Third parties are important to business success but can introduce risk in various ways.
Working with a third party can introduce risk to your business. If the third party has access to sensitive data, it can be a security risk; if it provides an essential component or service for your business, it can introduce operational risk; and so on. Third-party risk management enables organisations to monitor and assess the risk posed by third parties and to identify where that risk exceeds the threshold set by the business. This allows organisations to make risk-informed decisions and reduce the risk posed by vendors to an acceptable level.
Third parties are key to the success of a business. Organisations of all sizes are becoming increasingly reliant on third parties for their innovation, growth and digital transformation.
But a strong reliance on third parties can be risky. The risk posture of a third party is crucial to the risk posture, resilience and reputation of the company that uses it. A third-party incident can be very costly and difficult to deal with, with consequences including regulatory action, damage to reputation and loss of revenue. Third parties need to be carefully vetted, with ongoing risk assessments, to ensure that the organisation remains protected and secure.
Until recently, vendor risk management has been time-consuming and error-prone, consisting of manual processes built on emails, spreadsheets and siloed vendor risk management tools. These processes and tools are simply inadequate: neither the tools nor the teams can keep up with the growing number of third parties. Common challenges faced by enterprises that haven't implemented modern or comprehensive solutions include:
Below are some important considerations that need to be taken into account when choosing a third party. The answers will determine the level of risk they pose to the business:
Strategic risk arises when third parties and organisations aren't aligned on decisions and objectives. It is crucial to monitor third parties to make sure that strategic risk doesn't lead to non-compliance or, eventually, financial risk.
The reputation of a company can also hinge on the reputation of a third party with whom they do business. If a third party has an issue with reputation or a data breach, it can lower customer trust in a business that works with the third party.
Operations can hinge on third-party applications and services, and there is always a risk that the third party falls victim to a cyber attack or a lapse in service, leading to operational interruptions, loss of data or a privacy violation. If fourth parties are involved, the same concerns apply to them.
There can be issues with a product or service delivery from a third party, which can cause transactional issues within an organisation.
Standards are slowly beginning to incorporate third-party risk as a requirement for compliance, so the risk tolerance applied to compliance should be extended to third parties as well.
Regardless of the form data takes, allowing a third party to interact with it carries a degree of risk, including the risk of unauthorised access, disruption, modification, recording, inspection or destruction of information.
It is important to work with financially viable third parties to avoid disruptions to the supply chain. Additionally, third parties who are in financial trouble may not be as focused on security measures, leaving themselves open to unnecessary risk.
There are a few essential steps for third-party risk management:
When considering working with a third party, it is important to perform an initial risk assessment as part of the decision-making process, prior to formally bringing the third party on board. External data, for example cybersecurity ratings that gauge the third party's security posture, gives a broader picture of the risk. This reduces the chance of unknowingly inheriting undesirable risk.
Either as part of the initial risk assessment, ideally performed prior to onboarding, or as soon as the third party has been brought on board, a tiering assessment should be performed. This assessment is performed internally and places the third party in a tier that dictates the type and frequency of assessments it will receive. Tier 1, or critical, vendors are the highest tier. Some vendors may be placed in a tier that does not require regular assessments (for example, the third party that cuts the grass). External data from, for example, security ratings providers can be used to adjust the tier if necessary.
Third parties in the upper tiers should have regular risk assessments performed. These should be based on the area of risk posed by the third party. For example, vendors who manufacture a component may be asked about employee health and safety, while consulting firms may not; but all third parties would be asked about their security posture and financial viability. The frequency of these assessments is based on the tier, with the highest tier assessed most frequently.
When an assessment is returned, some responses may be unsatisfactory or incomplete. Any objective external data collected about the third party's financial or security posture should also be evaluated at this time for issues. Issues, or findings, can then be returned to the third party for a response.
There may be a period where an assessment goes back and forth, tasks are generated, issues are responded to and evidence is provided if necessary. All communication should be captured for future reference. In the end, there may be some risks that are accepted.
After identifying, analysing and remediating the risk, report on it to the necessary parties. All stakeholders should be able to get the level of visibility they desire.
As previously mentioned, third parties should be continuously assessed, which ideally means monitoring for any change in risk or performance. This can be done through more frequent assessments or through external data feeds such as continuously updated cybersecurity ratings. A change should automatically trigger an issue, an assessment and/or a tier change. Continuous monitoring is crucial to ensure that all third parties are fulfilling their obligations and do not pose an undesirable risk to the organisation.
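The steps above (initial risk factors, tiering, tier-based assessment frequency, and continuous monitoring that raises an issue or re-tiers a vendor when an external rating moves) are the kind of logic a TPRM workflow automates. The following Python model is an added illustration, not code from the page or from ServiceNow: the scoring weights, the tier-to-interval mapping, the 0-100 rating scale, the 15-point drop threshold and the sample vendors are all constructed assumptions chosen to make the mechanics visible.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Tier(IntEnum):
    """Tier 1 is the critical, most frequently assessed tier (constructed scale)."""
    TIER_1 = 1
    TIER_2 = 2
    TIER_3 = 3
    NO_REGULAR_ASSESSMENT = 4


# Assumed assessment cadence per tier, in days; None means no regular assessment.
ASSESSMENT_INTERVAL_DAYS = {
    Tier.TIER_1: 90,
    Tier.TIER_2: 180,
    Tier.TIER_3: 365,
    Tier.NO_REGULAR_ASSESSMENT: None,
}

# Assumed: an external security rating falling by this much raises an issue.
RATING_DROP_THRESHOLD = 15


@dataclass
class ThirdParty:
    name: str
    handles_sensitive_data: bool   # information-security risk
    business_critical: bool        # operational risk
    financially_stable: bool       # financial risk
    security_rating: int           # external rating, 0-100 (constructed scale)
    tier: Optional[Tier] = None
    issues: List[str] = field(default_factory=list)


def assign_tier(tp: ThirdParty) -> Tier:
    """Internal tiering: weight the risk factors and map the score to a tier."""
    score = 0
    if tp.handles_sensitive_data:
        score += 2
    if tp.business_critical:
        score += 2
    if not tp.financially_stable:
        score += 1
    if tp.security_rating < 60:       # external data can push a vendor up a tier
        score += 1
    if score >= 4:
        return Tier.TIER_1
    if score >= 2:
        return Tier.TIER_2
    if score >= 1:
        return Tier.TIER_3
    return Tier.NO_REGULAR_ASSESSMENT


def assessment_due(tp: ThirdParty, days_since_last: int) -> bool:
    """True when the tier's cadence says a new assessment should be sent."""
    interval = ASSESSMENT_INTERVAL_DAYS[tp.tier or assign_tier(tp)]
    return interval is not None and days_since_last >= interval


def apply_rating_update(tp: ThirdParty, new_rating: int) -> List[str]:
    """Continuous monitoring: react to a new external rating.

    A drop at or beyond the threshold raises an issue; any change that moves
    the vendor's tier updates it. Returns the events triggered, in order.
    """
    events = []
    old_rating = tp.security_rating
    tp.security_rating = new_rating
    if old_rating - new_rating >= RATING_DROP_THRESHOLD:
        tp.issues.append(f"security rating dropped {old_rating} -> {new_rating}")
        events.append("issue_raised")
    new_tier = assign_tier(tp)
    if new_tier != tp.tier:
        tp.tier = new_tier
        events.append("tier_changed")
    return events


def onboard(tp: ThirdParty) -> ThirdParty:
    """Tiering performed at onboarding; later updates may re-tier the vendor."""
    tp.tier = assign_tier(tp)
    return tp


if __name__ == "__main__":
    # Constructed sample vendors.
    lawn = onboard(ThirdParty("lawn care", False, False, True, 85))
    payroll = onboard(ThirdParty("cloud payroll", True, True, True, 80))
    parts = onboard(ThirdParty("parts supplier", False, True, False, 70))
    for v in (lawn, payroll, parts):
        print(v.name, v.tier.name, "due after 100 days:", assessment_due(v, 100))
    print(parts.name, apply_rating_update(parts, 50), parts.tier.name, parts.issues)
```

Running the module tiers the lawn-care vendor out of regular assessment, places cloud payroll in Tier 1 and the parts supplier in Tier 2; when the supplier's external rating then falls from 70 to 50, the drop raises an issue and the lower rating lifts the supplier to Tier 1, which is the automatic trigger the monitoring step describes.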
All organisations should have a formal process to retire third parties and ensure all information that should not be stored is permanently deleted.
Manage risk and resilience in real time with ServiceNow.