Managing Third-Party Contractor Risk
Companies of all sizes routinely outsource work to third-party contractors. Yet, each third-party hire comes with risk. Whether deliberate or unintentional, a third party’s actions can cost you money and harm your company’s reputation — particularly if they violate laws and regulations. Here’s how to contain possible threats.
Potential problems
Suppose your company employs an overseas trucking company to transport goods from a port to a customer’s warehouse. The driver could pay a kickback to customs personnel to release shipments quickly — potentially subjecting your business to bribery and corruption charges locally and in the United States.
In another scenario, a third party might expose your company to excessive risk because it lacks a robust cybersecurity program and is easily hacked. This is what happened when Target Corporation suffered a major data breach via its HVAC contractor.
Due diligence approaches
Due diligence is essential to reducing such risk. Before hiring a third-party contractor:
Identify applicable laws and regulations. Your company’s operating footprint will determine the laws and regulations governing your third parties. Anti-bribery and corruption laws often cover third parties and hold companies that engage them liable for their actions. It’s especially important to understand the laws in foreign countries where your business has a presence.
Gather relevant documents. Mitigating risk requires a detailed understanding of each third party. So collect all relevant information, such as incorporation and registration documents, explanations of ownership structure, insurance coverage proof and cybersecurity reports.
Classify third parties based on inherent risk. Risk varies according to the scope of services a third party provides. Although there are several ways to quantify third-party risk, they all require detailed evaluation. In general, the more access a third party has to your company’s IT environment, the greater the risk score you should assign it.
Scale due diligence to risk levels. The higher a third-party’s risk score, the more stringent your due diligence should be. For example, scrutinize a cloud computing provider or physical security system service far more rigorously than a landscaping company. Some companies outsource their due diligence investigations. These professional investigations range in scope from open-source inquiries, which primarily involve online research, to actual onsite inspections.
Annual reviews
Regardless of their inherent risk, every third-part vendor should undergo some form of review at least annually. After all, software, processes, personnel and even a company’s ownership can change over time. For the riskiest contractors, an executive with authority to approve or reject contracts should conduct the review.
(This is Blog Post #1147)