fine print
ESG clauses are becoming more common in third-party and vendor contracts and SLAs, but the wording needs to be tailored for your own organisation and its specific risks.
If you have a large organisation with a particularly complex supply chain, your clauses may need to require what lawyers call ‘pass through’ – that is, obliging your third parties to pass along your own ESG requirements to their third parties and vendors. These entities are sometimes called ‘fourth parties,’ but since they have suppliers of their own it may be more helpful to think in terms of ‘multi-party risk.’
Enforcing pass-through clauses of this kind can be difficult without continuous monitoring and accurate reporting. You will also need to ensure that you can audit your extended supply chain if clauses of this sort are going to be worthwhile.
Automation is for everyone
The world of risk is evolving and becoming more sophisticated. It only makes sense that your risk management strategies and tools should change to meet these new challenges.
A spreadsheet and a laborious, inefficient manual process that creates more risks than it addresses are now things of the past. Whatever the size of your organisation, and whatever the maturity of your risk management programme, we can help you to adopt leading-edge solutions that meet your specific needs. Get in touch to find out more about what we can do to protect your organisation.