Managing Third-Party Risk: Strategies and Tools

A Guide to the Strategies and Digital Tools Needed to Manage Third-Party Risk

Coming out of the pandemic, business leaders have finally gotten the memo. Third-party risk is a huge issue, with companies becoming increasingly reliant on third-party vendors even for critical functions; or, as Deloitte puts it, “many companies even outsource core functions^”i.

This is particularly the case when it comes to dependence on cloud service providers (CSPs). As of 2022, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence of CSPsii. Already staggering in itself, the figure is set to jump all the way to 88 per cent in the years to come.

Regulatory pressure to mitigate third-party risk

As a result, regulators have stepped in. Under the banner of operational resilience compliance, banking regulators, in particular, have put forth specific compliance requirements for firms who have “outsourced” material business activities to third parties. 

The European Union, for its part, has gone even further, passing the Digital Operational Resilience Act (DORA), which compels entities operating in its vast jurisdiction to establish third-party risk management (TPRM) measures to mitigate ICT (information and communications technology) risk. 

What then can companies do to mitigate third-party risk and ensure compliance? This guide will lay out the strategies and digital tools companies need to manage risk across their third-party ecosystem.

The third-party risk management lifecycle

The first place to start when looking to managing third-party risk is to the third-party risk management lifecycle when onboarding critical third parties.

The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.

So, what’s the third-party risk management lifecycle consist of?

Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycleⁱⁱⁱ is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.

The process itself consists of the following stages:

• Identification of whether you need to employ a third party
• Conducting due diligence
• Shortlisting and selection of a third party
• Sending out a risk questionnaire
• Contract drafting
• Commencement of the onboarding process
• Ongoing monitoring
• Undertaking of internal audits
• Contract termination or offboarding

Far from being undertaken in a silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem, with the benefit of such an approach being the following^iv:

• Following a more intelligent risk-based approach better aligned with enterprise strategy
• Better training of staff and executive champions in aligning service delivery with strategic objectives
• Development of standardized processes and proactive decision making via the use of data and analytics
• Creation of fully customized, value-added tools that support decision making

Leading practices in third-party risk governance

Such are the benefits of third-party governance. But what should the program itself look like?

Like with risk management more broadly, third-party risk governance will be highly site-specific. Of course, analysts^v have provided some generic leading practices that all organizations with significant third-party risk exposure should consider following. 

Here are examples of leading practices in third-party risk governance:

• Define objectives and scope. To build a successful TPRM program, organizations should consider anchoring their operational resilience and third-party risk management plans to an existing framework, be it DORA, APRA, or the UK Operational Resilience Framework (More later). 

Why? These frameworks already set criteria and expectations for third-party dependency management and business continuity planning and testing. Organizations, therefore, do not have to reinvent the wheel to perform an impact assessment and gap analysis against currently proposed drafts.

• Fully understand, document, and maintain your third-party inventory.
• Develop policies and procedures. Lack of coordination between internal stakeholders is often cited as the biggest challenge for organizations undertaking third-party risk management.
• Enhance ongoing monitoring. Initial due diligence is only a floor. Organizations will need more robust ongoing monitoring of third parties to enable more dynamic risk reporting.
• Establish a governance structure. Regardless of ownership, the program will require input from multiple functions and teams, making well-defined governance crucial. For global entities, it’s, therefore, recommended to have a consistent global policy with local addenda for sub-entities.
• Implement technology and automation. Programs that integrate digital third-party risk management functionality into the supplier lifecycle and embed automated cross-functional workflows, e.g., procurement, cyber risk, resiliency, are more effective in managing third-party risk and reporting to senior leadership.

Third-party risk management: compliance requirements

As noted, building a successful third-party risk management program often entails aligning plans to an existing regulatory framework. 

This best practice makes sense. After all, the regulatory interventions themselves are the result of increased risk (to financial markets) posed by the sharp rise in third-party risk.

As a result, regulations, even for organizations outside of the industries in question, are a good place to turn to when beginning to build out TPRM programs. 

On this score, what do the statutes say? Released in 2016, APRA Prudential Standard CPS 231, which deals with outsourcing, requires that all outsourcing arrangements involving material business activities be subject to appropriate due diligence, approval, and monitoring. 

Drilling down a bit, some specific CPS 231 requirements include:

• Maintain a policy, approved by the Board, relating to outsourcing of material business activities
• Have sufficient monitoring processes in place to manage the outsourcing of material business activities
• For all outsourcing of material business activities with third parties, have a legally binding agreement in place, unless otherwise agreed by APRA
• Consult with the regulator prior to entering into agreements to outsource material business activities to service providers that conduct their activities abroad
• Notify APRA after entering into agreements to outsource material business activities

The standard also imposes timely notification requirements on regulated entities should they get into outsourcing arrangements involving material business activity. And when they do, entities must also provide a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address these risks. 

In many respects, the bulk of CPS 231’s requirements simply serve to extend risk management best practices to the realm of outsourcing. And so, all organizations, even those not under APRA’s remit or in the financial services sector at all, could benefit from adopting the following best practices:

• Identify, assess, manage, mitigate, and report on risks associated with outsourcing to meet the institution’s financial and service obligations to its stakeholders
• Have procedures to ensure that all the institution’s relevant business units are made aware of, and have processes and controls for monitoring compliance with, the outsourcing policy
• Rest ultimate responsibility on the Board for oversight of any outsourcing of a material business activity. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the entity remains responsible for complying with all requirements that relate to the outsourced business activity
• Give the Board responsibility to ensure that outsourcing risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration

A closer look at third-party ICT risk

Third-party risk comes in all shapes and sizes. Chief among threat vectors, though, is ICT risk, as companies becoming increasingly dependent on CSPs. In fact, ICT risk has become so disproportionate that policy makers tend to give it special attention. 

This is the case with the EU’s DORA legislation, which focuses on digital operational resilience and therefore includes a subsection on third-party ICT risk.

The Act itself is too lengthy to treat in this guide. However, here are a few requirements that might form the basis of a best-practice, third-party ICT risk management program:

• Entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
  1. The nature, scale, complexity, and importance of ICT-related dependencies
  2. The risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level
• Adopt and regularly review a strategy on ICT third-party risk, as part of the entity’s ICT risk management framework, taking into account the multi-vendor strategy. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
• Entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.

Digital technology to help manage the third-party risk management lifecycle

From best practices to compliance, there’s a lot to consider when trying to get on top of third-party risk. But as mentioned, the soundest place to begin is with the TPRM lifecycle. 

Fortunately, firms don’t need to approach the TPRM lifecycle with the same manual processes and methodologies as they might have once used for the risk management lifecycle.

Why’s that? That’s because advances in digital technology have led to platforms purpose-built to streamline activities throughout the third-party lifecycle. Using automated workflows to invite vendors and gather due diligence information using questionnaires and documents, these technologies serve to simplify the onboarding process for third parties. And once onboarded, service details, contracts, and risk assessments are set up in collaboration with vendors to ensure alignment between parties.

What other capabilities should you be looking for? Consider the following:

Integrate third parties into your resilience initiatives

Digital technology should incorporate third-party risk management into your wider resilience workspace to align third parties with your resilience initiatives – from anticipating disruptions using risk intelligence, improving preparedness with risk assessments and dependency mapping, through to collaborating during incident response.

Automate ongoing monitoring and follow-up activities

Digital technology should support monitoring of third parties on an ongoing basis to ensure you have the right data to improve the resilience of the third-party ecosystem, with automated document and questionnaire updates, third-party status updates, risk assessment and action monitoring, plus risk intelligence to stay ahead of emerging threats.

Identify and share insights to improve resilience

Digital technology should enable you to leverage the data collected from your ecosystem and visualize it using configurable analytics to identify top issues and opportunities for improvement. Insights should also be able to be shared with internal stakeholders or externally with regulators as required, to satisfy obligations in customizable, printable reports.

Further capabilities to consider:

Vendor onboarding

Empower vendors to participate in resilience initiatives through their own workspace, resulting in less manual work following up with vendors and better quality data to enable your team to identify the top opportunities to improve resilience.

Vendor services

Understand the dependencies that exist in your organization by capturing the services each vendor provides and relating these to contracts, 4th parties, risk assessments, corrective actions, and incidents, to provide a full picture of the dependencies that exist in your organization.

Risk management

Proactively identify and assess risks at a service level, identify and implement controls, and monitor on an ongoing basis to manage vendor risks as part of your wider risk management program.

Action management

Assign actions to vendors to complete in their workspace to ensure actions are delivered on time and at the standard expected, leveraging automated reminders to ensure actions aren’t missed.

Due diligence

Streamline due diligence using questionnaires and send these to vendors to complete or request documents including insurances and certifications, then set these on a recurring refresh cycle to ensure vendors have adequate controls in place to deliver services on an ongoing basis.

Contract management

Manage vendor service contract details to ensure they are aligned with the resilience needs of your organization, then monitor performance to ensure vendor service levels are maintained over the lifetime of the contract, and take action if obligations are not upheld.

Risk intelligence

Proactively detect emerging threats to vendors using threat intelligence capabilities so that you can anticipate potential disruptions, improve preparedness, and respond effectively when threats escalate into incidents that have the potential to cause disruption.

Analytics and reporting

Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, and maps in real-time. Create custom reports as PDF or Word documents and share with stakeholders to empower informed decision-making and strengthen resilience.

Finally, third-party risk is exploding. Addressing this new risk environment, as this guide has argued, will take robust third-party risk management measures. 

Beyond these procedures, however, organizations should also seek out third-party risk management software to manage risk across their entire third-party ecosystem. 

These solutions, such as Noggin, seamlessly collaborate with third parties in a unified workspace dedicated to enhancing resilience. From onboarding and due diligence to risk monitoring, contract, and action management, these platforms equip teams to pinpoint and address the top issues across the vendor ecosystem. 

Sources

i. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.

ii. Ibid. 

iii. Lexis Nexis: Defining Third Party Risk Management. Available at https://internationalsales.lexisnexis.com/glossary/compliance/third-party-riskmanagement.

iv. Ibid.

v. Michael Giarrusso et al., EY: 2023 EY Global Third-Party Risk Management Survey. Available at https://www.ey.com/en_gl/risk/2023-ey-global-thirdparty-risk-management-survey.