Third party risk management becomes an increasingly pressing issue as your business grows. Below, Ewen O’Brien, EMEA Director at BitSight Technologies, explains how CEOs should effectively scale their third party risk management programmes.
Today’s hyperconnected business environments deliver a host of advantages for companies that want to cut costs and provide slicker, faster customer experiences. You want to integrate closely with your suppliers and outsource critical infrastructure to third parties such as cloud and mobile providers, making your business more efficient and agile so that it can respond swiftly to rapidly changing market conditions.
However, with the advantages comes increased risk from the third parties that you engage with. As cyber threats continue to increase, managing the risk that derives from a company’s supply chain and vendor partners is becoming a pressing board level issue. It’s not surprising that scaling up and enhancing third party risk management programmes is now a priority.
Engaging with third parties immediately elevates your risk profile, because the number of potential access points to your network, and with it the number of areas of vulnerability, increases. The third party’s security programme is outside your immediate control and, if that third party also partners with other organisations, your risk extends all the way down the chain. When your partner network is large and complex, it can be extremely difficult to gain a clear picture of where the significant risks lie.
Nevertheless, security risk management leaders are increasingly being asked to provide the Board with comprehensive oversight of third party risk exposure. In strictly regulated industries such as the financial sector there is already an explicit compliance requirement for companies to understand and mitigate third party risk continuously, and this is extending to other industries. The drive for greater regulation and accountability in areas such as data protection means that all businesses need to understand and proactively manage the wider risk outside the gates of their immediate network.
The risk management challenges of an evolving threat environment
Assessing the risk associated with engaging with a third party traditionally takes place at the start of the relationship as part of contractual due diligence. The process relies on self-assessment by prospective partners, who complete questionnaires about their own security posture. The responses are therefore subjective and don’t deliver any independent, objective information about the risk of engaging with that organisation.
Lack of ongoing risk visibility
A key problem for the conventional approach to risk management is that the threat environment evolves continuously. A point approach offers a snapshot that only gives accurate risk data in the context of the current situation. To gain relevant insight as the threat landscape changes, you need to continuously monitor third and even fourth parties, looking for material changes in your risk framework. Given that the number of partners an organisation works with can exceed the number of employees it has, this process is impossible to achieve manually.
Speed and scale
Another challenge is that the quantity and complexity of the third parties your business engages with fluctuates significantly over the business cycle. Coping with a sudden need to audit a large number of new partners is a major challenge for in-house risk and compliance departments, and it can limit your ability to move quickly when bringing new partners on board, stifling your business agility.
Collaborating to reduce risk
Finally, taking a point approach limits the opportunity for you to work proactively with your third parties to improve and adapt security performance over time. Even a scheduled audit programme only delivers a further static snapshot of performance and compliance. It doesn’t encourage organisations to work together to identify and counter emerging threats on an ongoing basis.
The reason that companies engage with third parties in the first place is because they can deliver a product or service more efficiently and cost-effectively than can be achieved in-house. Why not apply the same principle to third party risk management? Employing an independent organisation has key benefits, as consultancy Deloitte underlined when recommending that financial sector companies take this approach. They pointed to economies of scale and associated cost reductions, the ability to scale up and down as required, taking the burden from in-house departments, and additionally the fact that regulators often prefer to see an independent assessor involved in risk management programmes.