Why Companies Fail at Third-Party Risk Management and How to Avoid Common Pitfalls


The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies or opinions.

Ah, Third-Party Risk Management (TPRM). The phrase alone is enough to make seasoned executives break out in a cold sweat. And why shouldn’t it? After all, what could be more terrifying than entrusting the survival of your meticulously managed company to an external vendor whose risk management strategy probably consists of little more than crossing their fingers and hoping for the best?

So, why do companies consistently trip over their own feet when it comes to TPRM? The answer is simple: because managing third-party risk is hard, boring, and, let’s face it, often feels like an exercise in futility. Why bother vetting that small cloud service provider when you could be working on something truly important, like color-coding your email inbox?

Let’s delve into the reasons why companies fail spectacularly at TPRM and then—because I’m feeling generous—I’ll offer a few pointers on how they might just get it right.

Why Companies Fail at TPRM

  1. The Blind Faith Approach: Companies love to assume that their vendors are just as invested in protecting their business as they are. After all, why would a vendor put your data at risk when losing you as a client would hurt their bottom line? This is the corporate equivalent of assuming your teenager will clean their room without being asked—possible, but highly unlikely. Vendors, particularly those lower down the supply chain, may not have the resources, incentives, or even the understanding to manage risks as diligently as you would like.
  2. The “Set It and Forget It” Syndrome: There’s a magical belief in the corporate world that once you’ve conducted an initial risk assessment, you’re done. It’s like buying a gym membership and expecting to get fit without ever stepping on a treadmill. Risks evolve, vendors change, and that exhaustive questionnaire you made them fill out three years ago is now about as useful as a VHS tape in the age of streaming.
  3. The Box-Ticking Mentality: Let’s face it, TPRM can feel like a chore. So, what do many companies do? They treat it like a formality, a check-the-box exercise that’s more about satisfying the compliance department than actually managing risk. The problem? A false sense of security is worse than no security at all. And let’s be honest, how many vendors have been approved simply because the executive sponsoring them didn’t want to lose the tee time with their golf buddy, the vendor’s CEO?
  4. The Overconfidence Delusion: “We’ve got a contract; what could possibly go wrong?” Ah yes, the belief that a few legal clauses will shield you from all harm. Contracts are important, but they’re not magical talismans. When things go south—whether it’s a data breach, a supply chain failure, or a regulatory hiccup—a contract won’t help you mitigate the damage in real time. It will, however, provide hours of fun as you litigate over whose fault it was while your business burns.

How to Do Better at TPRM

Now that I’ve thoroughly trashed the common approaches, here are a few ways you can elevate your TPRM game—if you’re serious about it, that is.

  1. Trust, But Verify (And Then Verify Again): Stop assuming your vendors are up to the task just because they have a snazzy website and a solid sales pitch. Implement a continuous monitoring process. Yes, this means regularly checking in, auditing, and reassessing your vendors. It’s about as much fun as watching paint dry, but hey, at least you won’t be caught off guard when the vendor’s idea of “data security” turns out to be a padlocked filing cabinet.
  2. Dynamic Risk Assessments: Forget the one-and-done approach. Risks are like gremlins—they multiply when you’re not paying attention. Regularly update your risk assessments, especially when there are changes in your vendor’s business operations, the regulatory landscape, or your own business environment. Think of it as a health check for your vendor relationships—one where a clean bill of health today doesn’t guarantee anything tomorrow.
  3. Go Beyond the Contractual Comfort Zone: Sure, contracts are essential, but they’re not foolproof. Establish strong relationships with your vendors based on transparency and communication, not just legal jargon. It’s like marriage counseling but with fewer feelings and more spreadsheets. Make sure everyone is on the same page when it comes to risk management responsibilities, and don’t shy away from tough conversations.
  4. Build a TPRM Culture, Not a Checklist: The most successful TPRM programs are those where everyone—from the C-suite to the interns—understands the importance of managing third-party risks. This requires more than just policies and procedures; it calls for a cultural shift. Think of it as getting everyone in the company to care about TPRM as much as they care about the office coffee machine. It’s a challenge, but if you can pull it off, you’ll be miles ahead of the competition.
  5. Prepare for the Worst, Hope for the Best: A strong incident response plan is your safety net when things inevitably go wrong. Test it, update it, and make sure your vendors are part of it. It’s like having insurance—you don’t want to use it, but you’re glad it’s there when the metaphorical house burns down.

In conclusion, TPRM doesn’t have to be the stuff of nightmares, but it does require a dose of reality. Stop treating it like an afterthought, and start giving it the attention it deserves. After all, the next big scandal could be just one vendor slip-up away. So, unless you want to be the next headline, it’s time to get serious about third-party risk management. And who knows? With a little effort, you might even sleep better at night.
