You’re only ever as secure as your third-party suppliers. If they are careless with the data you ask them to access or process – or if they are unlucky enough to be targeted by bad actors – then the knock-on effects for your own security, compliance and ultimately revenue and reputation can be severe.
Consider British Airways, which the ICO has proposed to fine £183 million for a significant data breach. Although BA has not publicly attributed the breach to a specific cause, expert analysis of BA's own communications around the breach points to a third-party component of its website as the source. Or Mastercard's 'Priceless Specials' loyalty program, which was run through a third party and breached in August: 90,000 customers were affected, and fines potentially running to double-digit millions of euros are being threatened. Or Capital One, which exposed the data of 100 million people when a hacker responsible for 30 other breaches leveraged an exploit within a 'cloud computing company', widely speculated to be Amazon Web Services (AWS).
Little wonder, then, that compliance frameworks like the GDPR have significantly extended the scope of a business's responsibility to cover its third-party suppliers. Under the GDPR, any organization you engage to process or access the personal data of individuals in the EU is a data processor, and you are the data controller. Controllers may only engage processors that provide sufficient guarantees that they will comply with the regulation, and the controller remains accountable for the processing it commissions.
But how do you actually build a third-party risk management program? Our Services Director for Governance, Risk and Compliance (GRC), Alex Hollis, shows you how.
Let's imagine an SME called 'Bananas': a UK-based retailer with a number of physical shops as well as an e-commerce store, which sells to customers across the UK as well as the rest of Europe. To do so, it works with a number of suppliers of professional services such as marketing, legal and payroll, and also has three distribution suppliers which in turn deal with hundreds of manufacturers.
Bananas has just hired a Third Party Risk Manager, Julie, who knows that a formal system needs to be put in place, but she has no budget and only a minimal team borrowed from other functions.
As far as third-party risk management is concerned, Bananas currently has a few informal systems that have developed out of necessity. The IT department has the most mature assessment, a questionnaire loosely based on ISO 27001, but its use is inconsistent. Meanwhile, the purchasing team has a little black book of its distribution partners which was half-heartedly centralized at one point. The rest of the organization works in an ad-hoc way.
Lots of problems are associated with this approach:
To deal with these problems, Julie makes five key recommendations – the foundation for a consistent, logical and risk-based third-party risk management (TPRM) program. These are:
From there, Julie can put together a TPRM process which ends with a list of identified issues. Each issue either needs remediating or requires an exception from the business for Bananas to accept the risk. She can also build a system for capturing and monitoring this program. Excel provides a cheap and cheerful starting point for tracking a TPRM program; it typically serves for about two years before its lack of dynamism, automation and reporting capability becomes a problem and the organization needs to look for a more specialist risk management platform. Having embedded the base model, as in this case, you will be in a strong position for a smooth migration.
Want to follow in Bananas’ footsteps? Whether you’re starting from scratch or want to brush up on your skills, you can make your third-party program ‘a-peeling’ with the help of SureCloud. We have run a webinar to guide you through the process for Bananas, and how you can apply it in your own organization.
SureCloud connects the dots with Integrated Risk Management solutions enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation; meaning you get immediate and sustained value from the outset. SureCloud has been recognized in the 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions.