Cyber risk is a huge priority for the board, including the risk posed by third-party vendors and suppliers. Armed with this information, the board can focus on getting further behind security initiatives or adding additional resources. Immature programs have traditionally relied on questionnaires and spreadsheets to assess and track third-party risk. These manual tools are sufficient if the organization is starting out.
However, as it expands and adds more suppliers, security leaders should consider adding purpose-built third-party risk management technology and automation tools to manage a successful program at scale. For instance, using BitSight Security Ratings as part of a comprehensive third-party cyber risk management program, security professionals can immediately and automatically expose third-party cyber risk during the onboarding process.
Then, instead of wasting time doing long, full-blown assessments on every vendor, they can allocate resources to vendors that require greater due diligence. Cyberspace is constantly evolving, as is third-party risk. Using BitSight, they can also gain a strategic view of risk across their vendor portfolio to easily prioritize urgent third-party risk issues over non-urgent ones.
Based on these insights, organizations can then have honest, data-driven conversations with their vendors about their cybersecurity postures, communicate exactly where risk may be present, and work collaboratively towards remediation. A successful and mature third-party risk management program transforms the way organizations manage third-party cyber risk, helping them overcome one of the largest obstacles to digital transformation and business growth.
Importantly, organizations at the top of the maturity ladder view third-party risk management through an operational efficiency lens — finding ways to reduce vendor onboarding time and costs — rather than solely as a check in the box or compliance necessity.
To serve your customers and realize efficiencies, your organization may work with dozens if not hundreds of third parties including partners, vendors, cloud service providers, and subcontractors. Facebook and the apps under its umbrella, including Instagram and WhatsApp, were inaccessible for hours on Monday. The outage hamstrung the communications of billions of people, businesses, and other organizations.
The recent rise in ransomware attacks and business-halting data breaches has made it clear that your organization must prioritize cyber security performance.
But ad hoc security controls and defensive measures are not the answer. Strong governance has clear benefits in reducing risk with increased transparency, better alignment to strategy, and consistent regulatory compliance. Companies can reduce their overall third-party risk profile by embedding third-party risk management practices in all levels of the organization, including: Managing third-party risk is an ongoing process. Strong governance must go hand-in-hand, mitigating risk while enhancing rewards, and positively impacting your reputation and bottom line.
Third-party risk is becoming a first priority challenge. Reduce your extended enterprise risk. We see three emerging trends that drive increased third-party risk: Increased incidents related to vendors: Suppliers are causing more disruption and risks are not being managed. Information security, privacy and anti-fraud management are some examples.
Regulators focusing on supplier risk: Regulators are increasing the pressure on organizations to better manage their supply chain risk. This can be particularly beneficial to institutions that are looking to expand quickly, unwilling to invest in certain locations, or keen to offer services in markets that would be unprofitable if entered using their own sales channels, processing centres and infrastructure.
A final benefit of using third parties, if they are managed effectively, is that they can actually reduce your exposure to operational risk.
Whereas outsourcing processes and services can be extremely beneficial to FS institutions, the use of third parties can carry a significant risk. You are, in effect, trusting external firms with key parts of your business and if they fail to deliver, you could fail to deliver as well.
In essence, firms who outsource a large number of activities consequentially become part of a complex, interconnected ecosystem. Such a multifarious environment presents some fundamental challenges, at the centre of which is the need to successfully manage and monitor the third parties and the services they are providing. By outsourcing, you are handing control of parts of your value chain to other firms and even if financial losses are mitigated by contracts, mishandling these elements can cause substantial reputational damage to the firm.
At a time when data privacy and security is of paramount importance, FS institutions must be certain that data is being collected, stored, managed and used in line with all applicable laws and regulations such as the General Data Protection Regulation — GDPR.
Requesting that adherence in an SLA is one thing, but evidence is required to satisfy risk managers and regulators. Similarly, it is vital that the third parties employed by FS organisations are compliant with their principles of conduct. Customers are right to expect the same conduct standards at all points in their customer journey, so cultural alignment with third party providers is essential, especially where they interact directly with customers.
If these factors create an intricate challenge, then it is exacerbated by an inconsistent, global regulatory environment where different standards are expected by different regulators, communicated via a raft of varying regulations e. So how can FS organisations manage third party risks? Unfortunately, there is no single, simple solution, but there are five actions that FS organisations can take to mitigate the risks and demonstrate that they are in control:
With the use of third parties no longer regarded as risk transfer, FS institutions are painfully aware of the risks involved. In the last few years there has been a significant increase in the focus on mitigating those risks and investing in their management. As well as the individual responses, some firms have attempted to outsource the issue, employing specific companies to manage their entire supplier network.
Others are pursuing community models collaborating with other industry participants to drive minimum standards and common assessment criteria. Whatever the approach to third party risk management taken by FS institutions, now is the time to ensure greater benefit is derived through the provision of more information, more tailored solutions and closer working relationships.
At BCS Consulting, we like to share our informed thoughts and opinions on the latest developments in the financial services marketplace. Using Third Parties: A competitive advantage or a cause for concern?
Reducing cost and exploiting expertise, third parties can be a market force for good. Each and every FS institution requires the support of third party providers to run their business. Poor third party management can leave you vulnerable.