relationship, don’t forget that risks don’t just disappear. Sensitive data must be returned or securely destroyed, access to your systems needs to be cut off, and any ongoing obligations should be carefully wrapped up. Surprisingly, many companies overlook this stage during offboarding. This leaves the door open to lingering security issues or compliance problems that could cause trouble down the line.
Why This Matters - A Real-Life Example
I want to share a story that really shows why managing third-party risk through every stage is so important. Back in March 2000, a fire broke out at a Philips semiconductor factory in Albuquerque, New Mexico. It seemed like a small incident at first, but it ended up shaking up the whole telecom industry and serving as a huge wake-up call for how companies handle third-party risk.
Philips was making critical components - radio frequency chips - that Nokia and Ericsson depended on for their mobile phones. Both companies relied heavily on Philips, and at the time, there weren’t any real backup suppliers for those parts. When the fire happened, Philips thought the problem would be fixed in about a week. They told Nokia and Ericsson the same.
But the reality was worse. The fire had contaminated the cleanroom where those chips were made, and the shutdown ended up lasting weeks, maybe months. This caused big problems for both phone makers, but how they reacted made all the difference.
Nokia acted quickly. They sent their own team to check things out, realized the situation was serious, and immediately put their contingency plans into motion. They found alternative suppliers, tweaked some designs to work with different chips, and shifted production schedules around. Because of this fast response, Nokia barely felt the disruption and even ended up taking some market share from competitors during the chaos.
Ericsson, on the other hand, took the fire at face value and assumed it would be over quickly. They had no backup suppliers and no plans in place to deal with something like this. Their decision-making was slower, and by the time they realized how bad it was, it was too late. They lost around $400 million in revenue, which contributed to their decision to get out of the phone business altogether and team up with Sony.
This story highlights some key lessons about third-party risk: relying on a single supplier for something critical is a huge gamble, you need visibility into what’s really going on with your vendors, blind trust can be costly, and having tested backup plans can save your business. Most importantly, how fast you respond can mean the difference between a temporary hiccup and a full-blown crisis.
So, what does all this mean for your business? Well, it means that managing third-party risk isn’t just a checkbox or a one-time thing you do when you sign a contract. It’s an ongoing, evolving process that touches every part of your relationship with vendors and suppliers. You need to think about it from the moment you start looking for a vendor, all the way through to when that relationship ends. Every step matters and brings its own risks that need attention.
When you’re first sourcing and selecting vendors, it’s tempting to focus on price or how well they meet your specs. But it’s just as important to understand the risks they bring with them. Does the vendor have a solid security posture? Are they financially stable? How reliable are they operationally? Gathering this information upfront helps avoid surprises later and can speed up your buying process, too, since you won’t get stuck going back and forth trying to fix overlooked risks.
Once you pick a vendor and start onboarding them, things can get complicated if your internal teams don’t share information well. Procurement, legal, security, operations - they all have different pieces of the puzzle. If their data is scattered across different systems or spreadsheets, you’ll struggle to get a clear picture of your vendor’s risk level. Automating this onboarding process and making sure everyone’s on the same page saves time and prevents costly missteps.
After onboarding, not every vendor needs the same level of scrutiny. Some are low-risk and won’t cause major issues if something goes wrong. Others are critical to your business and deserve deeper due diligence. Understanding inherent risk - basically the vendor’s risk before you add your controls - helps you decide how much effort to put into each vendor. This risk-based approach means you can focus your resources where they matter most.
Once you start assessing vendors and working on remediation, consistency is key. You don’t want a situation where every team is asking different questions or tracking issues in different ways. Standardizing questionnaires, collecting responses automatically, and following up on risk remediation in a coordinated way makes the whole process smoother and more effective.
But it doesn’t stop there. Risks change all the time. What seemed safe last month might be risky today because of a new cybersecurity threat, a financial setback, or supply chain disruption. That’s why continuous monitoring is crucial. By keeping an eye on your vendors around the clock, you can spot trouble early and act quickly, rather than waiting for an annual review or a vendor’s self-report.
Alongside monitoring risk, managing vendor performance is equally important. Contracts aren’t just pieces of paper; they’re promises vendors make about how they’ll perform. Tracking service levels and remediation efforts ensures vendors live up to those promises and helps you avoid interruptions to your business.
And when it’s time to end the relationship, don’t think your job is done. Risks can linger after the contract ends if data isn’t properly returned or deleted, or if vendor access to your systems isn’t revoked. Having clear offboarding procedures in place protects you from ongoing risks and potential legal headaches.
Wrapping It Up
Third-party risk management isn’t fashionable, but it’s essential. The Philips fire example is a reminder that even a small incident at a vendor can ripple out and cause major disruptions for your business. Being proactive about risk - from sourcing and onboarding, through ongoing monitoring and performance management, all the way to offboarding - lets you stay ahead of surprises and keep your operations running smoothly.
The reality is, no vendor is perfect. Residual risk will always exist, but the goal is to spot problems early, respond quickly, and keep risks at a level your business can accommodate. It’s about building strong partnerships based on trust, clear communication, and shared commitment to managing risk together.
At the end of the day, treating third-party risk management as a continuous journey - not a one-time project - gives you the best chance to protect your organization, your customers, and your reputation.
Reuben Kisigwa is a strategic consultant and a certified competency-based curriculum developer. You can engage him via mail at: RKisigwa@gmail.com.