Managing third party risk starts off easy, but as the organization matures, it becomes more unwieldy. With one or two vendors, you can leverage spreadsheets to manage risk. As your organization becomes larger, however, your needs become more complex and the spreadsheets often lead to disorganization. For a strong third party risk management program, take a lesson from Vanilla Ice: “Stop, collaborate, and listen.”
With this in mind, Reciprocity presents “Follow the Data: 9 Strategies to Making Third Party Risk Less Opaque” with speakers Michael Rasmussen and Aaron Kraus.
How are you managing third party risk?
More than 40% of the webinar’s poll respondents indicated they are tracking third party risk with emails and spreadsheets, while 21% aren’t currently managing the third party risk at all. Finally, 14% already use a GRC tool.
Michael Rasmussen noted that these percentages track with his experience. Most organizations are managing third party risk through an elaborate system of documents, spreadsheets, and emails. This adds a lot to the cost of third party management.
With today’s interconnected mesh of business relationships, over half of an organization’s “insiders” are third parties such as vendors, outsourcers, suppliers, service providers, contractors, consultants, temporary workers, brokers, dealers, agents, and intermediaries. This means that third party management is one of the most important ways to create a safe information environment and enforce a strong security stance. Implementation of GDPR incorporates vendor management and has significant impact for US businesses.
I sat on one major Fortune company’s social accountability advisory boards, helping them with international labor standards like child labor, forced labor, working hours, and wage an hour, across their global supply chain of 20,000 facilities. There’s the UK modern slavery act, and California’s transparency and supply chains act. There’s just a lot of pressures on third party management and anti crime and corruption, like the US Foreign Corrupt Practices Act. There’s a lot of these pressures that extend from information security and privacy into social accountability, environmental, health,safety, international labor standards, and so forth. Organizations have to be able to manage all this, and keep track of it.
Businesses currently send out assessments and add statements to those records. However, vendors don’t always reliably complete the forms. This leads to a back and forth that gets messy. When regulatory agencies crack down, businesses need an actionable system of records to ensure that audits provide the who, what, where, when, and why of compliance actions. This means that you may need to change how you currently manage third party risk.
What is the most effective strategy for managing third party risk?
Business naturally fluctuate in their needs, vendors, and processes. An effective third party risk management strategy needs to be fluid. Saying you need fluidity is one thing, but creating a responsive strategy requires a lot of effort.
An effective program requires a charter and collaboration between different groups. Breaking down the information silos inherent in an organization leads to a collaborative effort that involves areas of procurement, legal, corporate compliance and ethics, risk management, IT security, and many others.
Why is understanding risk a foundational component of a third party management system?
Your third party management needs to be built on a foundation of concrete, not sand. To do this, you need to find a fit that allows you to expand as your family of vendors grows.
Each relationship brings risk as well as value. Some relationships come with information and privacy risks because they touch sensitive data. However, the relationship’s danger is outweighed by the cost savings.
In order to appropriately evaluate relationships, you need to categorize the overall exposure, monitor changes in those relationships, and assess the state of risk and compliance in those relationships. This needs to be done prior to onboarding but also throughout the duration of the relationship. As security practices change, vendors need to respond to those changes. This means that you need to be able to ensure that your relationships stay in line with your own risk.
Michael shared 10 questions that organizations should ask when evaluating risk.
- What is the scope of the third party management program?
- Is it just IT security? Or does it include things like international labor standards, health, safety, conflict minerals, and other aspects that impact third parties as well?
- What’s the scope and focus of the third party management program?
- What’s our audience? Are there different types of third parties?
- How do we categorize them?
- Do we categorize them by geographic region and regulatory ladnscape? Won’t that create risk by geographic location?
- Do we categorize risk by type of data and information that they’re accessing?
- Is it a small relationship that impacts just one office, or is it a massive underpinning relationship that can significantly impact the objectives of the organization?
- What are the resources needed to manage these third parties?
- How do we make things accessible to them?
This is where the software as a service (SaaS) solution offers value. SaaS GRC solutions organize the question and answer process, enabling those on the ground to better manage and monitor the program while easing the process of board oversight that is required by some industries like financial services.
What are the five process focused strategies for managing third party risk?
Understanding the importance of process focused risk management strategies will allow you to to capture privacy risk data more effectively.
Managing third party risk starts with the front office. Vendor management revolves around the people who own the relationship with the vendor. Your vendors will be accessing your systems, reading your policies, and taking your assessments. To control the flow of information, you need an intuitive technology that supports this life cycle.
Procurement, legal, contracting, corporate compliance and ethics, risk management, and audit can all be involved. To manage all these moving parts of your third party risk, you need a solution that shows both the minutiae and the big picture.
The word “operationalization” sounds like something process managers say to describe a phenomenon you’ve never seen before. Its meaning, however, is simple. When we engage in a operational process, there are specific tasks and notifications we use to make that process ongoing. Michael offered three questions to help you organize your information.
- How do we integrate third party systems with other GRC systems?
- How do we understand our third party risks in the context of enterprise and operational risks?
- How can we integrate our third party systems with our supplier systems or our procurement systems?
Content and Intelligence
You need to do research before hiring a third party vendor to work with your organization. If someone will have access to your customers, you want them to be trustworthy. You wouldn’t let a random stranger into your home, so don’t let one into your business. Again, Michael offered several questions to guide the screening process.
- Do they have negative news out there? Are they having issues that are publicly known?
- What do their financials look like?
- Can we look at their Dun & Bradstreet or other public resources?
- Can we integrate this information with some of the security rating systems to see the overall scoring of these solutions?
Managing third party risk isn’t a sedentary process. Mobile devices are used to conduct inspections and gather evidence. Cameras in those devices document that information. To create an appropriate documentation system, organizations need to address the way “Bring Your Own Device” policies interact with third party risk.
What process based questions help manage third party risk?
Understanding the process based strategies that manage third party risk means asking the right questions to get the right information. With that in mind, Michael suggested six queries.
- Who owns this relationships?
- Who needs to be notified when there are issues or things that need to happen in the relationship?
- What policies govern this relationship?
- Are there regulatory obligations that govern this relationship?
- Where in the organization does this relationship fit and intersect?
What is the value of technology to managing third party risk?
Technology provides a system of record and audit trails to show not only what was assessed, but also when that assessment occurred. Policies to manage third party risk work only when they are supported by processes also.
Michael shared the case of Morgan Stanley and the Foreign Corrupt Practices Act (FCPA). In 1977, the federal government passed the FCPA to protect against foreign corruption. In 2012, Morgan Stanley was the first company that had bribe and corruption in its ranks but was not prosecuted. As Michael shared, “The memo’s right there in the Department of Justice website, praising Morgan Stanley’s compliance program, including the third party management aspect, for being able to demonstrate compliance. So this system of records becomes critical in third party management.”
Even though they had the policies and procedures in place, corruption still developed. However, Morgan Stanley did what it could to guard against corruption, documented that, and was therefore safe from prosecution.
What tools-focused strategies help facilitate the process-based strategies?
Tools should be used to strengthen processes. Business processes should drive tools, not the other way around. While Michael organized a top-down management hierarchy for processes, Aaron provided the tools necessary for these processes.
Facilitate stakeholder communication
The appropriate tools are often determined by the key stakeholder. While Michael shared the importance of collaboration, Aaron showed what areas you need to engage when deciding on tools. One of the main stakeholders, noted Aaron, is the business owner or business line for whom the third party is working. These individuals often get left out of the process.
Meaningful metrics matter
Key performance indicators (KPIs) often assist senior management with decision making. When looking at measurements, remember that the information needs to be meaningful. If you live in a place where the speed limit is posted in miles per hour, but your speedometer shows kilometers per hour, you don’t have useful information to avoid a ticket. KPIs work the same way: you need to find the right tools to give you the measurements that match your business processes.
Automate the small stuff
Automation doesn’t mean having a computer do the work for you; it means smoothing out the wrinkles in your processes. Certain key interaction points may have multiple stakeholders. This means your tools need to be flexible, allowing your organization to eradicate information silos by gathering or expanding requirements that automate these interactions. As Aaron reminded everyone, “If I have to follow up via email, or dive into a network share to find the most recent information, that’s not a good use of my time, and it’s not providing me with a direct actionable intelligence.”
Find risk management integrations
Tools—like emails, word documents, and spreadsheets—create disparate information locations. This means that information gets lost. Integrating risk management means working with not just stakeholders, but also with reports and information. For example, Aaron shared,
We actually uncovered a risk to availability (part of the information security triad) by mining an accounts receivable system to detect non-performance SLA payments that were being made by vendors. If vendors or third parties continually had to pay credits back to the organization for not hitting their SLA targets, that indicated a higher risk that the vendor might not be able to provide the service on time against the SLA requirements that we had established. That was actually a key metric that we tracked to maintain availability.
Recognize that important information may be hidden within an area not connected to your third party risk management. This might be the biggest motivator of all for creating a secure program.
How important are risk management frameworks?
When polled, 46% of those attending the webinar didn’t have a framework, and 30% were using something other than SIG or SIG Lite.
Many organizations aren’t using frameworks to approach third party risk. Frameworks may help facilitate risk management, but they aren’t strictly necessary. To successfully manage third party risk, you need a focused strategy (and the supporting technology) to show how third parties intersect and interconnect with your risk areas.
Questions and Answers
How long does it take to get an MVP of a third party management program up and running?
It really depends on the size of the organization. Are we talking about a small organization or a large organization? Based on the number of third parties and other factors, it can vary significantly. Some of the providers in the market that Gartner and Forrester love are very bespoke buildouts, and they take a lot of time to implement. I’ve seen implementations that go over six months to over a year, while some of the newer providers on the market have nimble solutions, particularly softwares and service type solutions, that can be rolled out within a month or two.
How do you come up with a third party risk score?
You can deep dive into a lot of math here. We did some basic addition of different factors, including the results of audits and SLA performance. We also looked at certain attributes of the vendors themselves. Did they have a dedicated security professional; did they have dedicated security resources? We added all of that up and did a little bit of multiplication to weight some factors—the on-site assessments that my team performed were weighted a little bit higher because we were actually reviewing things. We simply turned that into a percentage score, so we had comparability across the different vendors.
Where’s a good place to start, if someone’s interested in launching a third party risk program?
To me, it’s that collaboration standpoint—this is an island that I’m going to do with information security. But it does involve other groups, like procurement, legal, compliance, and ethics. To me, it’s about building that collaboration and starting a committee of all the people that have a vested interest in third party management.
The place that I always start is getting a handle on what exactly you are trying to manage and figuring out what percentage of your business is being done by third parties. That’s going to drive a lot of decisions: how robust a process you need, how robust a tool you need. f you have only one or two vendors, things can probably be a little bit more informal, whereas if you have 1,200 vendors who are doing all aspects of your business, you’re going to need a much more robust tool and obviously much more robust processes.
For all of the expertise shared by experts Michael Rasmussen and Aaron Kraus, watch our webinar, “Follow the Data: 9 Strategies to Making Third Party Risk Less Opaque.”
Michael Rasmussen is an internationally-recognized pundit on governance, risk management, and compliance, with specific expertise in enterprise GRC, GRC technology, corporate compliance, and policy membership. With 22 years plus of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He’s a sought-after keynote speaker, author, and advisor, and is noted as the father of GRC, being the first to define and model the GRC market in February 2002 while at Forrester. Michael’s presentation focuses primarily on the process side of third party risk.
Aaron Kraus, the head of GRC and InfoSec for Reciprocity, is a CISSP and CCSP who thrives on the challenge of balancing information security risk management with corporate agility. He has consulted across a range of industries including government, financial services, and healthcare, and his expertise spans designing, implementing, and auditing information security control programs that mitigate risk without impeding the organization’s objectives. Aaron is a passionate educator with teaching experience in a wide range of courses, including CISSP exam prep, Mac OS X, and SharePoint, as well as security awareness.