Third-Party Risk Management: What You Don’t Know Today CAN Hurt You

“Myles Gold, OpenDealerExchange: “We don’t have the biggest budget in the world, and many companies will be in the same boat. To give you a sense of where my company is today: our first step is to get the list of every third party that our company works with. We do not skip any companies, and we don’t focus on just the tier 1s or the IT ones. To get our list of third parties, we get a list of invoices paid and received from accounting, and then the list of new contracts from the previous year — but it’s not that easy. We once missed a vendor because they were a free service, so they didn’t go through our contract mentoring process and they didn’t go through as an invoice. That’s just something to be aware of. You’ll never probably have a perfect third-party list, but can ask the various teams in your company what services they’re providing or using to help find those gaps.”

“Arlene Worsley, Teck: “Specific to risk management and TPRM, I’m seeing three business trends. The first is shifting from compliance-based or maturity-based approach to a risk-based approach. The benefits of a risk-based approach include transparency on cyber risk for the company’s most valuable assets, as well as risk-based enterprise decision-making. This enables decision-makers to focus on investments in the right places depending on the risk treatments they decide on. Return on investment is also a significant benefit of a risk-based approach, ensuring efficiency of some of the counter-risk measures.”

“Dan Kinsella, Deloitte: The notion of leveraging the scoring and perspective insight is definitely where I’m seeing organizations start to go. I use the term gamification — if you had to look at a series of relationships from a scoring perspective, can you rank them based upon the risk factors that are considerations? I’m seeing some organizations starting to weave in operational considerations for how are they executing on your behalf.”

“Arlene Worsley, Teck: “At Teck, while we are not seeing more third-party security incidents, we are seeing targeted attempts by possible associations with nation-state-sponsored attacks and our vendors. This is where I’d like to share a story. As we know, the more vendors we have in our business ecosystem, the larger the attack surface for third, fourth, or fifth-party risks. It’s really important to understand your third-party ecosystem. Without that breadth and knowledge, you may find yourself a possible direct or indirect cyber indirect target for cyber warfare, particularly with the Russia-Ukraine conflict.”

“Arlene Worsley, Teck: “When it comes to value, and especially when it comes to risk, we need to be able to communicate using language that makes sense to the leaders who make the decisions. As I mentioned earlier, Teck has been transitioning from traditional approach of qualitative risk analysis to quantitative risk analysis, and the information security team at Teck uses the FAIR model — the Factor Analysis of Information Risk for calibrating estimates and quantification of risk. For those of you who might not know about FAIR, it’s an international standard for quantitative assessments that’s specific to information security. Today, Teck is integrating FAIR into our organization not only through the calibration of those estimates using some great tools, but we are also integrating FAIR data into our central ITGRC, AuditBoard. This provides a clear picture of the high/critical risk and loss impact of cyber risk that may be realized.”

“Myles Gold, OpenDealerExchange: “The simplest way we show how we add value is through risk reduction. We consider TPRM as part of our corporate risk management program. By mitigating risk from our critical vendors, we’re lowering the major risk for the whole company. From a quantitative risk perspective, I would love to do the FAIR values, but we’re just not there yet. We’re still building a program and expanding our team. What we do is provide quarterly reports to upper management. We list the third parties we assessed, the findings we had, and other high-level information. It’s a great way to show management what you’ve done and how you helped them. They can see trends, and usually if fosters good discussions because they say, “Oh, do they not have a security program?” or “Do they really not do that?” It’s a good format where you’re not bugging them every week about third parties.”

“Dan Kinsella, Deloitte: “When I think about the notion of value, I also think about having the access and availability to data in order to make those decisions — what does that look like on more of a real-time basis? You have clear insights that are action-oriented. You have some teeth and you get executives involved. You have business decision trees, and not just about not accepting a vendor — you can pivot the other way to say, “Hey this relationship is doing really well for us. Maybe we should engage in more business here.” Focus on both positive aspects and challenging aspects.”