Addressing Key Pain Points to Develop a Mature Third-Party Risk Management

ISACA Journal volume 3
Author: Visveshwar Ramasubramaniam, CISA, CISM, CISSP, CCSP, and Anil Kumar Singh
Date Published: 30 April 2020

Third-party risk management is high on the boardroom’s agenda. The business ecosystem is heavily dependent on third-party relationships, and with this dependence comes a responsibility to manage risk. There is a growing need to implement robust third-party risk management frameworks or improve and update existing programs.

The third-party landscape is evolving at a rapid pace, with on-demand service providers and fourth parties playing a significant role and work being moved to enterprises’ global capability centers (another kind of third-party relationship). This supports the need for a strong third-party risk management framework.

Regulators are continuing to emphasize third-party oversight.1 Although some industries have regulatory guidance to define their approaches to third-party risk management, others are solely dependent on internal requirements driven by the enterprise’s risk framework. Regulatory-driven initiatives generally yield better results, but for those industries that lack regulatory mandates, other requirements such as the US Sarbanes-Oxley Act (SOX), the EU General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) can help improve and mature programs.

There is an inherent dichotomy when it comes to managing third parties. Business units that deal with third parties prefer seamless relationships; they want third parties to be quickly brought on board so they can start receiving services. Any risk management initiatives are seen as barriers to that relationship. Risk teams, in contrast, want to consider the risk factors in the relationship and take appropriate measures before third parties commence service delivery.

Cataloging third parties, tiering based on criticality, oversight commensurate with risk exposure, and improved reporting and governance are areas that typically require constant improvement for enterprises seeking a mature third-party risk management program.

Typical Pain Points in Today’s Third-Party Risk Management Program

Figure 1 illustrates the common pain points in a third-party risk management program.

Figure 1

Lack of a Holistic Third-Party Risk Management Program
In most cases, third-party risk management is synonymous with assessment. However, other aspects of third-party risk management include risk profiling, ensuring the use of appropriate language or requirements in contracts, and managing problems identified by assessments.

Some regulations provide directions for setting up a third-party risk management (TPRM) framework. Taking guidance from the regulations, a high-level framework can be developed, as shown in figure 2. Further, many add-ons or improvements are available that can enhance an existing third-party risk management program. These include:

  • Governance, risk management and compliance (GRC) tools—The last decade saw the emergence of GRC tools to manage risk and compliance within an enterprise. This can be extended to third-party risk management. For instance, GRC tools can be leveraged to maintain inventories of third parties, conduct assessments, track issues to closure and so forth.
  • Dashboarding and reporting—Multiple reports are required to be prepared and distributed to internal stakeholders, regulators, clients and others. Hence, it is critical to define and manage reporting parameters. Also, an analytical perspective that lists trends can be very useful.
  • Risk intelligence—Risk intelligence on third parties is readily available. It is important to obtain the risk intelligence published by various sources and act on it. This is helpful in establishing continuous monitoring.2

Figure 2

Lack of Comprehensive Third-Party Coverage
Defining “third party” is essential to the success of a program. In less mature third-party risk management programs, the scope of third parties is restricted to typical IT service providers. In some cases, the scope is extended to include business process outsourcing arrangements. Therefore, it is critical to define what constitutes a third-party arrangement. Ideally, all entities that have a contractual obligation to deliver services to the enterprise should be considered third parties.3 Some examples of third parties are IT suppliers, business partners, affiliates, subsidiary enterprises, business process outsourcing/knowledge process outsourcing (BPO/KPO) service providers, subcontractors, distributors, brokers and dealerships.

A mature third-party risk management program has processes that can constantly scan and catalog third parties throughout the enterprise. This is more easily said than done. It is not uncommon for business units to enter into contracts with or procure services directly from third parties (e.g., shadow IT), which might lead to the skipping of essential steps in risk mitigation.

Different third parties pose different risks to an enterprise, so it is critical to profile third parties based on the appropriate parameters, which include:

  • Volume of data accessed, processed or stored
  • Type of data accessed, processed or stored
  • Location from which services are provided
  • Annual spending on the third party
  • Business units or processes impacted by services provided by third party

One way of defining third parties is to classify them as mission critical, business essential or noncritical.

Limited Risk Coverage
Information and data privacy issues are top concerns when developing a third-party risk management program.4 This is not surprising, as these are obvious risk factors in any third-party arrangement. However, third-party risk management involves much more. For instance, do third parties follow a responsible supply chain? Some of the broader risk domains that should be considered include concentration risk, geopolitical risk, credit risk and strategic risk.

If a third-party risk management program is heavily focused on a handful of risk factors and ignorant of other requirements, it might not identify the actual risk a third-party arrangement poses to the enterprise.


Not all risk factors are relevant to all third-party arrangements, but it is essential to consider different risk domains across different third-party types and different phases of the program’s life cycle.

A mature third-party risk management program provides for multiple risk domains that are mapped to different third parties based on their applicability, and it determines appropriate actions to mitigate the risk.

One-Size-Fits-All Assessment Approach
Although third-party risk management is evolving at a rapid pace, the assessment of third parties is still vital. This critical component can provide a snapshot of the third party’s compliance posture.

Assessment must be efficient and commensurate with the risk exposure of the third party. Less mature third-party risk management programs use a single questionnaire or set of controls to assess all third parties. Such an approach is ineffective.

A mature third-party risk management program has a healthy mix of remote and on-site assessments and relies on service auditor reports (SARs) conducted at specified frequencies and covering relevant areas. The assessment program should define three parameters: frequency, mode and scope (figure 3).

Figure 3

Frequency
Third parties require assessment at different intervals. It might make sense to assess mission-critical third parties every year and noncritical third parties every two years. A mature third-party risk management program should also provide for ad hoc assessments in response to data breaches or any global threat.


Mode
It is also important to define the method of conducting the assessment. Common methods include:

  • SAR review—Technically, this cannot be considered a mode of assessment; however, under certain third-party arrangements, the third party might be required to provide only attestation reports for the enterprise’s consumption. It is, therefore, essential to understand what is available in these reports and how they line up with control requirements. It may be difficult to follow up on any identified problems, but it is important to ensure that they are addressed (see the later discussion of issue management).
  • Self-assessment—This is the easiest method and requires little interaction. Typically, a questionnaire is sent to the third party to complete, and no additional clarifications are requested. Although this is easy to accomplish, it lacks comprehensiveness and relies completely on the third party’s responses.
  • Remote assessment—This mode is slightly more comprehensive than self-assessment. Enterprises conduct remote interviews and discussions and ascertain responses by the third party. This mode is especially effective when third parties are located around the globe, and it helps reduce costs. The downside is that multiple remote discussions might be required, extending the assessment schedule.
  • On-site assessment—This is the most comprehensive assessment mode. Dedicated assessors visit third-party sites and conduct the assessment within a defined period. Although this method provides a high level of confidence in the assessment, it is costly.

All the preceding are viable options, as long as the assessments are well planned and executed. Some enterprises create two- or three-year assessment calendars, with adequate buffers for any ad hoc assessment requests.

Most important, all third-party contracts should include “right to audit (or) inspect” clauses. Third parties should be actively involved in the planning phase, and appropriate agreements should cover scope, logistics, evidence sharing and follow-up.

Scope
The most important element of an assessment is its scope. As discussed earlier, the risk assessment allows an enterprise to determine the various risk factors to which it is exposed through the third-party arrangement. So, it is essential to base the scope of the assessment on the characteristics of the third-party arrangement. One way to achieve this is to develop a baseline set of controls for assessment and then add other controls as needed.
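The profiling parameters listed earlier and the frequency, mode and scope parameters described in this section can be turned into a small tiering and assessment-calendar routine. The following is an added example, not code from the article; the scoring thresholds, the tier cut-offs, the business essential frequency and the tier-to-mode mapping are assumptions, while the yearly (mission critical) and two-yearly (noncritical) intervals and the fourth-party rule follow the text.

```python
from dataclasses import dataclass, field
# Ordinal scale for the "type of data" parameter (constructed for this example).
DATA_TYPE_SCORE = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
# Assessment frequency (years) and mode per tier. Yearly for mission critical and
# every two years for noncritical follow the article; the business essential row
# and the tier-to-mode mapping are assumptions made for this example.
TIER_PLAN = {
    "mission critical": (1, "on-site assessment"),
    "business essential": (1, "remote assessment"),
    "noncritical": (2, "self-assessment"),
}

@dataclass
class ThirdParty:
    name: str
    data_volume_records: int   # volume of data accessed, processed or stored
    data_type: str             # type of data (a key of DATA_TYPE_SCORE)
    service_locations: list    # countries services are provided from
    annual_spend_usd: float    # annual spending on the third party
    critical_processes: list   # business processes impacted by the service
    fourth_parties_with_data: list = field(default_factory=list)  # subcontractors holding enterprise data

def _band(value, thresholds):
    """Map a number onto 0-3 by counting the ascending thresholds it reaches (thresholds assumed)."""
    return sum(value >= t for t in thresholds)

def risk_score(tp: ThirdParty) -> int:
    """Score the five profiling parameters 0-3 each and sum them (0-15)."""
    return (_band(tp.data_volume_records, (1, 10_000, 1_000_000))
            + DATA_TYPE_SCORE.get(tp.data_type, 3)           # unknown classification scored worst case
            + min(3, max(0, len(tp.service_locations) - 1))  # each extra jurisdiction adds exposure
            + _band(tp.annual_spend_usd, (50_000, 500_000, 5_000_000))
            + min(3, len(tp.critical_processes)))

def tier(tp: ThirdParty) -> str:
    """Classify as mission critical, business essential or noncritical (cut-offs assumed)."""
    s = risk_score(tp)
    return "mission critical" if s >= 10 else "business essential" if s >= 5 else "noncritical"

def assessment_plan(tp: ThirdParty, start_year: int, horizon_years: int = 3, breach_reported: bool = False) -> dict:
    """Build the calendar entry: tier, mode, scheduled years, ad hoc trigger and fourth parties to assess."""
    t = tier(tp)
    every, mode = TIER_PLAN[t]
    # Fourth parties holding confidential or regulated data need an independent assessment.
    sensitive = DATA_TYPE_SCORE.get(tp.data_type, 3) >= 2
    return {"tier": t, "mode": mode,
            "years": [start_year + y for y in range(0, horizon_years, every)],
            "ad_hoc_now": breach_reported,   # a breach or global threat triggers an out-of-cycle assessment
            "fourth_parties_to_assess": list(tp.fourth_parties_with_data) if sensitive else []}

# Constructed sample third parties.
PAYROLL_BPO = ThirdParty("Payroll BPO", 250_000, "regulated", ["IN", "PH"], 1_200_000, ["payroll", "hr-records"], ["CloudHost Ltd"])
TICKETING_SAAS = ThirdParty("Ticketing SaaS", 20_000, "internal", ["US"], 100_000, ["it-support"])
CATERER = ThirdParty("Office Caterer", 0, "public", ["US"], 30_000, [])
```

Calling `assessment_plan(PAYROLL_BPO, 2020)` places the payroll provider in the mission critical tier with yearly on-site assessments and lists its subcontractor for independent review, whereas the caterer lands in the noncritical tier on a two-year self-assessment cycle.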

Issue Management Lacks Focus
When problematic issues are identified by risk assessments, it can be a challenge to manage them. Some key challenges related to issue management include:

  • Lack of defined ownership of identified issues
  • No defined timelines for managing issues
  • Lack of support from third parties for remediating identified issues

Figure 4

It is important to have a defined process that clearly identifies roles and responsibilities for managing identified issues (figure 4). It is also important to recognize that the issue management process is not the sole responsibility of the third-party risk management team. It is a collaborative effort that includes multiple stakeholders such as business units, senior management, suppliers and the like.

Third-Party Risk Management Stops With the Third Party
Risk management goes beyond third parties. Fourth (or nth) parties provide services to support the operations of third parties, which, in turn, provide services to the primary enterprise. Therefore, these fourth parties may be directly involved with the services delivered to the primary enterprise, exposing it to various risk factors.

Fourth parties or subcontractors may also have access to data owned by the primary enterprise, and any risk to these data while held by the fourth party remains the responsibility of the primary enterprise, from the perspective of both regulators and customers. Thus, the significance of fourth parties and the risk associated with them should be addressed by enterprises and regulators.

Interestingly, most enterprises overlook the risk associated with fourth parties because they rely on their contractual arrangements with third parties to manage fourth parties. Their primary focus continues to be oversight and monitoring of third parties.

Regulators, however, emphasize fourth-party management, encouraging primary enterprises to establish inventories of fourth parties and independently assess them, especially when the fourth party accesses, stores, processes, or hosts confidential or sensitive data.5, 6

A mature third-party risk management program should include provisions related to the fourth-party relationship commensurate with the fourth party’s level of involvement.


Different Regulators Have Different Needs
Globally, there are many regulatory requirements related to outsourcing or third parties. Enterprises operating in multiple geographic locations must comply with multiple regulations. This can be a daunting task, and the consequences of failing to comply can be significant.

It might make sense to identify the common requirements and build an all-inclusive framework. In fact, it is fairly easy to extract the common trends in regulations, as they tend to follow a similar pattern. Regulatory requirements can be broadly divided into two types:

  1. Framework requirements—Regulations mandate that certain components be included in the overall third-party risk management framework. These requirements tend to cover the full life cycle of the third-party arrangement from sourcing to termination.
  2. Risk requirements—Regulations require that certain risk factors be addressed. For example, the US Federal Reserve requires a financial institution to focus on compliance, concentration and reputational risk when entering into and managing a third-party arrangement.

A mature third-party risk management program identifies and includes the set of common requirements contained in multiple regulations, and it keeps a constant watch for any new regulations that might be applicable.

Conclusion

A balanced and risk-driven approach to third-party risk management that continuously monitors and adjusts to the changing risk posture is vital today. Enterprises should focus on identifying loopholes in their current programs and improving their maturity.

Recent exposure incidents reiterate the need for a holistic third-party risk management framework and continuous improvements to ensure mature third-party risk management programs.

The following recommendations can greatly help improve the overall maturity of a third-party risk management program:

  • Having a holistic third-party risk management program covering the entire third-party relationship life cycle
  • Extending the third-party coverage to include various types of third parties
  • Extending the risk domains to cover different types of risk that a third-party arrangement can bring to the enterprise
  • Working on the assessment approach and tweaking it to make it commensurate to the risk a third-party arrangement brings to the table
  • Ensuring all identified issues are taken to their logical conclusion
  • Including fourth parties in the third-party risk management program
  • Considering all common requirements from different regulations while developing the overall third-party risk management framework

Endnotes

1 Venminder, “State of Third Party Risk Management 2019,” www.venminder.com
2 Aravo, “The Growing Need to Infuse Third-Party Risk Intelligence Into Your TPRM Program,” 5 June 2019, http://www.aravo.com/blog/the-growing-need-to-infuse-third-party-risk-intelligence-into-your-tprm-program/
3 Board of Governors of the Federal Reserve, “Guidelines on Outsourcing Risk Management,” USA, 5 December 2013, http://www.federalreserve.gov/supervisionreg/srletters/sr1319a1.pdf
4 Pymnts, “Third-Party Data Breaches Rise to 61 Pct in US,” 15 November 2018, http://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/
5 Monetary Authority of Singapore (MAS), “Risk Management/Outsourcing Guidelines,” 5 October 2018, http://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Outsourcing-Guidelines_Jul-2016-revised-on-5-Oct-2018.pdf
6 Op cit Board of Governors of the Federal Reserve

Visveshwar Ramasubramaniam, CISA, CISM, CISSP, CCSP
Is an information security professional with more than 12 years of experience in information security, information assurance and third-party risk management. He has worked on multiple projects related to developing third-party risk management programs and has conducted third-party assessments for organizations across the banking, financial services and insurance; technology; and oil and gas industries.

Anil Kumar Singh
Is an information security professional with more than seven years of experience in information security, data privacy and third-party risk management. He has predominantly worked for healthcare, IT, banking and insurance organizations. He has been involved in developing, establishing and streamlining privacy and third-party risk management frameworks for various organizations.