Managing Third-party Risk with Integrity

  • Gary Lynam, Director of Advisory & Customer Success at Protecht

  • 19.07.2023 10:45 am
  • #RiskManagement

In today’s interconnected and digital world, reliance on third parties has skyrocketed, exposing organisations to a wider range of risks within the supply chain. How can we manage third-party risk more effectively with enhanced resilience, lower costs and improved visibility, asks Gary Lynam, Director of Advisory & Customer Success at Protecht.

Recently, in the UK, we’ve seen regulatory changes come into force with emphasis on third-party risk management to achieve operational resilience, such as the PRA’s Operational Resiliency Rules and FCA’s Consumer Duty compliance. Clearly, Third Party Risk Management (TPRM) is a topic of great importance and identifying, assessing, and managing the risks associated with third parties and related supply chains is now expected as a given.

That’s because inadequate TPRM can lead to significant repercussions, such as financial ramifications, harm to reputation, and legal obligations. A good example is when a vendor experiences a data breach, resulting in the compromise of sensitive customer information, causing trust and revenue to plummet. Likewise, if a vendor fails to comply with regulations, the organisation may face substantial fines and legal consequences.

For example, in 2022, Okta faced a major security incident that originated with a third-party vendor: its source code was accessed following a breach of its GitHub repositories. Okta discovered that hackers used this malicious access to copy code repositories associated with its security solution. Okta had previously been targeted by the Lapsus$ extortion group, which gained access to the account of one of Okta’s third-party service providers and posted screenshots of Okta’s apps and systems.

Tech giant Microsoft is a frequent target of cyber attacks, which further demonstrates the rise in software supply chain security breaches. In 2021, the company experienced a series of breaches, known as the HAFNIUM attacks, which compromised the on-premises Microsoft Exchange Servers of 30,000 global organisations. Hackers were able to access employee email accounts and install malware to facilitate long-term access. Months later, 38 million records were exposed due to a vulnerability in Microsoft Power Apps. In this case, the hackers were able to gain access to COVID-19 testing, tracing, and vaccination records, as well as employee information for major organisations using the tool, such as Ford Motor Company, American Airlines, and the New York Metropolitan Transportation Authority.

But what do we mean when we talk about third parties? It can be anyone from contractors to consultants, suppliers to vendors. Of these, vendors are usually where most risk lies. Nevertheless, there are a set of guidelines that can help you minimise risk while boosting resilience, efficiency and transparency.

Introducing effective TPRM

TPRM encompasses the identification, evaluation, and reduction of risks associated with external parties. In recent times, this has extended to include fourth and fifth parties to ensure that even the suppliers' suppliers don't pose potential issues. TPRM adopts a comprehensive approach that surpasses conventional vendor management practices, such as overseeing service-level agreements and renegotiating contract terms during renewals. It aims to proactively manage and mitigate risks across the entire enterprise.

TPRM involves a structured and systematic approach to managing risks associated with third parties. The lifecycle of risk management involves three main stages – pre-onboarding, ongoing monitoring and offboarding. Each of these can be broken down into specific phases, covering identification, due diligence, SLA compliance, contract renewals, ongoing risk assessments and much more.

Begin by defining the scope of your TPRM programme, looking at which potential partners are involved and the types of risks you need to manage. Identify the key internal stakeholders and secure their buy-in from the outset. Then, assess your current state, develop a roadmap and build your TPRM programme and policies accordingly.

This will necessitate the establishment of specific processes and criteria for the partner lifecycle, such as:

  • The criteria, thresholds and tolerances when assessing the tier of a vendor

  • The standard of documentation and evidence you expect from vendors

  • The extent of due diligence you require for different tiers of vendors

  • The types of risks you want to assess, and the way these risks will be assessed

  • The criteria to inform Go/No-Go decisions

You’ll also want to define monitoring and assessment procedures for the duration of the partnership. How best can we deliver on these principles? Simply put, find an enterprise risk management (ERM) specialist who will do most of the heavy lifting and automate some of the more monotonous aspects of the programme. It is perhaps ironic that when it comes to managing partner risk, the best first step is to find an ERM partner, so don’t forget to do due diligence on whoever you are considering.

The benefits of TPRM

Once you have built a robust TPRM programme, you can expect to reap the rewards.

Enhanced risk management and resilience: TPRM delivers a holistic view of your partner ecosystem, identifying potential risks that may arise across the network. While addressing a single partner with inadequate cybersecurity measures is important in the short term, having multiple weak ones can lead to disastrous consequences. By identifying these risks early on, organisations can take proactive measures to manage them effectively and prevent potential disruptions to their operations.

Efficiency and cost savings: Relying on manual processes to assess and monitor vendor risks can be a tedious and inefficient task. Typically, these manual procedures rely heavily on spreadsheets and can lead to challenges such as lost emails, resulting in data gaps and incomplete information. TPRM introduces automated, streamlined processes to reduce the likelihood of incidents such as disruption to operations, data breaches, and compliance failures caused by third parties. Automation means employees can focus on higher-value tasks, lowering costs and improving efficiency.

Controls assurance: Streamlining the process of meeting due diligence and audit requests gives confidence to customers and prospects and reduces audit fatigue. Controls assurance also helps to build a risk-aware culture within your organisation by increasing staff awareness of risk and controls, and by driving improvements for you and your customers.

Improved transparency: A rigorous TPRM programme will enable greater visibility into your partner ecosystem, providing insight into each partner’s risk posture and the associated impact on your business; real-time resource and activity status; and an aggregate view of the entire environment. Such transparency ultimately leads to better operational resilience and improved business outcomes.

In our increasingly interconnected world, organisations depend on a growing number of partnerships; at the same time, risks, whether they result from malicious actors or human error, are always on the rise. Implementing a strong TPRM programme now will give you peace of mind as you continue to expand your partner network.
