Discussing third-party risk can be akin to opening Pandora’s box. Once you start discussing third-party risks, the conversation becomes quite complex, involving multiple stakeholders and outside organizations.
Businesses of all sizes have third-party relationships; it’s just a matter of scale. Large businesses may have ample resources to manage third-party risk, but they have many more third parties to work with. A smaller business may have fewer third parties but is typically limited in its budget and personnel resources.
Identifying, tracking and managing third-party risks has grown into an increasingly complex endeavor, with many organizations operating either remotely or in a hybrid model. Adding to the complexity, vendors and partners also have more complex operating environments of their own, with additional risks ensuing.
Diligent third-party risk management (TPRM) is increasing in importance as the cyber threat landscape continues to evolve. “We are seeing new and different types of cyber-attacks,” says Linda Tuck Chapman, CEO at Third Party Risk Institute Ltd. She explains:
Attackers are no longer going after individual companies as their sole target. They're going after third-party software companies and finding their way in because these companies turned out to be a weaker link than some of these big corporations. We’re reliant on these companies, but we don't really know what's happening – and it's that uncertainty that's making us so concerned.
This is further complicated by the fact that organizations often don’t know all the parties they’re dependent on. As Tuck Chapman notes, “Risk events such as cyberattacks or supply chain interruptions can arise from fourth parties you didn't even know you were doing business with.” She concludes, “The only way you make the system safe is to make the component pieces safe, which is a focus on individual companies.”
A new relationship or a contract renewal with a vendor should be evaluated programmatically, by defining the business need and the scope of the relationship. “Relationship segmentation is kind of a catch-all term. Look internally and decide how important this relationship is to this business or to our company,” says Tuck Chapman.
Determining the type and size of risk to the business comes next, and allowing for a certain amount of risk tolerance is a critical step in evaluating a partnership. It’s also important to determine how a serious third-party failure would impact your organization. The level of access and the sensitive information provided to the third party determine the scope of impact a catastrophic failure would have on your business.
Filtering third parties through this lens will allow for robust relationship segmentation, according to Tuck Chapman. “It sounds complicated, but once you get a framework in place and a way to filter them through, it's actually very straightforward.”
Third-party relationships require proper due diligence to ensure risks are accounted for, accepted, and managed appropriately. According to Tuck Chapman, it is helpful to discuss due diligence in three steps.
First, “make sure you're getting into business with a company that you want to do business with for a long time,” she says. “Second, you might go through some sort of bid process or down selection. And when you get down to a company you think you're going to work with, or even maybe the final couple, you’ll want to look at another form of due diligence, which I'm calling pre-screening.”
She continues, “Your first step with procurement determines if the company is a good fit. The second one looks at if there is anything that would affect your reputation or cause you to back away from this company.” Pre-screening should ask questions such as:
- Is the business operating in a high-risk country?
- How many company officers are there?
- Are they on a sanctions list?
- What is their financial health?
- What type of and how much data will they have access to?
- Will they have direct contact with your customers?
The third step is the most difficult: actually performing the due diligence. Tuck Chapman suggests looking at the controls of the third party. Do they have a secure VPN? Do they use anti-virus software and have a regular program for patching? What does their employee screening look like? Do they have proper endpoint security? Those questions are by no means exhaustive, but serve as an example of what type of factors should be considered.
“If you've done a good job on the build, you know what you're looking for,” she says. “But the due diligence itself requires a third party to provide information to you. And right now, even before COVID, they were getting inundated with information and requests.” Performing proper due diligence takes time – sometimes 30 to 45 days or more – but is a crucial step in TPRM.
Third-party risk management necessitates involvement from the Board and multiple stakeholders across the business. Depending on the type of risk and vendors involved, stakeholders include (but are not limited to) leaders in legal, privacy, human resources, cybersecurity, IT, and risk. And while those individuals or departments may own vendor relationships, track risks, and manage incidents, it’s important to remember that when it comes to third-party risk, working across functions is key. “Everyone is a risk manager, even if they're not directly responsible for it,” says Tuck Chapman.
For more in-depth guidance on this topic, you can watch Linda Tuck Chapman and Matt Kelly’s discussion from the NAVEX Next Virtual Conference.