Coming out of the pandemic, business leaders have finally gotten the memo. Third-party risk is a huge issue, with companies becoming increasingly reliant on third-party vendors even for critical functions; or, as Deloitte puts it, “many companies even outsource core functions” [i].
This is particularly the case when it comes to dependence on cloud service providers (CSPs). As of 2022, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence on CSPs [ii]. Already staggering in itself, the figure is set to jump all the way to 88 per cent in the years to come.
As a result, regulators have stepped in. Under the banner of operational resilience compliance, banking regulators, in particular, have put forth specific compliance requirements for firms that have “outsourced” material business activities to third parties.
The European Union, for its part, has gone even further, passing the Digital Operational Resilience Act (DORA), which compels entities operating in its vast jurisdiction to establish third-party risk management (TPRM) measures to mitigate ICT (information and communications technology) risk.
What then can companies do to mitigate third-party risk and ensure compliance? This guide will lay out the strategies and digital tools companies need to manage risk across their third-party ecosystem.
The first place to start when looking to manage third-party risk is the third-party risk management lifecycle, applied when onboarding critical third parties.
The purpose of the TPRM lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.
So, what does the third-party risk management lifecycle consist of?
Like the risk management lifecycle from which it’s derived, the third-party risk management lifecycle [iii] is an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.
The process itself consists of the following stages:
Far from being undertaken in a silo, though, the third-party risk management lifecycle should fit within the context of a broader TPRM program. The purpose of that program will be to provide better governance over a company’s third-party ecosystem, with the benefits of such an approach being the following [iv]:
Such are the benefits of third-party governance. But what should the program itself look like?
As with risk management more broadly, third-party risk governance will be highly site-specific. Even so, analysts [v] have provided some generic leading practices that all organizations with significant third-party risk exposure should consider following.
Here are examples of leading practices in third-party risk governance:
Why? These frameworks already set criteria and expectations for third-party dependency management and business continuity planning and testing. Organizations, therefore, do not have to reinvent the wheel to perform an impact assessment and gap analysis against currently proposed drafts.
As noted, building a successful third-party risk management program often entails aligning plans to an existing regulatory framework.
This best practice makes sense. After all, the regulatory interventions themselves are the result of increased risk (to financial markets) posed by the sharp rise in third-party risk.
As a result, regulations, even for organizations outside of the industries in question, are a good place to turn to when beginning to build out TPRM programs.
On this score, what do the statutes say? Released in 2016, APRA Prudential Standard CPS 231, which deals with outsourcing, requires that all outsourcing arrangements involving material business activities be subject to appropriate due diligence, approval, and monitoring.
Drilling down a bit, some specific CPS 231 requirements include:
The standard also imposes timely notification requirements on regulated entities should they enter into outsourcing arrangements involving material business activities. When they do, entities must also provide a summary of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address those risks.
In many respects, the bulk of CPS 231’s requirements simply serve to extend risk management best practices to the realm of outsourcing. And so, all organizations, even those not under APRA’s remit or in the financial services sector at all, could benefit from adopting the following best practices:
Third-party risk comes in all shapes and sizes. Chief among threat vectors, though, is ICT risk, as companies become increasingly dependent on CSPs. In fact, ICT risk has become so disproportionate that policy makers tend to give it special attention.
This is the case with the EU’s DORA legislation, which focuses on digital operational resilience and therefore includes a subsection on third-party ICT risk.
The Act itself is too lengthy to treat in this guide. However, here are a few requirements that might form the basis of a best-practice, third-party ICT risk management program:
From best practices to compliance, there’s a lot to consider when trying to get on top of third-party risk. But as mentioned, the soundest place to begin is with the TPRM lifecycle.
Fortunately, firms don’t need to approach the TPRM lifecycle with the same manual processes and methodologies as they might have once used for the risk management lifecycle.
Why’s that? Advances in digital technology have led to platforms purpose-built to streamline activities throughout the third-party lifecycle. Using automated workflows to invite vendors and gather due diligence information via questionnaires and documents, these technologies simplify the onboarding process for third parties. And once a vendor is onboarded, service details, contracts, and risk assessments are set up in collaboration with the vendor to ensure alignment between the parties.
What other capabilities should you be looking for? Consider the following:
Digital technology should incorporate third-party risk management into your wider resilience workspace to align third parties with your resilience initiatives – from anticipating disruptions using risk intelligence, improving preparedness with risk assessments and dependency mapping, through to collaborating during incident response.
Digital technology should support monitoring of third parties on an ongoing basis to ensure you have the right data to improve the resilience of the third-party ecosystem, with automated document and questionnaire updates, third-party status updates, risk assessment and action monitoring, plus risk intelligence to stay ahead of emerging threats.
Digital technology should enable you to leverage the data collected from your ecosystem and visualize it using configurable analytics to identify top issues and opportunities for improvement. Insights should also be able to be shared with internal stakeholders or externally with regulators as required, to satisfy obligations in customizable, printable reports.
Further capabilities to consider:
Empower vendors to participate in resilience initiatives through their own workspace, resulting in less manual work following up with vendors and better quality data to enable your team to identify the top opportunities to improve resilience.
Understand the dependencies that exist in your organization by capturing the services each vendor provides and relating these to contracts, 4th parties, risk assessments, corrective actions, and incidents, giving you a full picture of those dependencies.
Proactively identify and assess risks at a service level, identify and implement controls, and monitor on an ongoing basis to manage vendor risks as part of your wider risk management program.
Assign actions to vendors to complete in their workspace to ensure actions are delivered on time and at the standard expected, leveraging automated reminders to ensure actions aren’t missed.
Streamline due diligence using questionnaires and send these to vendors to complete or request documents including insurances and certifications, then set these on a recurring refresh cycle to ensure vendors have adequate controls in place to deliver services on an ongoing basis.
Manage vendor service contract details to ensure they are aligned with the resilience needs of your organization, then monitor performance to ensure vendor service levels are maintained over the lifetime of the contract, and take action if obligations are not upheld.
Proactively detect emerging threats to vendors using threat intelligence capabilities so that you can anticipate potential disruptions, improve preparedness, and respond effectively when threats escalate into incidents that have the potential to cause disruption.
Consolidate data to gain valuable insights and visualize it in real time through interactive dashboards, charts, and maps. Create custom reports as PDF or Word documents and share them with stakeholders to empower informed decision-making and strengthen resilience.
Finally, third-party risk is exploding. Addressing this new risk environment, as this guide has argued, will take robust third-party risk management measures.
Beyond these procedures, however, organizations should also seek out third-party risk management software to manage risk across their entire third-party ecosystem.
These solutions, such as Noggin, enable teams to collaborate seamlessly with third parties in a unified workspace dedicated to enhancing resilience. From onboarding and due diligence to risk monitoring, contract, and action management, these platforms equip teams to pinpoint and address the top issues across the vendor ecosystem.
i. Deloitte: Third-party risk is becoming a first priority challenge. Available at https://www2.deloitte.com/ca/en/pages/risk/articles/reduce-your-thirdparty-risk.html.
iii. Lexis Nexis: Defining Third Party Risk Management. Available at https://internationalsales.lexisnexis.com/glossary/compliance/third-party-riskmanagement.
v. Michael Giarrusso et al., EY: 2023 EY Global Third-Party Risk Management Survey. Available at https://www.ey.com/en_gl/risk/2023-ey-global-thirdparty-risk-management-survey.
Published: 5 December 2023