One cannot deny that organizations today are vulnerable to cyberattacks from all sides, and one source of attacks is the risk arising from third parties. The contribution of third parties and their offerings keeps growing as organizations find it important to optimize their supply chains by acquiring third-party products and services, in order to improve the performance of critical business processes. The nature of third-party services in today’s landscape is associated with a number of risks that cannot be avoided, as they are constantly evolving. So the question arises: are organizations taking a mature outlook to mitigate the risk arising from vendors or any third party whose services are being rapidly accepted by organizations?
It is imperative that organizations understand how modern risk management works and keep up with the ongoing changes in third-party relationships. This also requires pre-acquisition risk assessments to be done thoroughly with vendors and third parties. From there the responsibility grows, and organizations must manage and mitigate risks on a continual basis rather than at specified intervals. Periodic risk assessment makes third parties act with accountability and responsibility, and with diligence, while handling data, the supply chain and access governance, to name a few. Recent research shows that there are organizations that fall short in third-party risk management because they have not introduced proper governance and technology.
“Today the adequacy of third-party vendor risk management is a top concern for all, including regulators. Third-party vendor risk management should be done around a robust framework that includes all processes & related risks. It should be a continuous process to ensure control of the specific risks attributed to the third-party vendor,” says Sanjay Tiwari, CISO & VP at IIFL (India Infoline Group).
Gartner recently surveyed 250 legal and compliance leaders, who revealed that the standard point-in-time approach to risk management is no longer effective in today’s landscape of fast-paced, rapidly changing business relationships. Recent high-profile security incidents, such as the Facebook data leak and the ASUS ShadowHammer attack, forced acknowledgement that third parties can introduce tremendous risk to business operations and data security. That risk can even damage an organization’s technical infrastructure, products and services.
The 2019 Vendor Risk Management (VRM) study by Protiviti polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). The study revealed that there was no sector in which more than 50% of respondents reported mature vendor risk management programs. Four in ten organizations had fully mature VRM programs, but almost a third had ad hoc programs or no program in place.
The survey highlighted the need for a strong tone at the top: “Awareness of third-party risks by an organization’s Board of Directors is a strong indicator of vendor risk management (VRM) program maturity: 57% of organizations reporting high levels of board engagement also reported mature and advanced vendor risk management programs.”
“The overall maturity of vendor risk management programs is virtually unchanged in the face of an increasingly challenging external risk and regulatory environment,” wrote experts from Protiviti in the company’s fifth annual vendor risk management survey.
Managing Third Party Risk
Managing third-party risk is gaining momentum, and organizations are increasingly focusing on this risk factor. According to Gartner, a number of factors have contributed to this shift. One is that third parties have greater access to organizational data and also provide new kinds of technology services for organizations, including start-ups and business model innovators.
Past data breaches originating from third parties confirmed how vendors expose businesses to new risks, such as the threat of high-profile customer service disruption and other major business failures. These risks have compromised organizational reputations and even attracted substantial penalties and tough regulatory enforcement. So the question arises: what methods should organizations adopt to manage third-party risk, from contracting in the deployment phase through to recertification?
Gartner finds that compliance leaders attempt to identify potential third-party risks with extensive due diligence before contracting and again at recertification. This approach is largely ineffective, as it can contribute to longer onboarding and waiting periods and fails to capture risks that arise from ongoing changes throughout the relationship. Among respondents who identified risks after due diligence, 31% of those risks had a material impact on the business.
Experts therefore recommend mitigating third-party risk through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.
The most important element to look for in the arrangement is the cultural dimension: the interest in protecting customers and their information. The CISO’s role starts at an early stage, ensuring security control alignment at a policy level and setting appropriate security objectives. Organisations collaborating with a limited number of third parties can continue with traditional practices like periodic risk assessment and due diligence checks for their ongoing assurance.
But the ecosystem is changing; third-party risk scorecards are now available as online subscriptions and are ready to disrupt the current business models, says Lakshmi Narasimhan R, CISO, Intellect Design Arena.
Another important approach is iterative risk management, which allows compliance leaders to improve how risk is managed. Gartner research says organizations that applied an iterative approach experienced almost four times the level of business partner satisfaction with speed to engage, twice the ability to remediate risks prior to impact, and 1.5 times greater ability to identify risks prior to impact.
“Nowadays third parties are not just product sellers but partners in the success story of any business. There is an impact on the organization’s mission, privacy, business functions and risk tolerance levels when replacing or upgrading an OS, database or application provided by the vendor or OEM; hence, as leaders, our iterative approach to third-party risk management should not only be restricted to security testing or patching but also bear in mind the end-user experience, reviewing contracts, due care & due diligence processes, and evaluating competitors’ products to ensure we contribute to business growth by mitigating risks,” says Vishal Bhatia, Director, Head InfoSec, FIS Global.
Further, the iterative risk management approach can streamline due diligence requirements to focus on the most critical risks, accompanied by creating controls and establishing internal triggers to monitor for change. This brings us to the regulatory mandates an organization needs to meet and, at the same time, apply to its third parties. Regulatory guidance requires that an organization’s Third Party Risk Management (TPRM) and/or Vendor Risk Management (VRM) program be risk-focused, and that it provide oversight and controls commensurate with the level of risk presented by the organization’s outsourcing arrangements and reliance on third parties.
The key finding of the Protiviti survey is that businesses need to work even harder than before to maintain the same relative level of maturity versus their industry peers.
Leading organizations across the world understand that it is more important than ever to protect their valuable data, information and assets through effective risk management. As incidents relating to third parties continue to rise, organizations are becoming more concerned about disruption to customer service. At the same time, organizations are starting to realize that a consistent approach to third-party risk management will help maintain standards across their operating units, and they aspire to increase their monitoring and assurance activities over third parties.