How to Accommodate Third-Party Risk Variants
September 16, 2021
Most businesses have a diverse network of third-party partners, each with their own unique value and subsequent risk profiles. Consider how many vendors your business has contracted to stock your shelves, clean your facilities, mow your lawn, service your computer system, scale your shipping logistics, and even refill your water coolers.
While there are some inherent risks involved with contracting a wide range of suppliers that vary greatly in size and scope (most of which are related to cyber attacks and data breaches that stem from third-party negligence), there are also many benefits to diversification.
A pizza chain, for example, might have national contracts with service providers to clean their facilities and haul their trash, while simultaneously contracting smaller, more agile delivery driver management companies to service specific cities or states with a larger franchise presence and/or sales volume.
Businesses of all sizes have different expectations for each of their third-party partners, and thus, supplier risk profiles will naturally vary. There’s a strong need to accommodate this by instituting a unique set of insurance requirements for each supplier category, but in most cases, risk managers tend to avoid going this route because they’re worried about adding more manual tasks to their daily operations.
The problem is that most corporate risk managers have just one or two blanket sets of insurance requirements for all of their third parties, which means they’re already relying on excessive manual intervention, constantly making exceptions and overrides so that their preferred suppliers can continue to participate in their network.
Evident’s average customer has roughly 23 sets of third-party insurance compliance criteria, but some of our customers, like grocery store chains and supply chain businesses, have more than 50 different sets of compliance criteria. And it makes sense – you wouldn’t want your cybersecurity provider to prove that they meet the same set of insurance requirements as your window washer. It’d be like trying to force both a triangle peg and a circle peg through the same square-shaped hole.
Not surprisingly, a recent study indicated that 42% of businesses are still assessing their third parties using spreadsheet-based questionnaires, and 65% of these respondents are either unsatisfied or neutral with this approach. Automated technology solutions offer a robust alternative for accommodating third-party risk variants, one that’s both safer and easier than using spreadsheets.
Our insurance verification technology supports “complicated” risk variants by collecting and managing third-party COIs, verifying that they meet their specific category’s compliance criteria, and providing risk managers with visibility into their partners’ compliance (or non-compliance) with corporate insurance requirements.
We believe that companies can and should have many different sets of insurance requirements for each supplier category so they can maintain high standards and still enable smaller businesses to share in the good reputation and earnings that come from supporting enterprises.