Going Beyond Reports in Third-party Risk Management

A hard lesson in what can happen if you treat third-party risk management as another check-the-box activity.

“Quilting is not just a craft; it’s a community. When quilters gather, magic happens.”
—Bonnie Hunter

Yes, when quilters gather at a conference, magic happens—until a third-party provider assisting in conference registrations has a failure. Then, the magic that a quilting community brings may inadvertently be laced with a bit of voodoo.

On July 31st, 2024, a major quilting organization announced that their conference registration provider had suffered a “catastrophic failure.” This failure was bad enough that the event registration was turned off completely.

Social media notifications and email posts went out to inform once-excited quilters, saying that next steps would be provided as soon as possible. However, the backlash came in a torrent. So much so, that the organization turned off comments to their Instagram notification post. This was quickly followed by an Instagram story reminding their followers that there is no need to be rude.

I agree there’s no reason to be rude. Do I understand why people became rude? Absolutely.

Credit cards were charged for the conference registrations, and expensive flights and hotels were booked. Now, the heavy question hung in the air, “Is my registration confirmed?” followed by worries about refunds. The organization gave no date for an answer in their initial communications. In fact, the next update came approximately two weeks later on August 13. Registration remained off until August 28. For those of you still with me and doing the math, that’s a few days shy of a month’s loss of time gathering conference registrations.

You Are Your Third Parties

Now, I know that the term “catastrophic failure” goes deep into what we look at during third-party reviews. It’s clearly not on the mind of the average quilter. And yet, this is the key reason I’m passionate about third-party risk management and getting it right: To your customers, you failed. They aren’t thinking about the third-party. They are thinking about you and the trust that you’ve established with them erodes. Personally, I was considering going to the conference. Now, I have questions regarding this party’s ability to process my data, and I don’t think I want them to have it.

Catastrophic failure, loss of trust, and the total stoppage of business is what we try to prevent when we perform due diligence on third-parties. If we look at this situation from a traditional third-party risk management perspective, we would’ve gotten SOC2 or ISO27001 reports, maybe a financial statement, a few other pieces of paper and signed off. However, the root cause for this failure may not have shown up in a questionnaire or report.

As I reviewed the messages from the quilting organization, I noticed something that would have been an immediate red flag to me in the initial vendor review phase. In either a now-edited or a temporary story, the quilting organization mentioned that the registration vendor attended the previous year’s conference so they “knew the conference was serious” or stated another way, the real deal. In my humble opinion, if you have to prove you’re the real deal to a third party, you probably shouldn’t hire that third party.

Because the critical part of the third-party evaluation is knowing that the third party aligns to your mission, they are dependable, and you can trust them. You have to build and maintain a healthy relationship throughout the life of the engagement to get insights into these critical aspects.

When I look at a third-party management system, I look for features such as allowing me to set tasks to check-in, request meetings with the third party, and a resource outside of email for active participation in our review process.

Process Doesn’t Replace People

Even with these tools, there is still a need for people in your third-party risk management process. Reports, questionnaires, and automated processes help us pinpoint where to direct our questions. However, you have to dig deep. The issues that cause “catastrophic failure” get into the culture and performance of an organization. How your staff is treated in getting to these answers will tell you a lot about the stability of the third-party and what they think about your relationship.

The old adage of “measure twice, cut once” certainly applies to quilting but is pretty handy when reviewing your third-parties, too. If you build relationships and use those relationships as a second measure to the hard data, well, maybe you’ll save yourself a downed registration system.

Want to learn more about Onspring’s Third-party Risk Management product? Click here to schedule a demo.