The mere terms third-party, supplier, vendor, service provider and customer demand context and definition. Either an organization conducts cybersecurity and privacy due diligence on critical third parties or is on the receiving end fielding customer due diligence requests – and often, doing both. Wherever each organization is on the third-party risk management journey, its leaders should know that the discipline has evolved dramatically in recent years – and for the better.
At the 2022 Shared Assessments Summit held in early May, the words trust, accountability and risk reset were clear and present themes. A departure from a conversation once focused on sustainably managing prohibitively daunting workloads, these reflections herald a ‘back to the basics’ mantra. This post underscores what going back to the basics can do for an organization, how automation can help and why it’s important to do so now on the journey toward managing more risk, per dollar spent.
Why the change in tone?
The transition is marked partly by recent tragic outcomes. A string of pervasive and humbling attacks in 2021 – SolarWinds and Kaseya, to name two – has proven decisive in shifting third-party risk toward one of fundamental importance. These catastrophic cyberattacks, along with the COVID-19 pandemic and a multi-dimensional war in Ukraine, have elevated third-party dependencies as critical threats to an organization’s integrity. Further, third-party risk is no longer synonymous with ‘the most regulated’ industries with money to spend. Others are grasping the risk and exploring techniques that accomplish more with less, stimulating fresh conversations to find efficiencies.
Back to the basics: Knowing is half the battle
Establishing a proper lens for third-party oversight will reduce the time and effort required to make confident risk management decisions. This is achieved by investing time in the foundational thought processes below:
- Establish the scope and inventory of the organization’s critical third-party dependencies and risk exposure
- Identify who defines the organization’s risk appetite for engagements with third parties
- Right-size the level of initial and ongoing due diligence based upon prioritized risk tiers and sustainability
- Define roles and responsibilities for making risk management decisions
It is hard to overstate the importance of defining the scope of the organization’s third-party risk exposures in a sustainable fashion. The purpose of doing so is to support the prioritization of due diligence efforts in alignment with the organization’s risk appetite. Organizations that have not itemized and reconciled their third-party relationships against consistent risk criteria, business-critical processes and applications are vulnerable to a broader range of misadventures.
A right-sized level of due diligence allows the organization to prioritize its efforts strategically and predictably. For example, organizations relying upon a third party’s SOC2 Type II attestation should carefully review the scope of systems covered under the SOC2 attestation, as well as the delta between the SOC2 Trust Services Criteria and the organization’s own policies and procedures. This step allows clear determination of whether additional effort is required to satisfy risk appetite, while also proactively vetting the results of due diligence for relevance. Decision-makers can act confidently when empowered with relevant risk insights, along with clearly defined roles and responsibilities.
The next step on the journey, whether transitioning an existing program toward a new heading (which can feel like turning an aircraft carrier) or creating structure where there is none, is to re-focus on a set of tactical questions:
- What data must be gathered to assess third-party risk?
- How would this data be gathered, and when?
- What are the expected actionable outcomes of due diligence?
Staying grounded in the basics helps sustain the organization’s focus on managing risk and preventing costly distractions begotten of daunting workloads. The Shared Assessments Vendor Risk Management Maturity Model offers comprehensive guidance toward building the infrastructure to support these objectives.
Automation: Enabling effective resource management
The organization’s requirements must be put into perspective with an improving capability landscape. Open-source intelligence and process acceleration have, in combination, revealed opportunities to expand risk visibility on a commoditized basis. Examples of automation include:
- Continuous risk monitoring platforms, providing real-time alerting of third-party cybersecurity issues, reputational considerations and other elements of risk exposure
- Automated mapping of documentation, such as policies, third-party attestations and questionnaires, against industry standard frameworks
- Exchanges, which allow for the purchase of basic entity information and continuously updated cybersecurity assessment results
Smart use of automation allows organizations to manage blind spots that can manifest through exclusive reliance upon manual and point-in-time due diligence – without breaking the bank with headcount or professional services.
Completing the circuit: Answering the ‘so what?’ question
Sustainable, risk-based third-party due diligence should set up timely and risk-informed business decisions. This may influence several actions, including but not limited to:
- Third-party selection
- Amended contracts
- Remediation of specific cybersecurity gaps
- System architectural and/or privacy data governance decisions
- Undertaking alternative initiatives entirely
- Risk acceptance or transfer
- Risk mitigation and compensating controls
Finally, vigilance was another key theme at the Summit, further underscoring the need for proactive risk mitigation. The pandemic has forced an existential shift toward nimble, scenario-based readiness and responsiveness as opposed to traditional business continuity and disaster recovery planning. This has proven cumbersome in the face of rapidly evolving factors and there is still much to learn. For example, organizations can ingest third-party risk alerts into their security event monitoring processes and use automated prioritization to anticipate disruptions or events, as threat levels change. This further broadens the organization’s risk visibility, enabling more risk-informed actions with reduced effort. And the cycle begins anew.
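The following is an added example, not code from the original post or from Shared Assessments. It ties together two points above: right-sizing oversight by prioritized risk tier (the inventory and tiering steps in the "Back to the basics" list) and ingesting third-party risk alerts into security event monitoring with automated prioritization. The vendor names, alert records, tiering rule and weights are all constructed assumptions chosen to illustrate the mechanics; a real program would derive them from its own risk appetite and criteria.

```python
"""Risk-tiered prioritization of third-party risk alerts.

Added illustration (not from the original post). Vendor names, alerts,
the tiering rule and the weights are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Tier(IntEnum):
    """Due-diligence tier; a lower number means a more critical dependency."""
    CRITICAL = 1
    HIGH = 2
    MODERATE = 3
    LOW = 4


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_sensitive_data: bool      # processes PII, PHI, payment data, etc.
    supports_critical_process: bool   # an outage would halt a core business process
    has_network_access: bool          # VPN, API integration or on-premises presence


@dataclass(frozen=True)
class Alert:
    vendor: str
    category: str   # e.g. "breach_report", "exposed_service", "reputational"
    severity: int   # 1 (informational) .. 5 (confirmed compromise)


def assign_tier(v: Vendor) -> Tier:
    """Constructed tiering rule: count how many of the three risk factors apply."""
    factors = sum((v.handles_sensitive_data,
                   v.supports_critical_process,
                   v.has_network_access))
    return {3: Tier.CRITICAL, 2: Tier.HIGH, 1: Tier.MODERATE}.get(factors, Tier.LOW)


def build_inventory(vendors: List[Vendor]) -> Dict[str, Tier]:
    """The reconciled inventory: every known third party mapped to its tier."""
    return {v.name: assign_tier(v) for v in vendors}


# Constructed weights: an alert about a tier-1 vendor counts four times as
# much as the same alert about a tier-4 vendor.
TIER_WEIGHT = {Tier.CRITICAL: 4, Tier.HIGH: 3, Tier.MODERATE: 2, Tier.LOW: 1}
# A third party that is not in the inventory is itself a finding (the scope
# was incomplete); treat it like a HIGH-tier vendor until it is reconciled.
UNKNOWN_WEIGHT = 3


def score_alert(inventory: Dict[str, Tier], alert: Alert) -> Tuple[int, str]:
    """Return (priority score, triage note) for one inbound alert."""
    tier = inventory.get(alert.vendor)
    if tier is None:
        return alert.severity * UNKNOWN_WEIGHT, "vendor not in inventory: reconcile before acting"
    return alert.severity * TIER_WEIGHT[tier], f"tier {int(tier)} ({tier.name})"


def prioritize(inventory: Dict[str, Tier], alerts: List[Alert]) -> List[Tuple[int, Alert, str]]:
    """Order alerts for the monitoring queue: highest score first, vendor name as tie-break."""
    scored = []
    for alert in alerts:
        score, note = score_alert(inventory, alert)
        scored.append((score, alert, note))
    scored.sort(key=lambda item: (-item[0], item[1].vendor))
    return scored


# Constructed sample inventory and a constructed batch of monitoring-platform alerts.
VENDORS = [
    Vendor("PayrollCloud", True, True, True),      # all three factors -> CRITICAL
    Vendor("MarketingCRM", True, False, True),     # two factors        -> HIGH
    Vendor("OfficeSnacks", False, False, False),   # no factors         -> LOW
]
ALERTS = [
    Alert("OfficeSnacks", "breach_report", 5),
    Alert("PayrollCloud", "exposed_service", 3),
    Alert("MarketingCRM", "reputational", 2),
    Alert("ShadowSaaS", "breach_report", 4),       # never inventoried
]


def demo_queue() -> List[Tuple[int, Alert, str]]:
    """Prioritized queue for the constructed sample data."""
    return prioritize(build_inventory(VENDORS), ALERTS)


if __name__ == "__main__":
    for score, alert, note in demo_queue():
        print(f"{score:>3}  {alert.vendor:<13} {alert.category:<16} sev={alert.severity}  {note}")
```

The point the sample data makes is that severity alone is a poor queue order: the severity-5 breach report about a low-tier snack supplier lands at the bottom, below a severity-3 exposed-service alert about the critical payroll provider, and the alert naming a vendor nobody inventoried surfaces near the top so the scope gap gets closed rather than silently ignored.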
Thanks to opportunities created by automation, organizations can achieve improved risk visibility with reduced effort, allowing greater focus on tracking critical dependencies, sound fundamentals and meeting regulatory compliance. As a result, the discipline is maturing into a powerful source of risk intelligence – both in protection of data as well as system operations.
To learn more about our third-party risk management consulting services, contact us.