Are You a Third Party Risk Management Leader?

Benchmark your third party risk management framework against the practices of industry leaders.

Third parties are an organization’s fastest growing cyber risk. To safeguard business health and catalyze growth, companies need to better resource their third party risk management programs.

How can you know if your company is doing enough? A landmark study from RiskRecon, the Third-Party Security Risk Management Playbook, revealed the real-world risk management capabilities of leading enterprises, providing a benchmark for others to measure their own practices against.

We had the privilege of speaking with Kelly White, CEO and Co-founder of RiskRecon, about the Playbook in an Opus expert webinar. Here, we recap the main points of discussion.

Key Elements of a Third Party Risk Management Framework

The Third-Party Security Risk Management Playbook aggregated the real-world third party management capabilities and processes employed by enterprises across industries.

From its results, RiskRecon identified three core pieces of a third party risk management framework:

  • Program Management
  • Risk Assessment
  • Monitoring and Response


Third Party Playbook Structure

Within each of these areas, RiskRecon identified common practices that 50% or more of companies complete. Companies that are stepping up their game go beyond these standard strategies to engage in emerging and pioneering practices.

Common Risk Management Practices

Does your company have policies and standards in place for third party risk tracking and discovery? Do you involve legal and procurement? Do you have set procedures for assessing risk and an action plan to address it? Governance practices are the baseline of third party risk management, and most companies have them under control.

Emerging Risk Management Practices

Emerging practices include training and awareness, intelligently managing risk resources and continuous surface risk assessment. Companies at this stage use open source intelligence data and providers to assess their vendors and are adept at managing analysts and their work.

Pioneering Risk Management Practices

Companies that have taken the leap to ongoing monitoring and response are third party risk management pioneers. Fewer than 25% of companies conduct real-time monitoring beyond gathering information at an annual assessment. Continuous monitoring lets companies address vendor-related exposure on a day-to-day basis rather than once a year.

Say a hurricane is moving in. Do you know what third parties are in its path that could suffer an interruption in operations from the storm? Geolocation awareness is one aspect of continuous assessment that lets companies get ahead of risky scenarios.

Pioneering companies also have insight into their fourth party risk. Who are your third parties outsourcing work to or sharing information with? Which hosting providers do your third parties use? Fourth parties are as susceptible to risk as any company, and though a few steps removed, their troubles propagate back up the chain to you.

Surprisingly, 50% of organizations in the study did not have a centralized database where they could track vendor risk. Clearly, there is much room for growth in the third party risk management realm.
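The three pioneering practices above (a centralized vendor register, geolocation awareness for events such as a storm, and visibility into fourth parties) can be illustrated with a small inventory model. The example below is added here and is not RiskRecon's or Opus's tooling; the vendor names, coordinates, tiers and hosting providers are constructed, and the storm-track point and radius are hypothetical inputs.

```python
"""Minimal centralized vendor register with geolocation and fourth-party queries.

Added illustration: every vendor, coordinate and provider below is constructed,
not taken from the Playbook or from any real organization.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Vendor:
    name: str
    lat: float                 # recorded operating site, decimal degrees
    lon: float
    tier: str                  # "critical" / "important" / "low"
    fourth_parties: tuple = () # providers this vendor itself depends on


# Constructed sample register (hypothetical vendors; coordinates are rough
# city-center values for Miami, Jacksonville, Seattle and Orlando).
REGISTER = (
    Vendor("Acme Payroll", 25.77, -80.19, "critical", ("HostCo", "CloudBox")),
    Vendor("Bolt Logistics", 30.33, -81.66, "important", ("HostCo",)),
    Vendor("Cedar Analytics", 47.61, -122.33, "low", ("CloudBox",)),
    Vendor("Delta Print", 28.54, -81.38, "low", ()),
)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on a spherical Earth."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def vendors_within(register, lat, lon, radius_km):
    """Vendors whose recorded site lies within radius_km of a point, e.g. a
    forecast storm-track position. Returns names sorted for stable output."""
    return sorted(
        v.name for v in register
        if haversine_km(v.lat, v.lon, lat, lon) <= radius_km
    )


def fourth_party_exposure(register):
    """Invert the register: for each fourth party, which vendors (and at what
    tier) depend on it, so a provider outage can be traced back to your own
    third parties."""
    exposure = {}
    for v in register:
        for provider in v.fourth_parties:
            exposure.setdefault(provider, []).append((v.name, v.tier))
    return {provider: sorted(deps) for provider, deps in exposure.items()}


def concentration_risk(register, threshold=2):
    """Fourth parties shared by at least `threshold` vendors: a single point of
    failure that the per-vendor view never reveals."""
    return sorted(
        provider for provider, deps in fourth_party_exposure(register).items()
        if len(deps) >= threshold
    )


if __name__ == "__main__":
    # Hypothetical storm-track point near Orlando with a 400 km impact radius.
    print("In storm path:", vendors_within(REGISTER, 28.54, -81.38, 400))
    print("Fourth-party exposure:", fourth_party_exposure(REGISTER))
    print("Shared providers:", concentration_risk(REGISTER))
```

The point of the inverted view is that a vendor-by-vendor questionnaire never surfaces that two unrelated critical suppliers sit on the same hosting provider; the register has to be queried across vendors, and that requires the centralized data the study found half of organizations lack.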

Why Companies Should Strive to Be Third Party Risk Management Leaders

Companies have different motivations for engaging in risk management, RiskRecon found.

  • 50% of companies recognize that third parties expose them to operational, regulatory, legal and reputational risk and want to manage that.
  • 20% of companies are only doing third party risk management to comply with regulations or with customer requirements.
  • 30% of companies indicate that both are motivating factors.


Highly regulated industries, like finance and insurance, have had third party risk management programs operating for 6.5 years, with compliance a motivating factor. Over the years, especially with digital transformation, companies are recognizing that the benefits of third party risk management extend far beyond meeting regulators’ demands.

The move to digital requires working with outside vendors, which leads directly to increased risk. Implementing a third party risk management framework based on leading practices protects a business from a host of risks, including information security risks, lack of financial stability, supply chain disruptions and environmental or social accountability issues.

Pioneering companies know this, and are developing third party risk management programs to match. What tactics will you add to your third party risk management playbook?

Listen to a full overview of the Third-Party Security Risk Management Playbook in the full webinar.