Top 5 Third-Party Risks for Organizations


Every organization needs third parties to run its business. However, any use of third parties introduces an increased level of risk, a risk that needs to be managed on an ongoing basis. Below is an outline of the top five risks for enterprises relying on third-party providers in 2023.

  1. Cybersecurity risk

    Cybersecurity risk remains the top priority for most organizations. According to the Global Cybersecurity Outlook 2022 by the World Economic Forum, the world is seeing a new generation of cybersecurity breaches and organizations are struggling to keep up with the ever-changing cybersecurity landscape.

    The report estimates that each cybersecurity incident costs an average of $3.6 million USD and that it takes organizations an average of 280 days to identify and respond to an attack. There were an average of 270 attacks per organization in 2021, a 31% increase over 2020, with “unauthorized access to networks” and “ransomware” together accounting for more than 65% of all cybersecurity attacks.

    The ramifications of a cybersecurity attack for an organization are immense. Not only does an attack potentially disrupt business operations and reduce productivity, it also erodes customers’ trust in the organization. This in turn can cause a significant financial impact through lost revenue and an exodus of customers who vote with their feet.

  2. Environmental, social and governance (ESG) risk

    With the increasing focus on sustainability and new legislation for mandatory reporting in many regions around the world, ESG risk is fast becoming a key focus area for organizations. ESG risk applies both within the organization itself and across its supplier ecosystem, including the supply chain.

    Organizations are starting to connect the media headlines related to climate change, poverty, depletion of natural resources, pollution, modern slavery, racial and gender inequality, and armed conflicts or wars with the ESG footprints of their own supply chains. Customers want assurance that they are buying goods and services from organizations that conduct business in an ethical manner.

    While it is relatively easy to set ESG targets, it is much harder to measure your supply chain against those targets. There is also the risk of “greenwashing,” that is, presenting achievements as better than they are, whether in Scope 1, 2 and 3 emissions or in diversity, equity and inclusion.

    It is important to acknowledge that climate change is not just an ESG factor. Climate change is now considered a systemic risk to the financial sector and economies worldwide, and prudential regulators are introducing standards that must be adhered to in most jurisdictions. Modern slavery, which covers a wide range of human exploitative activities, is one of the greatest moral crises of our time. Globally, customers are demanding swift and measurable action to mitigate these risks.

  3. Reputational risk

    Reputational risk is the hidden threat or danger to the good name or standing of an organization. Reputational risks leave organizations vulnerable to negative publicity. The biggest challenge with reputational risk is that it can erupt out of nowhere and without warning.

    There are many examples of reputational risks caused by third parties, and many of them overlap with other risk areas such as cybersecurity, ESG and financial risk. Due diligence of suppliers and their supply chains to minimize the potential reputational risk is of utmost importance. Such due diligence of third and fourth parties should cover all the key risk areas, including any adverse news such as litigation, bribery and corruption, affiliation with entities or organizations of concern (politically exposed persons, terror organizations, extremist political movements, etc.) and any association with exploitation, whether environmental or human.

  4. Financial risk

    Apart from the more traditional financial risks, such as operating margin and market capitalization, there are several other factors worth exploring for third parties in your supplier ecosystem. Declining revenue, whether caused by a downturn in sales, overinvestment, mergers and acquisitions or take-over rumours, must be continuously monitored to avoid disruption to the services and goods you depend on.

    Although also part of ESG risk, corporate governance relating to financial practices (annual financial statements and other financial disclosures) should also be scrutinized, as should the presence and effectiveness of committees that oversee audit requirements, remuneration setting and acquisitions.

  5. Geopolitical risk

    The war in Ukraine has highlighted the need for organizations to monitor political developments very closely and be prepared to act in volatile situations. Organizations need assurance that all supplier, partner and joint venture activities in jurisdictions subject to sanctions have ceased.

    However, the war in Ukraine and the associated sanctions on Russia and Belarus are not the only geopolitical risk to take into consideration. Suppliers with operations in countries prone to regime volatility, such as military coups, violent uprisings and systemic oppression of minorities, require careful and continuous monitoring.

    Suppliers with operations in regions prone to natural disasters (floods, earthquakes, bush fires, tsunamis, etc.) pose another risk in this category. In such cases, organizations will need to seek assurance from their suppliers that tested business continuity plans are in place.

ISG helps enterprises identify, assess and manage risks posed by their third-party providers and supplier ecosystems. It’s a complex undertaking, and we have the expertise and technology to manage and mitigate your risk. Contact us to find out how we can help your organization.


About the author

Hanne McBlain

Ms. McBlain brings over 25 years’ experience in building and managing vendor relationships to clients of ISG, including establishing vendor governance frameworks, in-depth knowledge of sourcing policies and practices in government as well as commercial environments, conducting contract and commercial negotiations, and assessing and managing risk within a vendor governance framework.