Are you close enough to your third parties?

Risk management encompasses more than just what goes on inside the walls of your business - it needs to include your suppliers, contractors, data storage providers and more, essentially any third party that you use. So are you close enough to them to help mitigate the risks they bring? Peter Deans, CRO Group Risk at BOQ looks into the past, present and future of best practice. 

For many organisations using third parties is nothing new, although the frequency and scale of third party use and the regulatory focus on how organisations are managing these third parties has and will continue to increase. This article explores the management of third parties and will provide some areas for risk managers to consider as they mature their management of third party risks and contemplate how well they know their third parties.

The Past

Third party risk was traditionally addressed in a more siloed manner, often with individuals within the organisation focused on specific risks, usually within the supply chain. For example, consumer businesses were more likely to focus on reputational related risks involving product quality and/or safety. For many financial institutions; the focus was more likely on the technology aspects including business continuity and data protection where customer data was being shared with a third party. Many of these third party relationships were viewed and managed as ‘outsourced relationships’.

Many organisations have identified the need for better third party risk management and are well advanced on that journey, while others are just starting.

Organisations have been able to proactively manage third party risks, however, many haven’t yet considered the broader business exposure and a holistic view that’s essential to understanding the overall risk exposure from third parties to manage it enterprise-wide.

The Present

Many organisations have identified the need for better third party risk management and are well advanced on that journey, while others are just starting. A risk management framework that takes into consideration potential drivers of risk, looks at the scope of risk management activities, as well as different monitoring and reporting approaches, and assurance activities, will assist in establishing a more rigorous and consistent approach to third party risk management.

Engaging third parties for the provision of products or services is not a new concept, so why is third party management now becoming so important?

There are a number of key factors to consider, each of which are contributing to this increased focus. These include:

Technology

Technological enhancements developed by smaller (and arguably more innovative partners) are increasingly being provided access to sensitive organisational data. Many of these smaller partners may not yet have the same level of security posture as your organisation, thus increasing the likelihood of data leakage that could be highly detrimental. The likelihood of data leakage is also now becoming a greater reality for business leaders as the threat of a cyber-attack increases.

Specialist suppliers

The establishment of more specialist third parties (including cloud services) has led to some organisations becoming very dependent on the products and/or services from those third parties, which if they were to fail would have an adverse impact on the organisation.

Offshoring

Many organisations utilise offshoring arrangements to seek out lower cost solutions.  Regulatory differences between these offshore locations and those of the organisation’s home base could lead to inconsistent risk management and control implementation.

Market conditions

Global recession has driven many organisation to focus on ‘core’ activities and thus increase the level of operations that are ‘outsourced’ to third parties.  Outsourced arrangements inherently lead to a reduction in control and transparency that could create significant risk for the organisation.

Reputational impact

Failure by a third party to deliver against its contractual obligations could have a severe reputational impact, particularly if it leads to lengthy delays or inability to deliver services to customers.

Regulation

Regulators have increased their attention on third party risks within organisations and continue to enhance their regulatory requirements accordingly.  Many regulators across the globe are also establishing mandatory breach reporting programs to ensure an appropriate level of focus and risk management is being applied to data across organisations they regulate.

The financial services industry appears to be driving some of the more leading practices for managing third party risks. There is extensive guidance and regulation on the matter. Some of the more relevant regulatory guidance includes the Australian Prudential Regulation Authority (Australia), Prudential Standard CPS 231 Outsourcing, the Monetary Authority of Singapore (Singapore), Guidance on Outsourcing, the Financial Conduct Authority (United Kingdom), SYSC 8.1 General Outsourcing Requirements and the Office of the Comptroller of the Currency (OCC) (United States of America), OCC Bulletin 2013-29 Third Party Relationship – Risk Management Guidance, all of which appear to be converging towards organisations having a deeper understanding of the operations and risk management of the third party they are doing business with.

As risk managers, the question we should be asking ourselves is: “how well do I really know the third parties we are in business with?”

There are four areas worth drawing attention to that many financial institutions are now focused on, such as:

1. Non-traditional service providers . Third party risks can arise from more than just the ‘traditional’ outsourced service providers. Organisations are now starting to consider a slightly broader definition of third parties that includes other relationships, including those on the revenue aspects of their operations such as distributers, sales agents, brokers and licensees. Using a third party risk assessment process will assist in risk rating the various third parties and help drive the right mitigation and monitoring activities that is required.
2. Cyber risks. Understanding the potential cyber risks of the third party relationship, particularly those that have access to your core customer systems or platforms. The sophistication of cyber threats appears to be on an exponential trajectory and organisations need to keep pace with to reduce the risk of a damaging cyber-attack. Focusing on only the material third parties is unlikely to be sufficiently comprehensive to address cyber risks across the enterprise as organisations are likely to have a number of ‘non-material’ third party relationships that have access to customer data. These smaller, non-material third parties can also be exploited to gain access to your environment and customer data. Using ethical hackers or ‘Red Teams’ to better understand potential cyber vulnerabilities is starting to become common within financial institutions.
3. Fourth party risks. Includes understanding the potential risks created when your third party provider uses service providers in their own supply chain. This is increasingly being referred to as ‘fourth party’ and in some situations may even go as far as ‘fifth party’. Organisations need to understand their end-to-end supply chain to ensure an appropriate level of risk management is being applied across all parties involved.
4. Management of data breaches. Many jurisdiction are moving towards mandatory breach reporting regimes, which often includes the potential for quite significant fines for companies and individuals that don’t adequately manage data breaches. Organisations are not only focused on how to enhance their own breach reporting processes, but also those of their third parties; many of whom will have access to customer data. Ensuring your third parties are not only aware of, but complying with the mandatory reporting requirements is essential to being able to respond to regulators in the required timeframes.

The Future

Put simply, the more immediate future is likely to focus on many of the same areas noted above, but to a much greater degree of detail. The work around cyber threats will almost certainly become more prominent as organisations start to better understand potential vulnerabilities and impacts. The increased visibility of breaches through the various mandatory breach reporting regimes will drive organisations into a more transparent and deliberate risk response (including those not yet directly impacted by a data breach).

With the trend of third parties being considered extensions of an organisation, one area that could emerge around third party risk management is the alignment of third parties to organisational values. Areas of focus could extend beyond the more traditional matters highlighted above and start to include broader topics such as diversity requirements within the third party, ethical practices (including management of conflicts of interest), environmental matters, and/or basic workforce policies.

As risk managers, the question we should be asking ourselves is: “how well do I really know the third parties we are in business with?”