Third-Party Risks Need New Approaches

Businesses in all sectors are adopting new technologies and operating models to digitize processes, leverage more business partners, and widen their ecosystems of suppliers, software-as-a-service (SaaS) providers and cloud service providers (CSPs). There is also a greater number of interconnections between businesses, more interdependency between companies and their vendors, and heightened reliance on technology and data to run their operations. Sensitive corporate data now resides in multiple systems, across multiple types of platforms and devices, and may be accessed or hosted by a variety of third-party vendors.

At the same time, cybercriminal activities are turning into increasingly sophisticated, self-sustaining industries that can leverage outsourcing, adopt advanced technologies and work across national boundaries. At times, these criminal efforts are even state-sponsored. As a result, firms need to expand their enterprise risk management frameworks to encompass a whole-ecosystem view of risk. New technologies must be deployed to identify, measure and manage new risks. These protections should leverage the cloud, artificial intelligence (AI), and advanced analytics to strengthen and extend traditional risk and compliance processes.

To that end, risk management is evolving, and consultants and businesses are racing to catch up and react to new threats. Many companies are seeking support from cybersecurity risk rating companies to provide insights or data on their vendors. Still, this approach has some drawbacks and limitations.

The Challenges of Third-Party Risk Management

More and more businesses and regulators are recognizing that third-party relationships are becoming some of the most significant and challenging risks to manage properly. Working with third parties can expose you to new risks depending on their ability to manage operational and security vulnerabilities. Third-party security breaches and operational performance failures can disrupt your critical business processes, damage your brand and reputation, lead to regulatory compliance penalties, or damage your business operations. Successfully managing and mitigating emerging risks is one of the biggest challenges a company can face.

Businesses that depend primarily on cyber risk rating solutions to provide data security snapshots often find that the generated reports are limited in breadth and may not include service-specific information about their vulnerabilities and weaknesses. For example, rating companies may provide a very broad score based on a generic scan of public source data alone. Their reports may also include false positives, leaving organizations to sift through the findings and determine the true risks that could affect their business — which tends to involve more time, funds and energy.

While leveraging risk rating services may be useful as an initial indicator, most businesses today require risk assessments that are specifically tailored to the types of services they provide.

Start With the Basics

Technologies such as the cloud, the internet of things (IoT), operational technology (OT), advanced analytics, blockchain, mobile devices and AI can increase productivity and efficiency and reduce costs and operational timelines. However, they may also create new risks for a business, as they can make your vendor relationships, business processes and data protection needs more complex.

Businesses in general (and financial institutions in particular) are finally viewing vendor relationships as a risk that must be managed, rather than a simple procurement process. Traditional metrics for evaluating vendors’ performance and overall value become less relevant when an organization opts to move from a purely operational perspective to a more risk-based view.

Yet companies are failing to uphold basic risk management practices. Many are unable to take a complete inventory of their partners’ systems due to limited access to business data. They also might not fully understand which processes are critical to their business or have access to the critical technology platforms and systems needed to make a proper assessment.

Working with companies across many industries, we constantly see organizations fail to understand and address the security and operational risks involved in third-party relationships. Vendor management needs to be viewed as an end-to-end process that requires risk identification, risk mitigation and active monitoring throughout the entire vendor relationship lifecycle.

Companies need to keep up with changing technology and develop controls to sustain good risk management practices. The natures of these controls can differ substantially if one compares an operating model where the technology is operated on-premises to one where key processes and functions are outsourced or delivered by a SaaS provider. If the necessary data and workflows exist in the cloud, this can complicate matters further.

Companies need to continue to refine their governance, controls and risk management practices and adapt them to a world that is highly interconnected, which can lead to a decentralized operating model. Their staff and compliance organizations must adjust to appreciate a multiplayer risk environment where controls, protection and detection may rest in the hands of others.

The chart below illustrates the elements of an overall risk management framework that addresses the whole ecosystem of providers as well as internal functions.

Security controls for risk management

Emerging Tools for New Risks

Once you have covered the basics, you can start to look at advanced capabilities offered across the industry. There is a growing body of best practices and technologies to assist senior leaders and their risk managers in efforts to identify, manage, mitigate and reduce third-party risk in these times of change. Leading companies are adopting an “extended risk universe” that incorporates risk metrics, quantification capabilities, third-party risk assessments, monitoring and controls, and the use of advanced analytics to understand risk scenarios and key risk identifiers.

The clients I work with are leveraging proactive risk management practices that involve the use of agile techniques for identifying new risks, regular testing and rehearsal planning, top-down cultural changes, and on-demand, cloud-based security services. These leading organizations are in alignment across their C-suite executives regarding their top risks and risk trends. Such accordance can help to drive more focused investments, skills training, systemic remediation efforts and effective planning.

Our approach recommends that clients adopt both a top-down approach to managing third-party risk and a proactive, grassroots one. Leading organizations are utilizing automation to centralize and analyze risk data. They are using advanced analytics to identify correlations and relationships and to gain insights across discrete data sets. Key resources in their endeavors include internal audit results, corrective action plans, and assessments around operational, IT and compliance risks.

Critically, they are using a data-driven approach to identify, assess and monitor risks, thus ensuring that their information is based on the facts rather than on perceptions, hypotheses, or general observations about technologies and providers. These companies tend to deliver greater results than the simplistic snapshots in time that are commonly provided by other rating companies. Best-in-class businesses adopt a holistic and continuous monitoring approach that includes the consideration of business issues, reputational risk, financial risk, potential supply chain disruptions, and security and data breaches.

These businesses understand the need to focus and tailor their third-party risk efforts on the most significant and impactful risks based on services provided and data access — and these efforts are paying dividends.

Adopt a Strategic Approach to Managing Third-Party Risk

Business operations are accelerating and threat actors are leveraging some of the most sophisticated technologies. Data and transactions are being hosted, managed and secured by third parties, and operational technologies and IoT devices are more interconnected than ever. The key takeaway regarding this new environment is that risk management practices require an agile, integrated and holistic approach to identify, protect and prevent risk events from occurring.

Businesses need to adopt a strategic approach to managing third-party risks, one that provides an integrated view of the vendor relationship process and incorporates risk management throughout that process. It should include considerations for onboarding and procurement, legal and contracts, information security, data access, active monitoring, and operational management. Organizations need to assess vendors of all types in the context of the role they play and the relationship that is in place; risk management must adapt to the extended universe environment.

Boards need to be better equipped and practiced in the art of risk management. Every company should ask, “What are our top 10 enterprise risks?” and ensure alignment with the C-suite in their response. Every company should be able to gather and analyze their risk data to identify and monitor systemic risks, both new and emerging. Finally, every company must have a control framework that is both comprehensive enough to manage their current risks and flexible enough to address future risks.

Contributor'photo

Randy Spusta

Associate Partner - Global Security Services Risk & Compliance (SSRC), IBM Security

Randy Spusta is the Globlal Competency Leader of the Security Strategy Risk & Compliance practice. He specializes...