Risk specialist Lee Bristow breaks down a new strategy to mitigate security threats from third parties.
If you use third parties to support your business’s core operations, they need access to essential data, intellectual property and operational capabilities for successful service delivery. This means you have an ethical and legal responsibility to protect the customer information entrusted to you.
While the attendant dangers may seem obvious, ongoing research into risk management, auditing, information management, and supply-chain risk management hasn’t managed to stem the tide of information breaches – which is just another way of saying we have a challenge, and it’s not going away. We’ll get to the possible solution in a moment, but first, let’s look at the current practices and why they aren’t working.
Third Party Risk Management (TPRM) is often considered a procurement issue. It’s not.
As organisations outsource more operations, almost all significant risk categories are affected. The result is that all businesses must rely on complex relationships with multiple third and fourth parties (like subcontractors) to deliver any service or solution.
To highlight this complexity, journalist Pierluigi Paganini detailed how one of South Africa’s largest banks, Nedbank, was impacted by a relatively small organisation that provided SMS marketing services. The provider, Computer Facilities, had a security breach that affected 1.7 million Nedbank customers. In other words, the issue was not with the bank’s Information Security capability but with the third party.
Large organisations like Nedbank have intricate, cross-department processes that often don’t support a risk-based approach. Procedures are simply too rigid and can’t cater to smaller start-ups, sole traders, and niche suppliers like Computer Facilities.
Without automation, a balanced and proportional response at scale is almost impossible. To reach a truly proportionate response, several factors must be considered, including organisational size, jurisdiction and the type of services provided, so that the right level of due diligence is applied regardless of a supplier’s size or complexity.
The Current State
TPRM started as an Information Security problem, then it became a privacy problem, and now it’s a challenge involving the entire organisation. One of the traditional approaches to TPRM involves using legal and contractual means to manage Third Party Risk, but this doesn’t address the underlying issue. Simply put, you can beat the third party with a legal stick, but if the data has already left the building, what are you achieving?
There is overwhelming statistical evidence and academic literature on this topic, highlighting that our current approaches are ineffective and impractical. Take the latest survey from Deloitte:
The Building Blocks: Ethics and Automation
Part of the solution is to see your third and fourth parties as strategic to your success. Currently, most businesses manage third party risk at a siloed level – the same Deloitte study found 65% of programmes were funded by Information Security budgets. There is not enough focus and investment in a robust TPRM programme, as the rest of the business can’t see the value yet.
There is, however, a growing trend to adopt robotic process automation (RPA) to create better efficiencies. Combining risk management and RPA ensures proper stewardship of third parties, removing several of the challenges described earlier.
The other piece of the puzzle lies in behaviour. How does the third party operate, and do they align with your company’s ethical standpoint? Usefully, organisations are already creating centres of excellence that include ethical codes of conduct for employees. When integrated into a TPRM programme, these codes can act as behaviour markers for possible and future risks – and therefore for the sustainability of a third party. Simply stated, it can tell you whether you should begin a relationship with a third party in the first place.
According to Rieger in his book, Corporate Governance and Ethics, all business activities require an ethical standard woven into the fabric of the organisation. This ethical standard should encompass TPRM and its sub-processes and tools, including automation, communication, decision-making and analysis.
Adaptation of Rieger’s ethical concepts, incorporating TPRM, RPA and analytics.
Generally speaking, pulling together the strands of risk management and ethics ensures greater transparency between parties, resulting in open and trusting relationships. We see this in our own personal relationships, where we can manage this approach with a few people in our lives. But when it comes to managing thousands of third parties and tens of thousands of people across networks, we need a structured discipline. The proposed solution combines TPRM, RPA and ethics into a single platform that creates this structure.
Bottom line: the cost of implementing the correct frameworks is far outweighed by the consequences of security breaches, fines, loss of trust and brand damage. A stronger understanding of risks based on structured analysis and ethical principles is simply good for business.
About Lee Bristow
Based in Dublin, South African-born Lee has over 20 years of experience in technology, product management, risk and compliance. Recently he’s been focusing on a new vision for risk management, making it simpler and more engaging.
Phinity integrates into your risk and compliance processes to help you decrease your risk exposure. Boost your management capability and manage your organisational risks, from identification through to remediation. Make informed decisions faster. www.phinityrisk.com