Beware the Middleman: Due Diligence and Third-Party Risk

Anyone who drives a car has worried about their mechanic overcharging them for services. In economics, the principal-agent problem assumes differing interests between customers, investors, and executives on the one hand, and employees, contractors, and service providers on the other. Any service provider upon whom your business relies for products, legal services, cyber security, or more brings the principal-agent problem with them. This is the heart of third-party risk. Mitigating third-party risks means knowing who your providers are and their interests, histories, and reputation, because at the end of the day those third-party qualities affect your business. If those vendors are involved in bribery or corruption, this will inevitably impact the reputation of your business and may even jeopardize its very existence.

The Importance of Third-Party Providers and Suppliers

Third-party providers and suppliers offer tremendous value and the ability to reach customers in locales and jurisdictions that vertical integration would prohibit. Directly establishing in-house distributors, directly hiring permanent cybersecurity personnel, and bringing other providers in-house are often cost-prohibitive for small and medium-sized enterprises. Despite the cracks currently forming in the global economy, globalization and technology make it easy and cheap to work with third parties. Unfortunately, these third parties also carry risks of their own due to the differences in knowledge and interests between you and them. Third parties carry expertise that your firm lacks on the inside, while at the same time holding an incentive to keep costs as low as possible. If those low costs sacrifice quality, that is a liability.

Navigating Third-Party Risks in Various Industries

Third-party risks have recently come under greater scrutiny in the business world. In banking and finance, the Federal Reserve, FDIC, and the Office of the Comptroller of the Currency (OCC) issued special guidance for how smaller banks should handle third-party relationships in order to ensure proper compliance and maintain anti-money laundering (AML) safeguards. This is part of a trend of increasing government scrutiny of third-party relationships in the finance sector as emerging financial technology (FinTech) companies and traditional banks partner to reshape the banking landscape.

In the real economy, third-party risks are increasingly a point of concern as supply chains are threatened by disruptions from economic and political risks, including war. According to a survey from 2023 by Ernst & Young, only 54% of companies have a comprehensive program to monitor third-party risks. According to the management firm Gartner, only 16% of companies effectively monitor and mitigate third-party risks. As companies seek new routes around conflict and find themselves working in new locales with new partners, third-party risks are a real and fluctuating problem. In the cybersecurity field, 61% of companies that experienced a cyber breach had the breach occur with third-party partners. That same year, third-party data breaches rose by 49% from the year prior, reaching a new all-time high.

In banking, trade and manufacturing, and tech, the third-party problem is alive and well and poses unique due diligence challenges. Any time your company partners with a third-party firm, that firm’s reputation, liabilities, and capabilities effectively connect to your business. Your company screens high-level hires during onboarding; the same needs to happen to ensure quality and competence in your third-party vendors and service providers.

Best Practices for Third-Party Due Diligence and Risk Mitigation

Everyone has a past that reveals traits of character, interests, behavior, and ethics. Companies have biographies as well, and knowing them is critical to knowing the business as the corporate “person” with whom you do business. Conducting due diligence on a third party’s executive team and reputation, and obtaining an inside look at operations to confirm the capabilities you seek, are critical steps not only to protecting your business but also to avoiding the pitfalls of the principal-agent problem. Before signing the contract to add a third-party partner, you should conduct a comprehensive risk assessment and due diligence investigation to identify potential risks related to industry dynamics, geographical location, and regulatory environment. Ensuring a partner’s capacity to fulfill the work you seek should include assessing their financial stability, liquidity, solvency, overall business reputation, and capital to fulfill contractual obligations and withstand economic uncertainty.

Doing business internationally means new regulations, legislation, and cultural norms that can negatively affect your reputation and bottom line. Developing countries may offer lower production costs, but pose risks ranging from child labor violations and corruption to exposure to crime.

Mitigating third-party risks abroad requires ensuring that your supplier adheres to relevant regulations both locally and in your home jurisdiction. Due to evolving security situations overseas, a good third-party due diligence investigation should include establishing robust third-party vetting, crisis management protocols, and communication in the event of upheaval.

Third-party relationships are, at their core, relationships. To be valuable, relationships require knowledge, and knowledge of your third-party vendors is critical to ensuring that reputation is preserved and value is created. For example, changing supply chains to de-risk from China by finding new suppliers in Latin America requires conducting due diligence investigations on your new partners, checking that they are not violating U.S. laws such as the Foreign Corrupt Practices Act (FCPA), checking that they are not doing business with sanctioned entities, and knowing their place in their broader business environment. Closer to home, third-party due diligence means assessing the viability and quality of the service you are buying. Knowledge may be power, but knowing your third-party partners is value. Know your trading partners and beware the middleman.

            
