Third-Party Risk: What is it and Why Does it Matter to Your Business?

Paige Smith

The recent collapse of Silicon Valley Bank (SVB) has startups and small businesses alike talking about third-party risk. Couple that fresh concern with an increased reliance on tech services over the past few years, and you have more and more people wondering what third-party risk entails—and how to reduce it for their businesses. 

Below, we explain what third-party risk means, why it matters to your business, and how you can minimize your company’s risk. 

What is third-party risk?

Third-party risk is the likelihood that your business will experience an unwanted event when you partner with or outsource tasks and services to third parties. A third party is any separate company or individual that provides software, supplies, services, or items to your business. Third parties can include software-as-a-service (SaaS) providers, vendors, suppliers, staffing agencies, consultants, contractors, and financial institutions. 

These groups and individuals often have access to sensitive business data, like your company’s financial details, your customers’ personally identifiable information (PII), internal business metrics, company sales and inventory numbers, and operational processes. 

Though you might be diligent about your business’s cybersecurity and protection measures, the third parties you work with may not be. Even if a third party you work with has secure systems and protective measures in place, they’re still subject to some degree of risk—just like your operation is.

What is counterparty risk? 

While third-party risk applies to a wide variety of providers and scenarios, counterparty risk is more specific. Counterparty risk is the likelihood that a company or individual involved in a credit, investment, or trading transaction will default on their contractual obligation. 

Counterparty risk exists in relationships with lenders and banks, as well as vendors and suppliers. With the SVB collapse, the bank defaulted on their contractual obligation to provide their banking customers with the money they withdrew; this is an example of counterparty risk. 

Why does third-party risk matter? 

Third-party risk can cause significant problems to your business, including disrupted operations, dissatisfied customers, and financial losses. As more companies rely on outsourcing to achieve business objectives, reduce costs, and save time, third-party risk is becoming a larger issue. 

According to 2023 data from Clutch, 83% of small businesses surveyed said they will maintain or increase their spending on outsourced businesses this year. Though third parties can increase operational efficiency and contribute niche expertise to your business, they also increase your exposure to potential problems.  

In Prevalent’s 2022 Third-Party Risk Management Study, 55% of organizations surveyed experienced a compliance violation, 54% experienced a supply chain disruption, and 45% experienced a security incident. 

If you don’t effectively manage third-party risk, your business could struggle with daily operations, reputation damage, fractured tech infrastructure, and supply chain headaches. At best, you lose customers and revenue opportunities; at worst, you could face hefty lawsuits and major financial setbacks. 

Types of third-party risks

Not all risk is alike. Some risks produce the same consequences, but each risk has different trigger points and levels of severity. Here are the most common third-party risks:

Cybersecurity risk

Cybersecurity risk refers to the likelihood of exposure or loss resulting from a cyber attack, data breach, or another security breach. Cybersecurity problems can affect your business’s technology, customer data, and reputation. 

Every third party that relies on technology to store sensitive data or complete important transactions or tasks necessary to your business’s functions is subject to cybersecurity risk. However, cybersecurity risk is especially high in relationships with software vendors and financial institutions. 

Let’s say, for example, that you use a SaaS provider for inventory management. That SaaS provider didn’t put the necessary protocols in place to safeguard their systems, and wound up dealing with a string of cyberattacks. As a result, you were locked out of your business’s account and couldn’t access important details about your supply levels, order processing, and sales. 

Operational risk

Operational risk refers to the likelihood that a third party will disrupt or compromise your regular business operations. Operational risk exists with any third-party provider, but occurs most often with vendors, suppliers, contractors, and consultants. 

Imagine, for example, that your main inventory supplier operates in an area prone to natural disasters. If your supplier can’t fulfill your inventory order because of a hurricane, you’ll experience delays in your inventory and order fulfillment. You might have to postpone or cancel customer orders as a result, losing valuable sales and customer trust. 

Legal or regulatory risk

Legal or regulatory risk is the likelihood that a third party will negatively affect your business’s compliance with local, state, federal, or industry regulations and laws. You have to worry about legal risk with all third parties, but it’s especially important to watch out for if you’re part of certain sectors, like financial services, healthcare, or government organizations.

Let’s say you sell USDA-certified organic food and beverage products. However, unbeknownst to you, one of the vendors you work with hasn’t renewed its organic certification. Their negligence puts your business at risk of selling and marketing products that aren’t certifiably organic under the USDA’s criteria. You could face lawsuits, customer boycotts, and negative press as a result. 

Reputational risk

Reputational risk is the likelihood of a third party influencing public opinion of your business in a negative way. Reputational risk exists alongside all the other types of third-party risks but is especially common in relationships with software vendors and financial institutions. 

As an example, imagine you rely on a credit card processing vendor to process your customers’ transactions. When that vendor fails to update their own security software, they experience a data breach, meaning information is stolen from their system. Your customers’ PII, including their credit card details, is now exposed. Not only can you lose customers and future sales opportunities as a result, but you’ll also have to rebuild your reputation as a trustworthy business. 

Financial risk

Financial risk is the likelihood that your business will suffer a financial loss because of a third party. Financial risk overlaps with all the other types of risks and can happen with any third party you work with. 

Here’s an example: You decide to hire a marketing specialist to create and run a holiday marketing campaign that will reach new customers and escalate demand. However, when that specialist falls behind on the deadlines they promised you, you and your team have to scrape something together at the last minute. 

As a result, you don’t reach the large number of customers you were anticipating, and your sales and revenue drop accordingly. Missing the crucial holiday window to boost your revenue for the year sets you behind going into the next quarter. 

How to minimize third-party risk

To some degree, third-party risk is inevitable when you work with people outside of your business. However, there are helpful steps you can take to minimize third-party risk and protect your business from potential problems. 

1. Review your current vendors and create risk profiles for them

Assessing your vendors’ individual risk levels is the first step in mitigating third-party risk in your business. You may decide to replace certain vendors, reevaluate your contracts with others, or approach them to ask questions about their risk management practices. 

Start by making a list of the various organizations and individuals you work with, including contractors, SaaS providers, suppliers, vendors, and financial institutions like banks, lenders, and credit card companies. 

In a private and secure spreadsheet, note the following: 

  • The services or functions you use each vendor for 
  • The various business systems, services, data, and physical locations each vendor has access to
  • The vendor’s cybersecurity program and protocols

From there, rank each vendor according to their value, necessity, and risk level. For example, you might determine that a freelance graphic designer you work with brings a lot of value to your marketing, but isn’t critical to your business’s everyday functions. And because that designer only has access to your internal business brand guide, they pose an extremely low risk. 

On the other hand, a point-of-sale (POS) software provider brings tremendous value to your business, is essential to your everyday operations, and also poses a high risk, since they have access to your customers’ PII. The more critical a vendor is to your business and the higher their risk level, the more often you need to reevaluate their security practices and operational systems. 

2. Vet new vendors thoroughly

Before you work with new vendors and third parties, you need to make sure that the risks they pose are reasonable and manageable. Consider the following steps:

  • Do your due diligence: Conduct research on your potential vendors to make sure they’re legitimate and up-to-date with relevant compliance measures and licenses. You can review their business information, licenses and certifications, references, online reviews, and public financial data. 
  • Send new vendors a questionnaire: Before you finalize your relationship with a potential vendor, ask them to fill out a comprehensive questionnaire on their information security and privacy practices, their physical data center security, their operational processes in connection to you, and their compliance with any industry, local, state, or federal laws relevant to their services as a third party. 
  • Evaluate their risk level: Using the same process you used with your current vendors, assign each new potential vendor a value, necessity, and risk score. You can use these numbers to decide whether or not a particular third party is worth the risk. 
  • Sign a contract: It’s a good idea to include a section in your vendor contract that addresses third-party risk. First, make sure you list the security, privacy, compliance, and business continuity controls a vendor should have in place before working with you. Second, outline the regulatory requirements you and your vendor are each subject to, as well as each of your responsibilities to abide by the requirements. 
  • Review vendors regularly: Create a vendor assessment process that outlines what you should do every quarter or year to review your vendors. That might include re-sending your questionnaire once a year to ask vendors for updates or holding an annual meeting with your vendors to review risk management strategies and get on the same page. 
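The risk-profiling procedure in steps 1 and 2 (inventory each vendor, record what they have access to and whether they run a security program, assign value, necessity and risk scores, and re-assess the critical, high-risk ones most often) can be kept honest by making the scoring rule explicit. The following script is an added example and is not from the article; the access categories, the sensitivity weights, the score discounts for a security program or a recent questionnaire, and the tier and review-interval thresholds are all assumptions chosen to illustrate the approach, and the sample vendors are constructed to mirror the article’s designer and POS illustrations. It goes slightly beyond the text by also deriving a review cadence from the resulting tier.

```python
"""Vendor risk register: score third parties and derive a review cadence.

Added example, not from the article. The access categories, weights,
discounts and thresholds below are illustrative assumptions, not an
industry standard; adjust them to your own business.
"""
from dataclasses import dataclass, field

# Assumed sensitivity weight for each kind of access a vendor may hold.
ACCESS_WEIGHTS = {
    "customer_pii": 5,
    "payment_data": 5,
    "financial_records": 4,
    "production_systems": 4,
    "internal_metrics": 2,
    "physical_premises": 2,
    "brand_guide": 1,
}


@dataclass
class Vendor:
    name: str
    services: str                          # what you use the vendor for
    access: set = field(default_factory=set)  # keys of ACCESS_WEIGHTS
    essential: bool = False                # needed for everyday operations?
    value: int = 1                         # 1 (low) .. 5 (high) business value
    has_security_program: bool = False     # documented cybersecurity program
    has_recent_attestation: bool = False   # questionnaire answered this cycle


def risk_score(v: Vendor) -> int:
    """Higher means riskier: sum the sensitivity of everything the vendor can
    reach, discount for evidence of security practice, raise for essential vendors."""
    unknown = v.access - set(ACCESS_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown access categories: {sorted(unknown)}")
    score = sum(ACCESS_WEIGHTS[a] for a in v.access)
    if v.has_security_program:
        score -= 2
    if v.has_recent_attestation:
        score -= 1
    if v.essential:
        score += 3
    return max(score, 0)


def risk_tier(score: int) -> str:
    """Assumed thresholds: 8+ high, 4..7 medium, below 4 low."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def review_interval_months(v: Vendor) -> int:
    """More critical and riskier vendors are re-assessed more often."""
    tier = risk_tier(risk_score(v))
    if tier == "high" or (v.essential and tier == "medium"):
        return 3
    if tier == "medium":
        return 6
    return 12


def build_register(vendors):
    """Rows sorted riskiest-first, ready to paste into a private spreadsheet."""
    rows = []
    for v in vendors:
        s = risk_score(v)
        rows.append({
            "vendor": v.name, "services": v.services, "access": sorted(v.access),
            "value": v.value, "essential": v.essential, "risk_score": s,
            "risk_tier": risk_tier(s),
            "review_every_months": review_interval_months(v),
        })
    return sorted(rows, key=lambda r: (-r["risk_score"], r["vendor"]))


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    Vendor("Freelance designer", "marketing graphics", {"brand_guide"}, value=4),
    Vendor("POS provider", "point of sale",
           {"customer_pii", "payment_data", "production_systems"},
           essential=True, value=5, has_security_program=True),
    Vendor("Inventory SaaS", "inventory management",
           {"internal_metrics", "production_systems"},
           essential=True, value=4, has_security_program=True,
           has_recent_attestation=True),
    Vendor("Staffing agency", "temporary staff",
           {"internal_metrics", "physical_premises"}, value=2),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VENDORS):
        print(row)
```

Running the script prints the register with the POS provider on top (high tier, quarterly review) and the designer at the bottom (low tier, annual review); the two medium-tier vendors differ in cadence only because one is essential to daily operations. Raising a `ValueError` on an access category that is not in the weight table is deliberate: an unlisted kind of access is exactly the gap a risk profile should surface rather than silently score as zero.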

3. Create backup plans 

Contingency plans can help you control third-party risk and pivot when you need to. Your contingency plans will be specific to your business goals and the third parties you work with, but here are some general strategies to consider: 

  • Put systems in place to manually track and record important business information in case a SaaS provider fails. This can be as simple as tasking someone on your team with downloading and saving automatic software reports to a secure but accessible cloud folder. 
  • Have backup vendors and suppliers on call in case something goes wrong with your primary contacts.
  • Always make sure more than one person in your business is trained and up to date on your operational processes and security protocols. 
  • Create specific contingency plans for the third parties that pose the biggest risks. 
  • If you have the resources, you may also want to consider using cybersecurity software to fortify your small business tech infrastructure. 

Paige Smith

Paige is a content marketing writer specializing in business, finance, and tech. She regularly writes for a number of B2B industry leaders, including fintech companies and small business lenders.