Third-Party Risk: Be careful who you play with
Many firms were ignorant of third-party risk scale and impact even before lockdown. With the new reliance on distant supply chains and remote technology services, Bill Mew considers how firms should manage one of the fastest-growing categories of risk.
Reliance, integration and complexity
Trade requires goods to move smoothly in one direction, payment to move in the other, and data to move in both. Reliance can come in many forms.
Many firms rely on the supply of goods and struggled when supply chains were interrupted during lockdown. Others are reliant on payment, operating on thin margins and with limited reserves. When cashflow dries up, these companies suffer a great deal.
Increasing levels of integration mean firms are sharing more data across supply chains, opening themselves up to data privacy and security risks. These forms of reliance on third parties increase as ecosystems become more complex.
Firms often have inadequate partner inventories and lack the full picture of their associated third parties, which makes managing the risk harder still.
Supply chain risk
Adding to supply interruption, companies must be alert to corruption and contamination. Firms that use ingredients or components from suppliers need to minimise the risk that these will be compromised.
There is also a risk that laws are broken during production, for example through the use of child labour, the payment of bribes, or some form of engagement with embargoed economies.
Procurement fraud is also an issue within the supply chain. Research from SAS revealed that procurement fraud is more common than bribery, corruption and cybercrime. It is widespread in the UK, which lags behind many other countries in its detection capabilities.
British companies, on average, lose significantly more money to procurement fraud, with 40% of UK firms hit each year for between €150,000 and €400,000. The country is far more reliant on ineffective manual detection techniques than other nations, rather than on analytics or AI.
Business continuity risk
The provision of computing services is an area of particular reliance, exacerbated by the move to cloud computing. While the cloud has been a boon for businesses with employees working from home and needing to access application systems remotely, it becomes a liability when there is an outage or any kind of communications issue.
The reliance on cloud suppliers is an issue taken particularly seriously in regulated industries such as banking. In its three recent technical papers the EBF Cloud Banking Forum set out guidance for the use of cloud, cloud exit strategies, and a cloud outsourcing register, to help banks address these risks.
Firms today are not only reliant on cloud and managed services providers to run their application systems, but they also have an ecosystem of partners that are granted access to these IT systems or entrusted with sensitive company data.
A study from the Ponemon Institute showed that 59 per cent of companies have experienced a data breach caused by one of their vendors or third parties, yet only 16 per cent say they effectively mitigate third-party risks.
Information sharing no longer only occurs across the distribution supply chain, but it could also include outsourced digital marketing agencies or indeed professional services firms like accountants or solicitors.
Not enough firms have a clear idea of how many third parties there are in their ecosystem, and which of these have access either to their customer data, their financial data, or even their intellectual property.
Most firms only do a decent job of assessing and reviewing a fraction of their partners, and few do adequate due diligence on information security or any kind of privacy assessment.
High profile third-party data breaches have included British Airways and Equifax. Indeed, data breaches originating from a third-party – such as a partner or supplier – cost companies $370,000 more than average.
Forrester analyst Alla Valente, author of a new study of Third-Party Risk Management Platforms, suggests that you start by agreeing “on the definition of what a third-party relationship is. You need to get as comprehensive a catalogue as possible.
Secondly, update your definition of what critical is; stop thinking in very traditional antiquated ways.” Valente also says that firms should actively monitor third-party access as contracts expire and have an ‘offboarding’ process.
Effective third-party risk management (TPRM)
Firms need to consider the impact third parties can have on service or product delivery, as well as the risk of violations of laws, rules, regulations and ethical standards. This is on top of the data risk arising from unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
Effective TPRM requires close management of the process of identifying, assessing, and controlling these risks and others throughout the lifecycle of your relationships with third-parties. It can start during the procurement process and often extends all the way through the end of the offboarding process.
At a minimum you need:
- Central visibility into all third-party relationships and contracts
- A formal, pre-contract risk assessment and due diligence process
- Use of standardised, risk-mitigating contractual terms and provisions
- Risk-based monitoring and oversight
- Formal offboarding at the end of the relationship
And you not only need to consider all direct relationships but also any downstream relationships - those with vendors, suppliers, and contractors used by your own third parties. Risk extends right down the supply chain, so it’s important to know who they are and how they are managed.
With many firms reconsidering their supply chain relationships in light of the pandemic and considering on-shoring some contracts, now is as good a time as any to consider third party risk and how it can be managed.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...