According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher at 61 percent. Also noted that many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach cost.
We covered the Major Breaches and Bankruptcy in Part I of the blog. In part II is about the Drivers of Risk Management, Alignment, and Governance. The series will cover the following topics at a high level to provide sufficient knowledge for professionals to design the program that commensurates with the size, nature, and objectives of the organization. It explores the topics below:
- Drivers of Risk Management
- Alignment and Governance
- Categorizing Vendors
- Analyzing Vendor Risks
- Monitoring Vendor Risks: The Vendor Management Organization
- Communicating Vendor Risks
- Optimization and Standards
Many organizations are not aware but intellectual property (IP) breaches can be a recipe for bankruptcy.
Drivers of Risk Management
What are Third Parties?
Third Parties is the broadest and most inclusive term that includes parties not controlled by either the company (First Party) or its customers (Second Party), and Third Party intermediaries (TPIs). Third Parties are effectively the external parties with which a company interacts – Suppliers, Vendors, Licensees, BPOs, Agents, etc. TPIs include business partners, distributors, agents, consultants, vendors, dealers, customers, logistics providers, and others
Drivers of Third-Party Risk Management
The common concerns in Third Party risk management are:
- How do you identify the full third-party population?
- How do you identify what services those third parties provide?
- How should affiliate relationships be assessed and managed in the same way as external third parties?
- Are any risks not relevant/heighted in an affiliate?
- How do you identify subcontractor relationships?
- Do you approve the terms of subcontractor engagement?
- How do you define ‘critical’?
- How do you identify critical services/third parties?
- What involvement should internal audit have in framework design?
- Should internal audit teams undertake third-party inspections?
What is Third-Party Risk Management?
Third-party Risk Management (TPRM) is the process of analyzing and controlling/managing risks associated with outsourcing to third-party vendors or service providers. The goal of any third-party risk management program is to reduce the likelihood of data breaches, meet regulatory requirements, vendor bankruptcy and to avoid operational failures.
Why perform Third Party risk assessment?
- Organizations in regulated industries continue to rely on the extended third parties to perform mission-critical services, which in turn, can increase business exposures.
- With heightened and reinforced regulatory expectations in third party management, it is imperative to have capabilities at hand to continuously monitor and manage third party risk and performance.
- Management must understand the high risk their organization is exposed to from cybersecurity attacks and data breaches from their organization and their third and fourth-party service providers.
- Legal and regulatory requirements should also be understood. Such as compliance with bribery regulations, awareness of global industry standards as they apply to third-parties, as well as environmental and health and safety compliance.
- Organizations can outsource the process, not the responsibility.
- In the United States, the Office of the Comptroller of the Currency (OCC) wrote in its risk management guidance: “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
Part III of the series will cover the vendor categorization, alignment, and governance. •