Third Party Risk Management (TPRM) is a pillar of operational resilience. Based on extensive experience, it has become clear that most organisations are unaware of how many third parties are involved in their operations, never mind the risks that those third parties pose to the organisation. There is unquestionable strategic value in employing third parties to assist with the organisation's service or product delivery, including:
The science of managing the risks associated with employing these third parties has, however, lagged behind, exposing organisations to unknown risks.
Some of the key steps to be followed in order to manage these risks include:
- Establishing a centre of excellence based on industry standards.
- Identifying all third parties, beyond just those known to procurement.
- Determining the inherent risk ratings of those third parties.
- Conducting risk-based control assessments to identify the risks that the organisation needs to be aware of.
CONSIDER THE DIFFERENT TYPES OF THIRD PARTIES
“Third parties aren’t going away any time soon, so we need to manage the risks,” says Lee Bristow, Chief Operations Officer for Phinity Risk Solutions.
Making a concerted effort to manage and mitigate third party risk involves identifying and categorising the different types of third parties and how each can impact the organisation. These third parties are diverse, and organisations often do not consider all of the types.
The following diagram outlines the key parts of the business that utilise Third Parties and the typical nature of those Third Parties:
WHAT ARE THE POTENTIAL RISKS POSED BY THIRD PARTY VENDORS?
“43% of organisations do not perform due diligence checks on their Third Parties,” says Patrick Ryan, “so the TPRM process has a shaky start. As the number of Third Parties used by an organisation increases, the number of risks posed to that organisation increases too”.
The diagram below outlines some of the key risks that organisations should be aware of. Typically the management of these risks sits within different functions of the organisation (e.g. Compliance, Enterprise Risk Management, Operational Risk, Information Security), so one of the challenges is to create a process that can cater to all of the internal stakeholders' needs.
Two of the areas leading the drive to adopt third party risk management are:
- Where changes in technology and information security lead to increased risks. For example, increased cloud adoption requires a refreshed Information Security risk approach in order to manage security and compliance risks effectively. From a cyber security perspective, Patrick Ryan notes that "More than 50% of breaches that companies experience are as a result of third parties providing the gateway through which the breach occurs."
- Where legislation (e.g. the General Data Protection Regulation (GDPR)) and industry regulations (banking, insurance and healthcare regulations being the most prevalent) have increased markedly over the past few years, highlighting third parties and the risks that need to be managed. In order to achieve compliance with these varying requirements, organisations need to take a combined approach to the legislative and regulatory frameworks, which differ from company to company. From a data security and cyber security perspective, we have found that ISO27000 and NIST provide robust frameworks that cater for most legislative and regulatory requirements. "Failure to remain informed may result in non-compliance, as each one of these legislations and regulations impacts how an organisation needs to manage third party risks," says Lee Bristow.
WHO SHOULD OWN THIRD PARTY RISK MANAGEMENT?
TPRM is becoming a strategic priority for many organisations. Based on client research, most organisations tend to lean towards a decentralised approach to TPRM because of the size and complexity of the organisation and its pre-existing processes.
Having a variety of TPRM processes can become problematic if they are not managed holistically: the organisation may lack the high-level perspective needed to be aware of all the risks that come with its different third parties, and the varying nature of the processes may lead to inefficiencies.
So, whilst third party risk ownership is an organisation-wide responsibility, organisational leadership should drive toward a shared framework and tools that enable the various risk management processes to share data and create efficiencies. This framework may be owned and overseen by risk management or procurement.
“By implementing a centralised Third Party Risk Management Framework, TPRM processes can be unified under an umbrella of excellence,” says Patrick Ryan.
AUTOMATED RISK MANAGEMENT SOLUTIONS
Based on our experience and research, the vast majority of organisations still use manual processes and spreadsheets for TPRM. This manual approach means that scarce resources spend their time collecting data instead of analysing the data collected and remediating the risks that have been identified. According to Lee Bristow:
"Managing Third Party risk manually is tedious, time consuming and often ineffective. There is a better way to manage third party risks."
Automation, such as the Phinity Risk Solutions platform, can help organisations fast track their TPRM by providing a common framework, risk identification resources, efficient reporting, status tracking and exception-based risk identification – all of which help the organisation cover more risk in an efficient manner.
Phinity provides a true integrated TPRM Framework that pulls together all of the disparate processes into a single unified method to manage risk effectively.