Guest Author: Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research LLC
The need for situational awareness
I am a James Bond fan and eagerly anticipate the next James Bond film, “No Time to Die.” Unfortunately, because of the global crisis we all now face, we have to wait until April 2021 to see the film on the big screen. While we wait for this next instalment in the 007 saga, we can still learn what makes the master spy so great and apply it to our world of business: situational awareness.
Today’s organization needs situational awareness. Situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the business but is particularly needed in the context of risk in third-party relationships.
Gaining a holistic view of third party risk
Business today is a complex web of third-party relationships. Gone are the days when an organization was defined by brick and mortar walls and traditional employees. Today’s organization is a nested array of suppliers, vendors, outsourcers, contractors, consultants, temporary workers, service providers, brokers, agents, intermediaries, partners, and more.
There are no longer hard and fast boundaries to the organization as these relationships extend and nest themselves in deep supply chains and subcontracting relationships.
What is troubling about how organizations manage third-party risk is that it is done in disconnected silos.
Different departments have their limited view of the risk a third-party relationship brings to the organization, but no one sees the full situation. They fail to see the big picture of risk across these silos.
This would be like James Bond just looking at one factor of a situation and not all the factors that tell the full story. Consider SPECTRE (Special Executive for Counter-intelligence, Terrorism, Revenge, and Extortion), led by 007’s nemesis Ernst Stavro Blofeld. Throughout the James Bond stories, Bond has to understand the complex operations, supply chain, and movements of this organization to understand its motives and intentions. Looking at just a piece of the puzzle often misleads; it is the full picture that tells the real risk.
Aggregate the full risk exposure from your third parties
Consider this common scenario, in which third-party risk is handled by different departments that do not collaborate or see the big picture across departments. In a critical third-party relationship, IT security may see the risk as moderate, finance/procurement measures its risk as moderate, legal, looking at things like bribery and corruption, scores a moderate risk, and social accountability, looking at human rights, defines it as moderate.
None of these departments sounds the alarm on the third party because the risk is not high enough to set off alerts. But if someone could actually step back and see the full situation and the aggregate risk exposure across these departments, they may very well realize that this critical third party is bringing significant, unwanted risk exposure to the organization.
Can you rely on your vendors during these uncertain times?
The current global crisis with the COVID-19 pandemic is an excellent example of the need for 360° situational risk awareness in third-party relationships. Right now, organizations need to understand the operational resiliency and viability of their third parties to ensure they are partnering with firms that can weather the current economic storm.
Assessing critical vendor risk quickly and effectively
Organizations need to understand their critical third parties’ business continuity capabilities to ensure they can deliver services in this time of crisis. They need to know that their third parties are addressing health and safety concerns within their operations.
They need to understand the social accountability focus of third parties to ensure their own reputation and brand will not be hurt by how the firms they partner with respond to the crisis.
And they need to understand the security controls and monitoring in place while the third parties’ business processes are adapting, since those changes could expose the organization’s data and network connections. Seeing all this together gives the organization 360° situational awareness of risk in these relationships.
Instead of siloed processes to assess a limited view of risk in a third-party relationship, organizations need to implement processes and technology that measure and evaluate the full scope of risk exposure in a third-party relationship. This risk needs to be assessed during the onboarding process, but also regularly throughout the lifecycle of the relationship.
Be like James Bond: get a complete grasp of your third-party relationships through situational awareness so you can see the big picture across the risks that a single relationship brings to your organization.