How to Build a Third-Party Risk Management Framework

12/13/2023

According to a recent Deloitte study on third-party risk management, businesses that invest in it are better equipped to understand interconnected risk.

They’re able to dedicate more resources to reducing supply chain, compliance and data risks – all by being able to engage effectively with third-party suppliers. 

That’s the crux of what third-party risk management is - it’s making sure you have the right policies in place to respond to risk in areas that aren’t always in your control. It’s managing every relationship you have, whether it’s in the supply chain or with investors that have a stake in your company. We’ll show you how to embed it into your organization, avoid pitfalls and reap the benefits.

Do you know where your business risks lie?

Chapter 1

Why is third-party risk management important?

As your business grows, you’re likely to rely on more and more outside parties to help achieve your goals. Outsourcing to third-party vendors has been a growing trend for years as more companies embrace digital transformation, instant transactions and frictionless customer experiences. These, combined with access to unprecedented levels of data, all provide new opportunities.

But with those opportunities come new challenges, including:

  • Higher scrutiny: Whether it’s new customer acquisition or data access, businesses are expected to be accountable for every procedure and not just talk the talk. You have to walk the walk and show that you’re implementing risk compliance for finance, privacy, ESG, operations and so much more.
  • Supply chain complexity: Globalization has led to teams across the board constantly needing to upskill themselves in new regulations. And with wars (i.e. the Russia-Ukraine war and the Israel-Palestine war), a recession and labor shortages, supply chain requirements have been changing rapidly and creating a lot of uncertainty for businesses.
  • Increased reporting: The people at the top (i.e. CEOs and board members) are expecting more coverage and documentation from the teams they manage. This means creating more paperwork and resources, which leads to more time and money spent on getting everything in order. 

So, what types of risk does a third-party risk management framework help to address?

  • Operational risk: This is when a vendor could potentially disrupt business operations and is usually managed through Service Level Agreements (SLAs). It’s useful to have more than one backup vendor in this case so any risk is mitigated and doesn’t slow down operations.
  • Legal and compliance risk: This is when a third party could damage a company’s compliance with local regulations and industry standards. Think of regulations like the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS).
  • Cybersecurity risk: This is when data breaches happen through cyberattacks and fraud schemes. This risk can be managed with due diligence for new vendors and regular monitoring of your vendor lifecycle.
  • Financial risk: This is risk associated with dwindling cash flow and revenue. For instance, you may not be able to sell several products because your supplier has a materials shortage, which further damages your supply chain.
  • Reputational risk: This risk comes from public backlash against a third party. The reality is that your own company’s reputation can be damaged by the faults of your suppliers. It’s a ‘guilty by association’ effect. If your suppliers are engaged in unethical activities, such as fraud, bribery, corruption, data breaches or the use of forced or child labor, your brand can easily come under fire. 

And once you consider all this, there are several advantages to building a strong third-party risk management framework. These benefits include:

  • Building resilience against unforeseen circumstances
  • Being able to adapt more effectively to changes in the market and industry
  • Reduced liability because your business is protected against potential lawsuits, fines and damage claims
  • Increased trust and loyalty from stakeholders, customers, investors and partners
  • Stronger competitive advantage because you’ve shown that you’re reliable, compliant with regulations and committed to being a socially responsible business

An interesting case study on third-party risk management is Nordstrom. In our Financial & Bankruptcy Outlook: Retail report, we shared key data and insights about why Nordstrom is in favorable financial health. For instance, Nordstrom has had consistent revenue growth from 2019 to 2023. Plus, Creditsafe data shows that the retailer’s DBT (days beyond terms) has consistently been below the industry average since March 2023. And in the last few months, things have improved even more as its DBT dropped from 11 in July to 4 in October.

But that doesn’t mean the retailer has been without its challenges. While it’s good to see Nordstrom’s DBT has been very low, our data shows that the value of its delinquent payments (91+ days) increased for four consecutive months from May to August 2023. On top of this, Nordstrom CEO Erik B. Nordstrom shared his concerns about record-high levels of theft and a rise in credit card delinquencies during the company’s Q2 2023 earnings call. These challenges could result in higher credit losses in the second half of 2023 and into 2024.

This goes to show you that just because a business seems to be doing well in one area, that doesn’t mean things are perfect. Risks can always arise. That’s why it’s so important to have risk management protocols at every level to prevent financial losses and other problems from slowing revenue growth. 

Chapter 2

What should you include in your third-party risk management framework?

We spoke with Bill James, Enterprise Sales Director at Creditsafe, as he has extensive experience in helping companies manage their risks. He shared 10 key components for an effective third-party risk management framework.

1. Risk Identification and Categorization: Define and classify different types of risks (financial, compliance, operational, cybersecurity, ESG, geo-political, location and people) that might arise from third-party relationships. Identify potential risk sources across the entire vendor ecosystem.

2. Due Diligence and Vendor Selection: Establish criteria for vetting and selecting vendors. Conduct thorough due diligence, considering factors like financial stability, reputation, compliance history, cybersecurity posture and adherence to industry standards.

3. Contractual Agreements and Risk Allocation: Develop clear, comprehensive contracts that outline responsibilities, liabilities, performance metrics and compliance standards. Allocate risks appropriately between your business and the third party.

4. Ongoing Monitoring and Assessment: Continuously monitor vendor performance, financial stability and adherence to agreed-upon standards. Regularly reassess risks and update assessments based on changes in the vendor landscape or business needs.

5. Cybersecurity and Data Protection: Assess the vendor's security measures, data handling practices and potential vulnerabilities. Establish standards for data protection, access controls and incident response so you can be compliant with relevant regulations such as HIPAA.

6. Contingency Planning and Resilience: Develop contingency plans and strategies to address potential disruptions or failures from third-party vendors. This includes backup plans, alternative suppliers and escalation procedures.

7. Compliance and Regulatory Adherence: Make sure vendors comply with relevant regulations and industry standards. Regular audits or assessments may be necessary to confirm ongoing compliance.

8. Internal Policies and Training: Educate employees about the importance of third-party risk management. Establish clear internal policies and procedures for engaging with vendors and make sure employees understand and adhere to them.

9. Reporting and Escalation Protocols: Implement clear reporting mechanisms and escalation paths for identified risks. Make sure that appropriate stakeholders are informed promptly and there are established protocols for addressing and mitigating risks.

10. Continuous Improvement: Regularly review and refine the third-party risk management framework based on feedback, emerging risks, industry changes, and lessons learned from incidents or audits.

As Bill James explains, “By integrating these elements into a cohesive third-party risk management framework, you can better manage and mitigate the risks associated with your relationships with third-party vendors. This will enhance your overall operational resilience and protect your interests.”

Bill also has a lot of helpful tips to share about third-party risk management and the importance of credit risk. “In the context of B2B third-party risk management, credit scores often play a significant role in assessing the financial stability and reliability of these external entities.

Credit scores

Here's how credit scores and risk relate in this context:

  • Financial Stability Assessment: Credit scores help evaluate the financial health and creditworthiness of third-party vendors. A poor credit score may indicate potential financial instability or difficulties meeting obligations, posing a risk to your business if you depend on them for critical services or products.
  • Risk Mitigation: Companies use credit scores as one of the factors in assessing the overall risk associated with engaging with a particular vendor. A low credit score might prompt a company to implement additional safeguards or to reconsider the terms of engagement to mitigate potential financial risks.
  • Negotiating Terms: A vendor's credit score can influence negotiations regarding payment terms, contract conditions, or the need for additional assurances (like guarantees or insurance) to protect against financial risks arising from the partnership.
  • Continuous Monitoring: Monitoring credit scores of third-party vendors over time is part of ongoing risk management. Changes in credit scores might alert businesses to emerging risks that could affect their operations.

In essence, credit scores serve as one of the tools to assess financial risk in B2B relationships, enabling businesses to make informed decisions about engaging with external parties and to take appropriate steps to mitigate potential risks. But it’s important to remember that credit scores are just one aspect of the broader third-party risk management process, which involves a comprehensive evaluation of various risk factors associated with these partnerships.”

Steve Carpenter

About the Author

Bill James

With over 15 years of experience in finance, risk management and data analytics, Bill understands exactly what enterprise businesses should be thinking about as they build their corporate growth and risk strategies. Prior to joining Creditsafe in 2021, he spent six years at Dun & Bradstreet as Area Vice President of Finance Solutions and Third-Party Risk & Compliance.  
