Third-Party Risk Management: What You Don’t Know Today CAN Hurt You
Vendor vulnerabilities continue to plague many industries and teams are struggling to manage the associated risk volatility. A strong third-party risk management (TPRM) program can help alleviate the impact of related risks. The building blocks of a successful program include a sturdy workflow for vendor onboarding along with ongoing monitoring of each vendor. Daniel Kinsella of Deloitte & Touche LLP moderates a conversation with Arlene Worsley of Teck Resources Ltd. and Myles Gold of OpenDealerExchange about how their organizations tackle third-party risk management, including:
- Trends and approaches for handling third-party risk, including taking a risk-based rather than a compliance- or maturity-based approach.
- The importance of understanding your third-party ecosystem — it’s larger than you might think.
- Showcasing the value of your TPRM program with quantitative risk analysis and enabling the business to make risk-informed decisions.
Trends and Approaches for Handling Third-Party Risk Management
Myles Gold, OpenDealerExchange: “We don’t have the biggest budget in the world, and many companies will be in the same boat. To give you a sense of where my company is today: our first step is to get the list of every third party that our company works with. We do not skip any companies, and we don’t focus on just the tier 1s or the IT ones. To get our list of third parties, we get a list of invoices paid and received from accounting, and then the list of new contracts from the previous year — but it’s not that easy. We once missed a vendor because they were a free service, so they didn’t go through our contract mentoring process and they didn’t go through as an invoice. That’s just something to be aware of. You’ll never probably have a perfect third-party list, but can ask the various teams in your company what services they’re providing or using to help find those gaps.
Once you get the list of third parties, you define your third parties. We have four buckets, what we call level 0, 1, 2, and 2. Level 0 is considered not a risk. If an employee signs up for training or leases a car, those are skipped in our risk assessment. Level 1 would be third parties that are not a current risk, but that you want to monitor. Levels 2 and 3 are where we do the actual risk assessments. Level 2 is something that’s critical to us such as a financial risk, employee data, or proprietary business information. We assess level 2s every three years. I would not do a third-party assessment every year for all your vendors. It’s not value add and can annoy your relationship owners. Level 3 is where we have consumer data like PII or credit report data, and we audit third parties that have it once a year. Since we’re a software company, pretty much all our supply chain are level 3s. To give you an idea, we have 63 level 1s, 31 level 2s, and 21 level 3s.
When we’re ready to do the actual assessment, we ask our relationship owners like IT and legal what type of data is being stored at the third party, the number of transactions, any threats or vulnerabilities that could be exposed, and any areas of concern. Once we get the questions answered, we’ll start building our actual risks and create the inherent risk ratings, and then determine the scope of the audit. Each company is going to be different, but for us complying with PCI, if data is stolen or lost or third parties go down, those are all major risks for us, so those are usually what we consider in third-party assessments.
From there, we build out our questionnaires. Each risk will have its own questionnaires and its own assessment. Get specific in your questionnaires. Instead of having a 100-question questionnaire, try to pick the ones that actually matter. If you don’t care that they respond negatively to your question, don’t ask it. I once was required to do a 700-question questionnaire. Turned out that the bank that audited me only looked at 300 of those questions — it’s not good from a relationship perspective to ask more questions than you need. Additionally, make sure that the questions you ask are open-ended, and have evidence that’s requested. As a former auditor, I can say that if you don’t ask for evidence you’re not going to get the answers you want.”
Arlene Worsley, Teck: “Specific to risk management and TPRM, I’m seeing three business trends. The first is shifting from compliance-based or maturity-based approach to a risk-based approach. The benefits of a risk-based approach include transparency on cyber risk for the company’s most valuable assets, as well as risk-based enterprise decision-making. This enables decision-makers to focus on investments in the right places depending on the risk treatments they decide on. Return on investment is also a significant benefit of a risk-based approach, ensuring efficiency of some of the counter-risk measures.
The second shift that I’m seeing is transitioning from qualitative risk analysis to quantitative risk analysis. This is where the language of risk really resonates with leaders because traditionally many organizations use the red, amber, green status — high, medium, low. Qualitative. With any gauge, it’s not quite clear where you want to prioritize those risks that you identify. With quantitative risk analysis, we’re seeing that our decision makers are better informed to identify the top risks based on loss impact in dollars. That’s been really important here at Teck, and as a result we’re able to prioritize our risks and investments to support that prioritization.
The last shift we’re seeing is advancing third-party real-time monitoring through tool integration, particularly with centralized solution like AuditBoard.”
Dan Kinsella, Deloitte: The notion of leveraging the scoring and perspective insight is definitely where I’m seeing organizations start to go. I use the term gamification — if you had to look at a series of relationships from a scoring perspective, can you rank them based upon the risk factors that are considerations? I’m seeing some organizations starting to weave in operational considerations for how are they executing on your behalf.
Understanding Your Third-Party Ecosystem
Arlene Worsley, Teck: “At Teck, while we are not seeing more third-party security incidents, we are seeing targeted attempts by possible associations with nation-state-sponsored attacks and our vendors. This is where I’d like to share a story. As we know, the more vendors we have in our business ecosystem, the larger the attack surface for third, fourth, or fifth-party risks. It’s really important to understand your third-party ecosystem. Without that breadth and knowledge, you may find yourself a possible direct or indirect cyber indirect target for cyber warfare, particularly with the Russia-Ukraine conflict.
Teck did undergo some challenges where we had a third party with an association through that conflict. Some of our lessons learned include the importance of vendor inventory, particularly for high/critical vendors. If you have a high/critical vendor, it would be beneficial to the organization to take a close look at their international partners and affiliations, and also evaluate your organization to see if you can potentially be a target of a direct or indirect nation-state attack. Of course, many of us feel that we may not be part of that environment, particularly with a very specific cyber warfare conflict. However, the ecosystem is large, and you might be surprised when you connect the dots.
You’ll want to assess what your susceptibility is to this risk and the business impact to the organization, which is very relevant to a risk-based approach. You also want to assess the level of dependency on these high/critical vendors — understand your business continuity risk and your response readiness in the event of a disaster through your third party that may have a direct impact directly or indirectly on your organization. Test your business continuity and your disaster recovery plans using nation-state third-party scenarios, and lastly, as part of that exercise, identify your security gaps, determine risk treatments, obtain buy-in from management, and execute mitigation to prevent a material breach or a network outage by a third party. At the end of the day, what we’re trying to reduce and avoid is severe operations disruption or impact on human or environmental safety, data loss, revenue loss, and reputational damage.”
Showing the Value of Your TPRM Program
Arlene Worsley, Teck: “When it comes to value, and especially when it comes to risk, we need to be able to communicate using language that makes sense to the leaders who make the decisions. As I mentioned earlier, Teck has been transitioning from traditional approach of qualitative risk analysis to quantitative risk analysis, and the information security team at Teck uses the FAIR model — the Factor Analysis of Information Risk for calibrating estimates and quantification of risk. For those of you who might not know about FAIR, it’s an international standard for quantitative assessments that’s specific to information security. Today, Teck is integrating FAIR into our organization not only through the calibration of those estimates using some great tools, but we are also integrating FAIR data into our central ITGRC, AuditBoard. This provides a clear picture of the high/critical risk and loss impact of cyber risk that may be realized.
We’re also taking it to the next level and ensuring all management levels of the organization are receiving FAIR training in an effort to increase awareness and understanding of the benefits of FAIR and how it works. Sometimes when you’re presenting information that is quantified, the numbers can be scary. These are calibrated estimates, but at the end of the day all they see is large numbers — so you need to be able to effectively communicate not only using the FAIR model, but also illustrating how FAIR feeds into your threat-based risk analysis. For instance, using an illustrative example from a threat actor penetrating your environment, and showing how they can pivot and navigate in the environment, where your vulnerabilities are, and what the loss events could be, and the potential business impact at that point. The more you can illustrate that, the easier they can follow the rationale of the FAIR analysis.”
Myles Gold, OpenDealerExchange: “The simplest way we show how we add value is through risk reduction. We consider TPRM as part of our corporate risk management program. By mitigating risk from our critical vendors, we’re lowering the major risk for the whole company. From a quantitative risk perspective, I would love to do the FAIR values, but we’re just not there yet. We’re still building a program and expanding our team. What we do is provide quarterly reports to upper management. We list the third parties we assessed, the findings we had, and other high-level information. It’s a great way to show management what you’ve done and how you helped them. They can see trends, and usually if fosters good discussions because they say, “Oh, do they not have a security program?” or “Do they really not do that?” It’s a good format where you’re not bugging them every week about third parties.
The last thing I want to add is the best way you can help your company and add value is by helping them make the right business decisions. You are the subject matter experts on risk. By training your employees, you help guide them to make those business risk decisions that they weren’t doing before. My team is starting to do that. We’ve actually rejected a vendor recently based on the risk being too high. I think that’s where we add value once we start getting into those conversations.”
Dan Kinsella, Deloitte: “When I think about the notion of value, I also think about having the access and availability to data in order to make those decisions — what does that look like on more of a real-time basis? You have clear insights that are action-oriented. You have some teeth and you get executives involved. You have business decision trees, and not just about not accepting a vendor — you can pivot the other way to say, “Hey this relationship is doing really well for us. Maybe we should engage in more business here.” Focus on both positive aspects and challenging aspects.
To wrap up, even though third-party risk can harm you, be happy in the process — and realize inthird-party risk as well as life, the best is yet to come.”
Looking for more thought leadership? Check out our on-demand webinar library, and stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences.
