A guide to developing a holistic third-party procurement risk management strategy
While third-party suppliers bring many positive opportunities to law firms and other professional services businesses, they also come with risks, given their potential access to firms’ and their clients’ most sensitive data. In fact, about a third of firms (33 percent) participating in the Procurement Leader Survey, conducted in conjunction with HBR Consulting’s 2018 Law Firm Procurement Roundtable, had experienced a supplier risk event – such as disruption of a third-party engagement due to an SLA/contract breach, information loss, a hacking or security incident, or a supplier’s difficulties with financial viability – in the past 24 months.
Managing third-party risk is more critical today than ever before for several reasons. From increased regulatory pressure to heightened client expectations, firms face new challenges that exacerbate the potential risks suppliers pose.
The top three factors that drive third-party risk are:
- Regulatory environment: New regulatory requirements like the General Data Protection Regulation (GDPR) have forced firms to address the management of supplier risk more holistically. According to the Procurement Leader Survey, a lack of supplier-related information is firms’ top concern regarding GDPR compliance (cited by 37 percent).
- Heightened client expectations: Clients are increasingly concerned about how firms manage security risks. Clients want to know that their firms are identifying possible third-party supplier risks and taking the necessary steps to monitor and control those risks.
- Firms’ reputations in the marketplace: Firms have access to some of their clients’ most sensitive information, and threats to that information can have a serious negative effect on both existing client relationships and the ability to attract new clients. If a supplier-driven incident were to occur, a firm risks damaging its reputation not only within the legal industry, but beyond it. Furthermore, the legal industry’s security measures are widely viewed as less mature than those of other industries, which makes law firms an attractive target for attackers.
It is clear that the consequences for firms that fail to manage third-party risk are major. Failure to develop a comprehensive third-party risk management strategy can lead to fines for non-compliance with the GDPR and other data privacy requirements, loss of client revenue, difficulty attracting new clients, or potential civil liability. Because of the risks suppliers can pose, and their potential effect on a firm’s ability to compete, it is critical to develop and execute a third-party risk management program.