Today Eric talks about third-party risks and offers some ideas every organization should keep in mind when assessing its own third-party risk.
First, we encourage everyone to think outside the box and contemplate the actual third-party risks that their specific organization faces. We often assume third-party risk applies only to organizations that operate overseas or have anti-corruption exposure. Third-party risks are much broader than that, and organizations should take the time to consider them.
Second, Eric talks about how third parties are the “perfect storm” for risk. It’s hard to imagine any organization these days that doesn’t have third-party risk. Additionally, we talk a little about how third parties are logistically hard to monitor. Eric points out that despite these difficulties, organizations are liable for the actions taken on their behalf.
Third, there is a way for organizations of all sizes and types to reasonably manage the risk they face from third parties. Have a plan. Be consistent. Apply your limited resources based on a risk analysis. Guiding principles for due diligence include gathering as much information about the third parties as you can, understanding the business rationale for the relationship, and establishing the parameters of the ongoing relationship.
Eric also talks a little about tiering or ranking risk. We list off several factors that you can consider when ranking the risk of a third party.