Wade Younger
Managing Partner
Armstrong Wolfe Advisory
3rd Party Risk Management - Why is it so important?
In the 1930s there was a gentleman by the name of Benjamin Klingler. He was a superintendent for an apartment complex and a former toolmaker in Germany. He had a plan to build a boat for him and his wife, an 18-foot tub of luxury. It took him four years to build and he christened it by naming the vessel Lillian, after his wife.
Once he celebrated this accomplishment he realized one thing, something very critical. Benjamin built this boat in his basement, and he didn’t think ahead as to how he would get it from that location to the water. Can you imagine that, spending four years on a project and it never comes to fruition? The moral of the story is, always plan ahead.
Dealing with third party vendors, to help us be first, best and different, is not dissimilar. While we’re all looking to make things faster, cheaper, and better for our customers, we have to use outside resources to reach this goal. But in this day and age it is risky to invite someone inside the safety of our ‘fortress’, hence the need for 3rd party risk assessments. It is about thinking ahead.
Why Should I Care About Third-Party Risk?
With most organisations relying on outsourcing to handle at least some aspects of their day-to-day operations, third-party risk should be at the front of their minds. This is especially true given the rising number of security breaches born from third-party relationships.
A recent study shows that almost a third of third-party vendors would be considered a material risk if a breach occurred. Another study revealed that 80% of surveyed organisations experienced a data breach originating from a third party in 2020.
Ultimately, your organisation’s board of directors and senior management are responsible for managing third-party relationships. The identification and control of associated risks should be held to the same standard as activities as those within the organisation.
Despite the numerous risks that arise from third-party relationships over the vendor life cycle, many organisations still do not manage third-party risks as diligently as internal ones.
Failure to manage these risks can leave organisations exposed to regulatory action, financial action, litigation, reputational damage, and can impair an organisation’s ability to gain new, or service existing, customers.
Types of Third-Party Risks
There are many potential risks that third parties can bring to an organisation, spanning six key areas:
Cybersecurity risk: The risk of exposure or loss resulting from a cyber-attack, data breach, or other security incidents. This risk is often mitigated by performing due diligence before onboarding new vendors and ongoing monitoring over the vendor lifecycle.
Operational risk: The risk that a third party will cause disruption to the business operations. This is generally managed through contractually bound service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to have a backup vendor in place to ensure business continuity. This is common practice for financial institutions.
Legal, regulatory, and compliance risk: The risk that a third party will impact your organisation’s compliance with local legislation, regulation, or agreements, e.g. the EU’s General Data Protection Regulation (GDPR). This is particularly important for financial services, healthcare, and government organisations as well as their business partners.
Reputational risk: The risk arising from negative public opinion caused by a third party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like the high-profile Target data breach in 2013.
Financial risk: The risk that a third party will have a detrimental impact on the financial success of your organisation. For example, your organisation may not be able to sell a new product due to poor supply chain management.
Strategic risk: The risk that your organisation will fail to meet its business objectives because of a third-party vendor.
It’s worth noting that these areas often overlap, for example, if a business experiences a cybersecurity breach and customer data is compromised, this will also pose operational, compliance, reputational, and financial risks.
How Can I Minimize Third-Party Risks?
The immediate action you will need to take to mitigate third-party risks depends on the status of your organisation’s third-party risk management (TPRM) program. First, you should assess your current TPRM program to identify which security measures, if any, you currently have in place. Put simply, the initial stages of the vendor risk management process should cover:
Vendor inventory: Who are your vendors? You need to accurately identify who your vendors are. A third-party vendor is any person or organisation who provides a product or service to your organisation, who does not work at your organisation, e.g. manufacturers and suppliers, service providers, short and long-term contractors, and external staff. The inventory should be kept up-to-date and extend to fourth parties (your third-party vendor’s vendors).
Vendor assessment process: After creating a comprehensive inventory of vendors, you need to develop a vendor assessment process. Organisations use this process to assess and approve potential third-party vendors and suppliers to ensure they can meet all contracted stipulations and agreements. At this stage, you should include a vendor questionnaire template to streamline the onboarding of new vendors and the assessment of current vendors.
While these steps are important in establishing a strong foundation for TPRM, they are not enough on their own.
Most large organisations manage hundreds or thousands of vendors, with each posing differing levels of risk. Each risk tier has a unique due diligence and risk assessment process, and other tier-specific requirements, meaning your information security team will need to individually categorize each vendor accordingly. They will also need to engage with vendors to prompt risk profile questionnaire completion and communicate the importance of TPRM within the organisation.
Managing such a large number of vendors also requires prioritization of higher risk over lower risk vendors. However, it is still essential to regularly assess all vendors against the same standardised checks to ensure nothing falls through the cracks.
Managing third-party risk is not a “set-and-forget” endeavor. Vendor questionnaires should not only be part of the onboarding process but also be completed on at least an annual basis. Vendors require continuous monitoring, with regular assessments and checks to ensure their security posture is healthy.
With these considerations in mind, it is clear that effective TPRM requires significant time and resources. Information security teams must attend to all other facets of your organisation’s security program and may not have the necessary capability to thoroughly manage third-party risk.
One motivating factor to consider is that 66% of organisations in 2021 underwent ransomware attacks, which was a 78% increase over 2020. There were 3,729 complaints regarding cyber-attacks and ransomware with a combined loss of over $49 million. Being diligent in this security space for third party vendors is critical to the front line management of this class of risk.
Steps to Manage the Third-Party Vendors
Managing third parties is more than a one-time assessment. It’s a relationship that must be managed throughout the third-party management (TPM) lifecycle, from screening, onboarding, assessment, risk mitigation, monitoring, and offboarding.
There are areas for automation throughout the lifecycle that can help your organisation streamline workflows and scale their TPM program, saving time, resources, and reducing risk.
Why does the TPM lifecycle matter?
As security and risk management teams spent the last year adapting to rapid digital transformation in the wake of increased, large-scale, successful cyberattacks, TPM has become a key focus for organisations. Security teams are receiving board-level pressure to implement management programs, causing them to assess all aspects of their TPM lifecycle.
When given a closer look, the importance of the role that the third party and third-party risk assessments play in maintaining a strong security posture across the organisation is magnified. Despite the vendor ecosystem being critical to mitigating risk throughout an enterprise, many organisations aren’t appropriately assessing their third parties (and in some cases, aren’t at all).
As a result, security teams – unless they own TPM – have little visibility into their organisation’s third-party ecosystem, how they’re used, and what measures those third parties have in place to protect their data. This leads to an increased risk in cybersecurity, privacy, ethics and compliance, and environmental, social, and governance (ESG) concerns. So, where should organisations start when pivoting to a TPM program built holistically around understanding the lifecycle?
TPM programs and lifecycle
Organisations must have clear visibility into their vendor ecosystem, and this starts with having a strong working knowledge of the TPM lifecycle.
The TPM lifecycle is a series of steps that outlines a typical relationship with a third party. TPRM is sometimes referred to as “third-party relationship management.” This term better articulates the ongoing nature of third-party engagements. Typically, the TPM lifecycle is broken down into several stages. These stages include:
- Third-party identification and screening
- Evaluation & selection
- Risk assessment
- Risk mitigation
- Contracting and procurement
- Reporting and Recordkeeping
- Ongoing monitoring
- Third party offboarding
- Phase 1: Third Party Identification and Screening
There are many ways to identify the third parties that your organisation is currently working with, as well as ways to identify new third parties that your organisation wants to use. To identify third parties already in use and build a third-party inventory, organisations take multiple approaches, which include:
- Using existing information
- Integrating with existing technologies
- Conducting assessments or interviews
- Leveraging external risk ratings data
Many organisations screen third parties against sanctions lists and other sources at this point to determine if there are any ethical or compliance concerns that would make the relationship too risky to start.
Using this information, you can identify unique risks that vendors may pose to your organisation and create an appropriate assessment and/or monitoring approach that is better aligned with the inherent risk of the relationship. Not all third parties are equally important, which is why it is critical to determine which third parties matter most. To improve efficiency in your TPM program, segment your third parties into criticality tiers.
Phase 2: Evaluation and Selection
During the evaluation and selection phase, organisations consider RFPs and choose the third parties they want to use. This decision is made using many factors that are unique to the business and its specific needs.
Phase 3: Risk Assessment
Third-party risk assessments take time and are resource intensive, which is why many organisations are using a third-party risk exchange to access pre-completed assessments. Others have focused on automating what once were manual tasks across this portion of the lifecycle. Either way, the primary goal of understanding the risks associated with the third party is the same. These assessments leverage automated risk flagging to identify issues based on third party responses.
When considering a TPM program, many organisations immediately think about cyber risks, but TPM entails so much more, such as having too much confidence in your vendor. For example, recently a large car rental company has been suing a major consultant firm over a website redesign that ended in something that never saw daylight.
With the rapid growth of rideshare apps like Uber and Lift, increased competition, and falling used car prices, the car company had been struggling with profitability over the last five years, and its stock price has fallen since then. The company has replaced its CEO twice over the same period, most recently at the start of 2017.
The car company hired the consulting firm in 2016 to completely revamp its online presence. The new site was due to go live in December 2017, but this had to be delayed to January 2018. A second delay put the new go-live date to April 2018, which was then also missed.
As the car company endured the delays, it realized that there was a nasty situation at hand: the product and design apparently didn’t do half of what was specified, and even that was still not finished.
It is now suing for the $32 million it paid the consulting company in fees, and it wants more millions to cover the cost of fixing the mess.
Phase 4: Risk Mitigation
After conducting a control assessment, risks can be calculated, and mitigation can begin. Common risk mitigation workflows include the following stages:
- Risk flagging and score designation
- Evaluation of risk against your organisation’s risk appetite
- Treatment and control validation in the scope of your desired residual risk level
- Continual monitoring for increased risk levels (e.g., data breaches)
When a third-party risk is flagged, automatically assign a risk owner to oversee remediation actions. Then, provide remediation advice within any delegated tasks based on regulations, standards and frameworks embedded into your TPM lifecycle. A real-life experience of this process involved a major airline company.
The company claimed that a disastrous outage which had hit its IT systems, was estimated to between $15 million and $20 million.
The outage, which the airline sourced to a hardware failure at its outsourced IT systems provider, took down the airline’s reservations, check-in, and related systems, resulting in a string of delayed and cancelled flights and a nationwide 11-day outrage.
The airline was forced to apologize to customers at the time and provide overnight accommodation and replacement flights to passengers stranded around the nation.
Phase 5: Contracting and Procurement
Sometimes done in parallel with risk mitigation, the contracting and procurement stage is critical from a third-party management perspective. Contracts often contain details that fall outside the realm of TPM. Still, there are key provisions, clauses and terms that TPM teams should look out for when reviewing third party contracts.
Phase 6: Reporting and Recordkeeping
Building a strong TPM program requires organisations to maintain compliance. Maintaining detailed records in spreadsheets is nearly impossible at scale, which is why many organisations implement TPM software. With auditable recordkeeping in place, it becomes much easier to report on critical aspects of your program to identify areas for improvement.
A TPM program can automatically schedule reports to quickly generate and share key details with critical stakeholders. Additionally, metrics can be used as automation triggers. For example, when a new high risk emerges, a notification can be sent automatically to the appropriate stakeholder.
Phase 7: Ongoing Monitoring
An assessment is a “moment-in-time” look into a third party’s risks; however, engagements with third parties do not end there – or even after risk mitigation. Ongoing monitoring throughout the life of a third-party relationship is critical, as is adapting when new issues arise. There is a growing field of risk data providers that can greatly enhance real-time monitoring of your riskiest third parties.
Additionally, using contract or security certifications expirations as automation triggers, such as when a third-party security certification expires, automatically triggering an action (creating a new risk, sending a reassessment, or notifying a stakeholder). The same can be said of detecting third-party breaches and sanctions.
Phase 8: Third-Party Offboarding
A thorough offboarding procedure is critical, both for security purposes and recordkeeping requirements. Many organisations have developed an offboarding checklist for third parties, which can consist of both an assessment sent internally and externally to confirm that all appropriate measures were taken. Critical, too, is the ability to maintain a detailed evidence trail of these activities to demonstrate compliance in the event of regulatory inquiry or audit.
Those who have an ability to leverage data, automate manual tasks and set risk appetites will have an advantage over their peers in the next two to three years, enabling risk-based business decisions to be made quickly.
Beyond security
Evaluating third-party risk is not limited to cybersecurity. Organisations also need to ensure that partners are meeting regulatory compliance requirements because a lack of third-party controls can result in data loss and subsequent regulatory fines.
In addition, companies need to ensure that proper operational controls are in place with third parties, because failures can cause businesses to shut down for extended periods.
Third-party failures in any of these areas can result in lost business, financial damage, and a negative impact on the brand and reputation of any company that deals with the business that experienced a breach or disruption.
Concluding Thoughts
It’s important to remember that third-party risk management is not a “set it and forget it” proposition. Because third-party behavior and the threat landscape change over time, organisations need to perform regular assessments of their business partners. They can monitor continuously and in real-time by deploying tools such as vendor risk-management platforms.
The assessment process needs to be repeated for each new third-party partner an organisation hires. By being constantly vigilant, organisations can ensure that the third-party companies they do business with present as little risk as possible.
Third-party risk management takes a lot of effort, but the potential advantages are clear, leading to greater visibility of relationships with partners, which in turn enables companies to better understand the interconnectivity among supply chain parties and the potential risks.
In addition, due diligence allows executives to make more informed decisions about the organisations they do business with. Risks can be identified and controlled. Third-party risk management can also lead to better regulatory compliance because it’s a requirement of many regulations.
Perhaps most importantly, managing the risk of third-party relationships will help keep an organisation’s resources protected against a variety of threats, and its supply chain operating efficiently. To fail to manage it cogently and diligently is just like building a boat in your basement, it is a failure to plan ahead that will result in wasted time and effort.
For further information on our Advisory offerings, please contact Wade Younger or Piers Murray in the first instance, or visit our Advisory section for an in-depth overview