How to Manage IT and Non-IT Third-Party Risks

Third-party risk comes in many forms. Use this guidance to gain a comprehensive view of vendors, suppliers, and partners.
By Scott Lang, VP, Product Marketing
April 19, 2024

The pervasive threat of third-party cyber-attacks merits significant due diligence when evaluating new and existing vendors, suppliers, partners, and contractors. However, security and risk management professionals must not overlook the significant risks that exist outside of IT, such as those associated with reputational, financial, legal, compliance, and ESG disruptions.

Many of these “softer” risks lack clear guidelines for assessing vendors, yet they can be equally damaging to a company’s reputation, brand, value, and ability to meet its contractual commitments. This post reviews five of the most significant non-IT risk categories.

Executive Brief: Managing IT and Non-IT Risks

Discover how to gain a more holistic view of vendor, supplier and partner risks.


5 Non-IT Risks to Monitor

The following five primary categories of non-IT risk can impact your company’s ability to meet its obligations.



1. Operational Risk: Supply Chain Disruptions

The COVID-19 pandemic and resulting supply chain disruptions were clear evidence that businesses can be impacted by non-IT events. For example, Armstrong Flooring and cosmetics giant Revlon both cited supply chain disruptions in their bankruptcy filings.

Operational risks will continue to exist in the post-COVID world, and in an unstable political environment they multiply. In addition to affecting the supplies of grain, fertilizers, and natural gas, the Russian invasion of Ukraine halted production at two Ukrainian companies responsible for between 45% and 54% of the world’s supply of semiconductor-grade neon used in manufacturing chips. Continued attacks on shipping in the Red Sea by Houthi rebels threaten to upend global shipping. Additionally, unexpected disasters can significantly impact supply chain operations, such as the Francis Scott Key Bridge collapse, which effectively rerouted $80 million of maritime cargo and trucking from one of America’s largest ports.

For risk management professionals, understanding the resilience of their supply chain is critical. This includes evaluations of incident response, business continuity, and disaster recovery plans. With a holistic understanding of your suppliers’ capabilities, your organization can better prepare to reduce operational risk from pandemics, environmental disasters, and other potential crises.

2. Compliance Risk Resulting in Fines and Lawsuits

Regulatory frameworks are growing more complex each year. Most, including HIPAA, PCI-DSS, GDPR, PDPA, the Québec Private Sector Act, and CCPA/CPRA, are focused on protecting the personal information of customers and employees. A common thread is that all require organizations to understand where risk exists (typically through a risk assessment), maintain a plan for mitigating that risk, and report back to regulators. This extends to risks presented by vendors, business associates, contractors, and partners.

Perry Johnson & Associates (PJ&A), a medical transcription services provider, was breached in March 2023, exposing the personal information of more than 9,000,000 individuals. The breach drew the attention of the U.S. Department of Health and Human Services (HHS) and resulted in class action lawsuits filed against several of PJ&A’s medical customers, as well as lost customers. Although a business associate agreement almost certainly would have been in place between PJ&A and its customers, that agreement did not shield those customers from reputational damage and legal challenges of their own.

As organizations continue their digital transformation, compliance requirements are extending to new services and vendors, including web hosting, payment processing, and cloud service providers. To mitigate this risk, you must not only understand which regulatory standards apply to your organization and its vendors but also fully assess your vendors’ operations and controls. After all, penalties and lawsuits can be expensive, disrupt operations, and cause reputational damage.

3. Corporate Social Responsibility Risk from Poor ESG Behavior

The concept of being a “good corporate citizen” has been around for a while but is evolving as awareness increases. At one time, organizations could meet the definition of corporate social responsibility (CSR) by giving back to the community through donations of time and money. However, CSR is increasingly associated with environmental, social, and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees, and communities; and how it deals with executive pay, internal controls, and shareholder rights.

A growing issue in several industries is the use of slave and child labor. For example, news reports of child labor being used to mine cobalt for batteries brought focus to the supply chain practices of Apple, Microsoft, Tesla, Samsung, and others. In addition to reputational damage, several companies faced lawsuits for their practices.

Regulatory pressure is also growing in the areas of climate, governance, and fighting corruption. The European Union (EU) Parliament passed the Corporate Due Diligence Act and Corporate Sustainability Directive, which mandate that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example, pollution and biodiversity loss.” The German Supply Chain Due Diligence Act requires similar assurances.

Navigating ESG requirements can be challenging for risk executives accustomed to focusing only on IT-related issues. Understanding regulatory and industry guidelines for ESG can help assess potential suppliers, vendors, or other third parties against your organization’s policies and customer expectations.

4. Financial Risk from Supplier Viability Concerns

The financial health of vendors and strategic partners is critical when assessing third-party risk. After all, a vendor can only support its clients if it is financially sound – and it may be too late to make adjustments after a bankruptcy filing is announced. Financial risk can also arise if one of your company’s competitors acquires a key reseller or distributor, potentially closing off a geographic or vertical market while alternate channels are established.

Understanding a vendor’s financial risk goes beyond examining last year’s balance sheet. For instance, customer or distribution partner losses or missed earnings could result in a restructuring or discontinuation of specific offerings. In addition, the loss of key executives could signal a downturn in revenue or an upcoming lawsuit.

While many organizations review financial risk before onboarding a new vendor, risk executives require ongoing monitoring of their vendors and partners to mitigate and manage risk throughout the relationship.

5. Reputational Risk from Doing Business with Unethical Companies

Fair or not, organizations are judged by the company they keep. It therefore makes sense to pay attention to the practices of your partners. Reputational harm from working with unethical vendors or suppliers can damage your business. Sudden disclosures of unethical actions can also disrupt supply chains as suppliers move or rebuild operations and face litigation.

Risk managers need to monitor public and private sources of reputational information, lawsuits, and impending sanctions throughout the business lifecycle, including sanctions lists such as those maintained by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, the UK Sanctions List, and the EU Consolidated List of Sanctions.

6 Strategies to Reduce Supplier Reputational Risk

Discover which reputational risks to watch out for, what penalties to avoid, and how to automate and simplify your reputational risk management initiatives.


Next Steps: Learn to Manage Third-Party Risk Holistically

Third-party risk management processes must evolve for organizations to effectively stay ahead of both IT and non-IT threats. Discover how to gain a holistic view of vendors, suppliers, and partners across the third-party lifecycle in our white paper, How to Manage IT and Non-IT Third-Party Risks. This paper includes essential guidance on how to:

  • Associate third-party risk types to IT and non-IT domains
  • Align internal teams with the third-party risks that matter most to them
  • Map third-party risk types and teams to each stage of the vendor lifecycle

With this comprehensive guidance, your organization can get control over IT and non-IT third-party risks. Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
