Managing Third-Party Risk

Today, most organizations are outsourcing critical business operations to third parties. While internal business activities present a level of risk, third-party relationships can significantly increase the level of risk an organization is facing. The quantity, cost and difficulty of performing due diligence on third parties makes managing third-party risk especially challenging. Earlier today we published a white paper on this topic, which lays out the five steps to managing third-party risk.


Third-party security breaches can cost organizations hundreds of millions of dollars and be devastating to the business. Reputational harm and litigation can take years to overcome. These risks are impacting organizations daily; however, many companies rely on hundreds or thousands of outside third parties to make their business succeed. The sheer volume of these relationships creates a complex ecosystem among internal parties, and between the organization and the third parties themselves.


To remain competitive, organizations must balance risk management against the cost of mitigating third-party risk. Several key steps to building a successful program to manage third-party risk include:


1. Assigning third-party risk ownership to the appropriate department or external group.
2. Providing sufficient resources for and prioritizing third-party risk management.
3. Understanding the fundamentals of information risk management.
4. Implementing a five-step process for managing third-party risk.


Don’t allow your organization to be devastated by a security breach at a third party. Doing nothing is not an option. Perform the proper level of due diligence to protect your company from becoming a victim of a third-party breach and the resulting litigation. Recent breaches and other security events have highlighted the necessity of implementing a third-party risk management program. Done properly, such a program lets companies find the balance between risk and cost, freeing up the organization to focus on its objectives and growth.


In my next blog post, I will discuss measuring inherent risk (the exposure from a third-party relationship) and how to categorize it into a risk tier, so you can perform the right level of due diligence for the third party.