Third-Party Risk Management: Why It Works & Doesn’t 

Outsourcing is a huge part of the professional landscape these days, and it makes sense. Getting a specialized outside perspective can be great for your project and the bottom line, but when left unchecked, that extra help can cause its fair share of issues. That’s why this “third-party risk management” concept is more popular than ever. 

Everyone you know outsources some aspect of their project or business—for good reason. But like any other use of resources, some risks can surprise and terrify you, and those come part and parcel with third-party expertise. 


This post will explain third-party outsourcing, the risks involved, and how you manage this very specific type of uncertainty. We’ll cover

  • What is Risk?
  • What Risks Are Caused By Third Parties? 
  • What is Risk Management?
  • What is Third-Party Risk Management?
  • The TPRM Lifecycle
  • Uses of Third-Party Risk Management in PM
  • Why Third-Party Risk Management is SO Helpful
  • Drawbacks of Third-Party Risk Management 

What is Risk? 

Risk is the result of any event that has an uncertain outcome. Risk looked like a sabertooth tiger and questionable berries in the hunter-gatherer days. These days it can include crossing the road, investing in a property, changing careers, and more. 

While the immediate danger has lessened a bit, risk is still everywhere. Most of our life is spent mitigating, controlling, exploiting, or avoiding hazards. 

The other thing to know about risk is that there are two distinct types. 

  1. Threats
  2. Opportunities

No matter how uncertain, each event can have a positive outcome (opportunity) or a negative one (threat). In a project setting, you might have a contractor finish their work within the budget and ahead of schedule, which breeds the opportunity to continue to capitalize on that time. You might also have a team member fall ill, putting the project behind schedule and making the budget questionable. 

No matter your setting, risk can turn the tides in ways you’d never even think to expect, which makes the whole concept of risk management that much more critical. 

What is Risk Management?

Risk management can seem like trying to predict the future and managing smoke, but that couldn’t be farther from the truth. Most functions of business that you are familiar with originate from someone attempting to curb the uncertainty that always seems to haunt businesses. 

Law departments came from someone looking to prevent lawsuits before they ever happen. PR firms came from someone attempting to control the narrative before events could ruin that narrative. Quality control was born from someone’s attempt to mitigate issues with production. 

Today, everything we understand to be a crucial aspect of business started with someone deciding that prevention was better than reacting to that specific issue. 

That preventative piece can’t be ignored. 

Risk management is best used as a preventative measure. You sit down with the relevant parties and try to predict everything that can go wrong. You also look for everything that can go right. While running from fire to fire is easy, risk management helps create and control good outcomes. Both aspects are needed. 

Where Third-Party Risk Management Comes In

Risk management, in most businesses, is used to control the internal and external risks the business can foresee. And with all the pros of that practice, there are also cons. 

Many risk management processes are manual and take up a lot of time, money, and energy. Due to the lack of automation available, they also tend to be unscalable. You can’t simply increase your team’s workload because the process is labor-intensive and generally sensitive. 

Depending on the department, project, and company, risk management efforts are usually tucked away, happening in front of a small set of eyes, and those eyes don’t have any specialization. They live disconnected from the rest of the project or business. 

And when the problems start stacking up, business and project leaders turn to new solutions like third-party risk management. 

What is Third-Party Risk Management?

Over the last few decades, there’s been a huge uptick in organizational reliance on outsourcing. Business leaders and project managers alike recognize that having an expert handle a specific aspect of your business is extremely helpful. But it’s also true that the more you have going on, the more there is to manage. 

Most managers and leaders find themselves in a position where the team can’t keep up with all the third parties used. Most processes happen through email, spreadsheets, and other tools that can easily become a silo. 

There is too much surface area in those processes. The baton is handed off so many times that workflows become something more like a professional game of telephone. It’s just the truth of adding resources, people, and other conditions to the landscape of a business. Each of those opens the business up to more risk. The same goes for a project. 

Third-party risk management allows the organization (or management team) to make risk-informed decisions related to third parties. It also allows them to reduce the risk to a tolerable level. For clarification, these “third parties” can also be called vendors, suppliers, partners, contractors, or service providers. 

The main focus of this concept is fully understanding the third parties you use, how they are used, and what safeguards are in place. For project management, third-party risk management is especially useful. 

Why Third-Party Risk Management is SO Important

You might not understand why all these explanations are needed. Third-party risk management is just risk management that looks at “third parties,” right?

Yes. That is true. But it ignores how crucial and central outsourcing has become to businesses. In recent years, the idea of adding departments or hiring team members to handle single tasks has become a luxury. The cost of that kind of expansion can put a project under these days, which is why outsourcing has become so popular.

Bring in an expert for a period of time. Keep them as a resource to use when the time comes, but save the cost of keeping them on payroll 24/7—something that is almost impossible in a project setting.


Outsourcing can invite innovation, promote business growth, and support the team by opening the project up to new perspectives. But, as with anything, too much reliance can be an issue, especially when third parties are left to their own devices. 

And it’s true that a good vetting process is important, but vetting alone doesn’t help much once the third party is already on board. 

As a result, third-party risk management is more important than ever. The pandemic taught us that we can’t get too comfortable. We have to remain versatile and flexible to the changes each day brings so that when the big stuff happens, when a more significant storm comes, we are ready to bear it. 

Risks Caused By Third Parties

Every facet of a project is vulnerable to some kind of uncertainty. Third parties like suppliers, contractors, and vendors are no exception. But the type of uncertainty they create is a bit more niche than most other groups due to the detached nature of their work. 

Some of the specific types of risk they present include

  • Operational risk – your project, your team, and the day-to-day functions can all rely heavily on outsourced services, which means that any issue the third party faces could negatively impact your progress. 
  • Legal risk – internal activities can be monitored and held to a standard that your leadership team has to approve, while other teams may not have those same standards or monitoring in place, which can open the whole collaboration up to legal trouble. 
  • Financial risk – when supply chain, legal, or operational issues result in a bill, third-party vendors might relax on other aspects of their business to pay that bill, making them vulnerable to more financial impacts. 
  • Security risk – the more hands information passes through, the more vulnerable it becomes, which means that bringing in a third party can create security risks as it relates to your job site, your data, or your project’s information. 
  • Transactional risk – delivering a service or a project is something that goes wrong all the time because people don’t stick to the schedule, mismanage task details, and more, which makes the project, the timeline, and the budget vulnerable. 
  • Reputational risk – by using a third party, you practically staple your reputation to theirs, which can either end with a positive result for your project’s reputation or a negative one. 

Third-Party Risk Management Lifecycle

As with any process, there’s a good deal of flexibility. You can expand, shrink, and shift parts until the whole thing fits your project, but when we discuss the third-party risk management process, these are the parts we are referring to. 

  1. Onboarding
  2. Creating a tier system
  3. Assessing the risks
  4. Generating the findings
  5. Remediating issues
  6. Reporting the events and related results
  7. Monitoring third parties
  8. Retiring the vendor, contractor, or supplier

Each is explained in greater detail below. 

1. Onboarding 

You have to be sure that the people you work with are a good fit for your project, your team, and your needs. They have to move through a vetting process and be allowed to continue. We recommend that you create a vetting standard as a preventative measure. Make sure that they are the right third party. 

Once you’ve done that, we recommend that you consider, discuss, and document the following.

  • What type of data will they access?
  • How sensitive is that data?
  • How will access be granted?
  • What location will their work take place in? 
  • What issues or opportunities could be a result of their location?
  • Are they providing a critical service? If so, what is it?
  • What is the history of the security of the project?
  • What business continuity plans does the vendor, contractor, or supplier have in place?
  • What regulatory bodies does your organization require they comply with?
  • What is their financial situation?

The more thorough your questioning and planning, the easier this process will be.

2. Your Tier System

This step is also called a tiering assessment. Basically, you decide how closely your vendors are watched by deciding how often they are assessed. 

Compare the onboarding information collected from each of your outsourced groups. Try to order them from the least risk-prone to the most. You might only create two categories, such as “critical” and “normal.” Whatever kinds of risk you are most concerned with are the ones you should base your tiers on. 

3. Assessment 

Each party you outsource to has its own landscape that it’s attempting to navigate. Your project is just a tree in that picture—not the whole world. Because of that disconnect, you need to regularly assess your vendors, contractors, and suppliers for risks that can threaten (or enhance) your project. 

As mentioned in the previous section, the amount and frequency of assessment your contractors face depends on the tier they were placed in. 

4. Sort Your Findings (And Use Them)

You’ve been doing a lot of poking up to this point, so you might need to take a breath. Questions have been churned up in this process that will need to be answered. 

We recommend that this phase is dedicated to clearing up any confusion. Allow the third party to respond to your findings and address any questions. 

5. Remediation & Responses

This stage of the third-party risk management process looks like a lot of back and forth with your contractors. Everyone gets on the same page regarding the risks, tasks are generated and assigned, topics are discussed, and proof of all of this might be necessary. 

We recommend that all the communication be documented and stored to be accessed later. 

This stage might also include each group assessing and then accepting some risk. 

6. Report As Needed

This stage is included just to be sure that you document the findings and place them somewhere that is 

  1. Readily available 
  2. Easily viewable
  3. Accessible by all stakeholders

How far you take this stage depends on the internal landscape of your project. 

7. Monitor

No matter the tier you assign to the third party, you’ll need to assess the risk they pose again. Any changes will need to be documented. If the state of the issue, opportunity, or the party itself changes, some action must be triggered. 

The action can involve 

  • A tier change
  • An assessment 
  • A response plan

This step is included to help you prevent further development of the risk you addressed throughout this process. Setting up a system is not enough; you also have to use it. 


8. Retire

At some point, your relationship with every exterior party is going to end. Before that end comes, you need to establish a process for withdrawal. 

This stage works best if you consider the following. 

  • Is this relationship closed, or will there be use in the future?
  • Will their access be necessary at a later date?
  • How is access revoked?
  • How will the state of their access and what they can access be documented?

The great thing about this step of the lifecycle is how it gives you a choice. You can end your relationship with this group on a good note that leaves the channel open or closes this chapter completely. 

The Use of Third-Party Risk Management in Project Management

If you are familiar with normal risk management practices, this whole topic might seem a little redundant. You sit down, think about what issues your vendors and contractors could cause, make plans to address them, and then move on to the next thing. 

And while that technically covers the basics, it overlooks the deep-seated reliance we have on outsourced applications and services and how much of a problem that reliance could be. 

While the benefits of any type of risk management heavily outweigh the disadvantages, the uses of this practice—specifically in project management—can save your project. 

The main uses of third-party risk management include

  • Cost reduction 
  • Regulatory compliance 
  • Risk reduction
  • Knowledge sharing
  • Increased confidence

The most critical use of third-party risk management is cost reduction. Vendors can destroy your budget if you’re not careful. By creating a system that monitors resources used by third parties, you can be sure that the return on that investment is proportionate. You can protect your budget from being taken advantage of. 

Another huge piece of this puzzle is regulatory compliance. If a contractor handles a situation (especially one regarding security or data protection) outside of protocol, they will have to face the music. The resulting problems and opportunities can land right back on the project’s head. 

The other use of this practice is keeping everyone on the same page regarding the things that threaten both the project and your relationship with your vendors, contractors, and suppliers. 

Tips For Using Third-Party Risk Management

These principles are extremely useful, but only when used right. That’s why we have a few tips to keep in mind for using third-party vendors, suppliers, and contractors while ensuring things stay on track. 

1. Prioritize

Which tasks are the most exposed to risk? Who is handling those tasks? 

Decide whether or not you will

  • Share confidential business information
  • Share any employee data
  • Share data across borders of states or countries
  • Serve a critical business function with each third party

2. Use Automation Where You Can

Traditional risk management processes can be both time-consuming and labor-intensive. Third-party risk management is no exception. 

Use the tech you have to make this whole ordeal as easy and visible as possible. 

3. Think Beyond JUST Security Risks

Financial, reputational, and transactional risks can sneak up on you, but security risks are the ones everyone pays attention to. When working through third-party risk management, keep track of more than that. 

4. Visibility Saves Money

When people understand the vision, the goals, and the risks that can threaten a project, you give everyone involved another layer of protection. You increase buy-in and awareness exponentially by being transparent and communicating what to look for, how the issues can develop, and how your third-party risk management system works. 

5. Develop Your Standard

Third parties come and go, but your project remains. You need to know what behaviors you accept. More importantly, you need to know what you don’t accept. And in line with the “transparency tip,” the more people understand this standard, the better off your project will be.

Ignorance Can Cost You

Third-party risk management is becoming more and more necessary as projects become more reliant on outsourcing. That also means that disruptive events are more and more likely to derail your operation. 

Whether there are internal outages, external outages, vendor issues, or organizational changes that can affect the security of the whole project, you’ll be glad that you took these measures. Because as risk-ridden as outsourcing can be, getting outside help saves money, gives you access to specialization you wouldn’t have otherwise, and can help grow your business tremendously. 

It’s not crazy to think that almost every business relies on some form of outside help, which means that taking protective measures is imperative. 

Here at A.McBeth, Inc., we are big fans of learning. Learning new ideas, perspectives, and practices is a huge part of growth—for you and your career.

Anthony McEvoy