The risk with third parties
You’re only ever as secure as your third-party suppliers. If they are careless with the data you ask them to access or process – or if they are unlucky enough to be targeted by bad actors – then the knock-on effects for your own security, compliance and ultimately revenue and reputation can be severe.
Consider British Airways, recently hit with a £183 million fine by the ICO for a significant data breach. Although BA has not publicly attributed the breach to any specific cause, expert analysis of BA’s communications around the incident points to a third-party component of its website as the cause. Or Mastercard’s ‘Priceless Specials’ loyalty programme, which was run through a third party and breached in August: 90,000 customers were affected, and potentially double-digit million-euro fines are being threatened. Or Capital One, which compromised the data of 100 million people when a hacker responsible for 30 other breaches leveraged an exploit within a ‘cloud computing company’. That company has been speculated to be Amazon Web Services (AWS).
GDPR & third parties
Little wonder, then, that compliance frameworks like the GDPR have worked to extend the scope of responsibility for businesses significantly, to cover their third-party suppliers. Under the GDPR, any organization you engage to process or access the personal data of EU citizens becomes a data processor, where you are the data controller. And under the GDPR, data controllers are responsible for the compliance of their processors.
But how do you actually build a third-party risk management program? Our Services Director for Governance, Risk and Compliance (GRC), Alex Hollis, shows you how.
A case study in building a third-party risk management programme
Let’s imagine an SME called ‘Bananas’: a UK-based retailer with a number of physical shops as well as an e-commerce store, which sells to customers across the EU as well as the rest of Europe. To do so, it works with a number of suppliers for professional services such as marketing, legal and payroll, and also has three distribution suppliers which in turn deal with hundreds of manufacturers.
Bananas has just hired a Third Party Risk Manager, Julie, who knows that a formal system needs to be put in place – but she has no budget and only a minimal team, borrowed from other functions.
Where is Bananas now?
As far as third-party risk management is concerned, Bananas currently has a few informal systems which have developed out of necessity. The IT department has the most mature assessment, a questionnaire loosely based around ISO 2700, but its use is inconsistent. Meanwhile, the purchasing team has a little black book of its distribution partners which was half-heartedly centralized at one point. The rest of the organization works in an ad-hoc way.
What does this mean?
Lots of problems are associated with this approach:
- There is no single place to get required information; even within teams, there are multiple sources. This leads to duplication, mistakes and inefficient decision-making.
- With no methodology, there is no risk-based approach: every supplier receives the same scrutiny regardless of what it accesses, so Bananas will be exposed to risk.
- There is no consistency, and therefore no opportunity for everyone to benefit from incremental improvements.
- There is no responsibility assigned, so no one is stepping in to align everyone.
- There is no schedule, so once suppliers get on the books, they stay there, regardless of how the nature of their business or the services they provide changes.
- No one wants to slow down or risk not working with their ideal vendor.
The foundations for a new third-party risk management programme
To deal with these problems, Julie makes five key recommendations, which together form the foundation for a consistent, logical and risk-based third-party risk management (TPRM) programme. These are:
- A single repository of all third-party information, with consistency across naming to avoid duplication.
- A defined process for assessing the risk associated with each third-party and confirming that it is necessary for Bananas to work with them.
- Identified responsibility, whether an individual or a team, for assessing the risk of each and every third party.
- Repeating activity, so that due diligence is repeated at regular intervals.
- Compliance, which can only be confirmed once the risk assessment processes above have been completed.
From there, Julie can put together a TPRM process which ends with a list of identified issues. Each issue either needs remediating or requires an exception approved by the business, so that Bananas formally accepts the risk. She can also build a system for capturing and monitoring this programme. Excel provides a cheap and cheerful starting point for tracking a TPRM programme; it typically lasts for about two years before its lack of dynamism, automation and reporting capability becomes a problem and the organization needs to look for a more specialist risk management platform. Having embedded the base model, as in this case, you will be in a strong position for a smooth migration.
Want to follow in Bananas’ footsteps? Whether you’re starting from scratch or want to brush up on your skills, you can make your third-party programme ‘a-peeling’ with the help of SureCloud. We have run a webinar that guides you through the process for Bananas and shows how you can apply it in your own organization.
SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.
SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform which is simple, intuitive and flexible. Unlike other GRC platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset. SureCloud has been recognized in the 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions.