Assessing the Risk of Third Parties
In a recent report, Stay Ahead of Growing Third-Party Risk (free, but registration required), research and consulting firm Gartner analyzes the state of risk associated with third-party companies—those companies an organization hires to complete projects or otherwise support operations.
The report focuses on two findings from a survey of corporate legal and compliance leaders. First, the scope of work of third-party companies has evolved over time, with 80 percent reporting that organizations use third parties to perform new-in-kind technology services and two-thirds reporting using an increasing number of startups and business model innovators as third-party service providers.
Projects involving these types of contractors typically have an evolving scope that adapts as discoveries are made and opportunities are identified. Often this leads to the third party needing to add to its expertise by contracting with another company, creating a fourth-party arrangement. These companies have access to data, analytics, and business models, potentially have physical access, and have a host of other potential touch points.
Couple that with the other finding, that organizations typically perform compliance and due diligence activities before a third party is hired and then again when a contract or project must be recertified, and the risk is obvious.
The report makes three recommendations for compliance officials:
- Streamline due diligence to focus on critical risks
- Establish internal triggers to monitor for change
- Create controls and incentives to monitor for change