You know that your contractors/freelancers are third-party vendors. But what about the law firm you use? Yep, third-party.
And the print shop who prints your brochures? Third-party.
While figuring out which entities are third-party contractors, you also need to figure out the risks you’re taking on when you use them.
More than just “suppliers”
You no doubt think of lawyers and your janitorial service as third-party suppliers. After all, they “supply” you with a monthly service for which you contract.
Yet any company or person with which you’ve entered into a business relationship is a contractor/supplier if it provides goods or services for you to use, provides one or more particular outsourced functions for you and/or provides you access to markets, services and products.
Aha! There it is! A succinct definition of a third-party.
In a nutshell, just about anyone or any business with which you interact that isn’t a bona fide employee or client is probably a third-party.
Some potential third-party entities:
- Temporary agencies
- HR/payroll services
- Credit card processors
- Mail and fulfillment houses
- And more.
Even Aysling – if you purchase our service resource software platform – would be a third-party supplier.
But the most important thing about identifying third-party suppliers? Identifying and managing the risks you take on by doing business with them.
Managing third-party risk
The potential exposure to harm, loss or other problems can arise from just about any interaction you have with any external third-party with which you have entered into a business relation/transactional relationship. Just a few of the different types of risk are:
- Reputation: the relationship you have with the supplier could result in negative public opinion, such as from security breaches that expose customer information or having your customers become dissatisfied with the products or services that your third-party supplier provides to them on your behalf.
- Operational: you run a risk of loss due to failed or inadequate systems and people that the third-party provided you.
- Compliance: this risk arises when the products or services of the third-party violate rules or regulations, or from intentional/unintentional non-compliance with laws, ethical standards, internal policies/procedures, etc.
- Information/Data Security: this doozy of a risk pops up when a third-party procures unauthorized access to sensitive information and uses, discloses, records, or destroys it.
Important note: it’s critical that you understand that you don’t need to have an actual written and signed contract with a third-party to have risks you need to manage.
An example of such a relationship? Freelancers. Many writers/graphic artists, social media marketing providers, etc. often work on an as-needed, informal, “gentleman’s agreement” type basis, without written contracts.
Assessing and managing third-party risk
To determine how much risk, if any, you have with any particular third-party supplier, you should take a look at any written agreements and identify any gaps you may have in your controls and policies. If you find any, make it a top priority to close those gaps.
Lastly, once you find and close any gaps, you need to create an ongoing risk-monitoring process. Why? Because new vendors arrive and old vendors go and it’s easy to let new ones slide on in without looking at the particular risks you’re taking on with them.
After all, your primary focus is providing services to your clients today. And so who has time to worry about potential risks when a deadline looms? Which is why a risk-monitoring process that pretty much automatically kicks in whenever you onboard a new vendor or contractor makes it a lot easier to keep an eye on your third-party risk mitigation.
Manage third-parties with ease with Aysling
Aysling’s cloud-based vendor management module helps you manage your vendors, suppliers and freelancers/contractors in one place with ease. Most importantly, it helps you see and manage the information to which your vendors have access, allowing you to remove such access if needed.
Third-party risk is too important not to manage and mitigate in our highly litigious society.