How to uncover the risks of third-party relationships in your supply chains

Many times, organizations vet their third parties, including contractors and vendors primarily using surveys, which depend on accuracy and honesty in their responses. But how likely is any organization to self-report bad news such as a finding of non-compliance or data breach?

Businesses depend on surveys and other traditional vetting processes — despite the problems they can create — for various reasons. Perhaps they don’t know how or where to find data that would provide a more accurate picture of third-party risk. Or they may not have the resources to collect information on hundreds, thousands — or hundreds of thousands — of business partners.

Whatever the reason, risks to their organization continue to snowball as these enterprises take on more vendors, suppliers, resellers, and contractors.

The price of TPRM blind spots can extend beyond minor glitches or supply-chain delays to costly, potentially business-crippling threats. These threats include data breaches, ransomware, cloud environment compromises, and privacy violations that could send an enterprise spiraling into non-compliance.

At least one-third of our US survey respondents said that, in the past year alone, they’d experienced significant disruptions due to third parties: software supply chain disruptions (47%), cloud breaches (45%), third-party platform exposures and outages and downtime (41%), or data exfiltration (39%).

All eyes on the data-driven TPRM prize

Regulators are paying close attention to third-party risks, and how companies deal with them. Recent guidance from the US Department of Justice emphasizes the importance of using data to help improve compliance programs. And memos from the Biden administration underscore the federal government’s focus on fighting corruption and improving cybersecurity.

Your third parties’ business practices reflect on your company, too. Investors looking at Environmental, Social, and Governance (ESG) factors will likely want to know that your third parties are operating lawfully and ethically. And to track and report ESG activities, your company must monitor its third-party risks.

Aware of these concerns, PwC and Microsoft sought a solution to the third party problem using new and emerging technologies: artificial intelligence, automation, and data analytics.

Like the lion’s share of enterprises, Microsoft was primarily using surveys to get information on its vendors — more than 250,000 of them. Keeping tabs on the risks they posed, from onboarding all the way through the end of each contract, proved expensive and time-consuming, not to mention rife with blind spots.

These concerns aren’t limited to any one enterprise or industry: they affect most, if not all. But the support of today’s technologies can quickly and accurately give an enterprise a clearer and more expansive view of its third parties — saving time and money, and improving compliance.

Finding the riskiest needles in the third-party stack

Seeking a better way to vet and monitor third-party relationships, PwC developed Third Party Tracker. This solution mines surveys and internal and external information to help determine which vendors pose the highest risk to your enterprise.

The software uses a risk-scoring methodology with parameters that can be customized for your business. Third Party Tracker analyzes data that helps answer specific questions, including: Has it had issues in the past such as data breaches, adverse media reports, or findings of non-compliance? How does it fare with ESG concerns such as sustainability and human rights? In a sense, TPT can help you begin to understand the trustworthiness of your third parties on matters that are important to your business.

Third Party Tracker also considers individual factors such as the amount of business your enterprise is doing or plans to do with the third party and the level of access it has to your networks and data.

Microsoft used Third Party Tracker to identify the riskiest entities among its channel resellers. By focusing its due-diligence efforts on these high-risk entities — rather than applying them to all 250,000+ — the company saved millions of dollars. Eliminating false-positive alerts saved the company additional time and money.

Strengthening the chain

With a list of high-risk third parties in hand, your company can then determine how to best address each. Are any too risky? You may curtail or even end your dealings with them. Or you may opt for on-site audits, or instill controls to mitigate risks. And you may wish to change how you onboard and assess your third parties.

Should your third parties’ risk levels rise or fall, you won’t need to wait until the next survey to find out. Third Party Tracker flags when risk scores change so you can get ahead of problems before they happen. Before: And the data it provides helps you talk to your board about the risks so it can exercise better oversight.

Given today's technologies, there’s no reason to remain in the dark about risks. Companies that report being more cyber-secure in the last two years are 11x more likely to understand their third-party risks. Having this knowledge can also create stronger bonds of trust between your business and its third parties and give you the confidence to forge ahead — together — in today’s highly competitive market.