Third-party risk management: Time for an overhaul?

There is an interesting risk trend that recently caught my eye – in the past six months, CFOs, Auditors, Procurement and Supply Chain execs have all rated ‘third party risk’ as their key focus area. Looks like this is the first time in several years that third-party risk (and risk management) have risen to a Top 5 issue for Boards. Each of these executives have slightly different reasons for focusing on third-parties – but the underlying theme is increased concern over supplier solvency and its corollary implications for product quality, supply chain disruptions, focus on safety and regulatory compliance.

CISOs have been ahead of the curve in signaling the importance of effective third-party risk management – primarily driven by concern over sensitive information that a third-party might have access to. Most security organizations have made great strides in developing good third-party programs as well. However, if you look at third-party risk management writ large, most companies have a silo-ed approach, where not surprisingly the silos don’t interact from a risk standpoint. We have CISOs looking at risk of data breaches originated by third-parties, Legal and Vendor Management look at contractual risks and potentially solvency risks and Supply Chain folks worry about continuity/disruption risks. Very few organizations, if any, can summon up an overall risk picture of a third-party to make portfolio-level decisions.

There are three potential implications for CISOs:
– very tactically, this is an opportunity to establish closer coordination and exchange of information among the different groups. The data you gather might help CISOs prioritize third-parties better or watch out for signals that would otherwise be ignored.
– this could be an opportunity for CISOs to take on third-party risk management activities that go beyond its traditional scope. For instance, how difficult would it be to incorporate indicators of financial viability/solvency into the current assessment framework? We already see some organizations going down this route. Not only would this win friends for the CISO, but it would help make a case for more resources for third-party risk management – something CISOs have been clamoring for for years
– finally, there is the potential to develop a unified framework and centralized ownership of third-party management (with risk management being part of it): think of it as a group with experts in multiple disciplines with responsibility to assessing all kinds of risks related to the company’s supplier/partner base. While the CISO might relinquish a key area of responsibility, maybe they can sleep better knowing the risk is being taken care of by capable hands. The real difficulty in implementing such a model lies in figuring out ownership and decision rights – given agency conflicts and silo-ed view points. There is also the real question of competency to be able to assess several different risk areas.

Whatever the medium- or long-term scenario be, it would be wise for CISOs to adapt their frameworks to take notice of higher-order supplier risk issues or atleast proactively start sharing information with their peers. However, we don’t see any third-party frameworks  going down this path and broadening the scope of a traditional security assessment of third-parties. Prudent approach or lost opportunity?

Explore posts in the same categories: Uncategorized

Tags: ,

You can comment below, or link to this permanent URL from your own site.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: