September 8, 2022 2 min read

Third-Party Risk Management: What You Don’t Know Today CAN Hurt You

Vendor vulnerabilities continue to plague many industries and teams are struggling to manage the associated risk volatility. A strong third-party risk management (TPRM) program can help alleviate the impact of related risks. The building blocks of a successful program include a sturdy workflow for vendor onboarding along with ongoing monitoring of each vendor. Daniel Kinsella of Deloitte & Touche LLP moderates a conversation with Arlene Worsley of Teck Resources Ltd. and Myles Gold of OpenDealerExchange about how their organizations tackle third-party risk management, including:

  1. Trends and approaches for handling third-party risk, including taking a risk-based rather than a compliance- or maturity-based approach.
  2. The importance of understanding your third-party ecosystem — it’s larger than you might think.
  3. Showcasing the value of your TPRM program with quantitative risk analysis and enabling the business to make risk-informed decisions.
Experts from Deloitte, Teck Resources Ltd., and OpenDealerExchange share actionable insights to help you advance your TPRM program.

Myles Gold, OpenDealerExchange: “We don’t have the biggest budget in the world, and many companies will be in the same boat. To give you a sense of where my company is today: our first step is to get the list of every third party that our company works with. We do not skip any companies, and we don’t focus on just the tier 1s or the IT ones. To get our list of third parties, we get a list of invoices paid and received from accounting, and then the list of new contracts from the previous year — but it’s not that easy. We once missed a vendor because they were a free service, so they didn’t go through our contract mentoring process and they didn’t go through as an invoice. That’s just something to be aware of. You’ll probably never have a perfect third-party list, but you can ask the various teams in your company what services they’re providing or using to help find those gaps.”

Arlene Worsley, Teck: “Specific to risk management and TPRM, I’m seeing three business trends. The first is shifting from a compliance-based or maturity-based approach to a risk-based approach. The benefits of a risk-based approach include transparency on cyber risk for the company’s most valuable assets, as well as risk-based enterprise decision-making. This enables decision-makers to focus on investments in the right places depending on the risk treatments they decide on. Return on investment is also a significant benefit of a risk-based approach, ensuring efficiency of some of the counter-risk measures.”

Dan Kinsella, Deloitte: “The notion of leveraging the scoring and perspective insight is definitely where I’m seeing organizations start to go. I use the term gamification — if you had to look at a series of relationships from a scoring perspective, can you rank them based upon the risk factors that are considerations? I’m seeing some organizations starting to weave in operational considerations for how they are executing on your behalf.”

Understanding Your Third-Party Ecosystem

Arlene Worsley, Teck: “At Teck, while we are not seeing more third-party security incidents, we are seeing targeted attempts by possible associations with nation-state-sponsored attacks and our vendors. This is where I’d like to share a story. As we know, the more vendors we have in our business ecosystem, the larger the attack surface for third, fourth, or fifth-party risks. It’s really important to understand your third-party ecosystem. Without that breadth and knowledge, you may find yourself a possible direct or indirect target for cyber warfare, particularly with the Russia-Ukraine conflict.”

Showing the Value of Your TPRM Program

Arlene Worsley, Teck: “When it comes to value, and especially when it comes to risk, we need to be able to communicate using language that makes sense to the leaders who make the decisions. As I mentioned earlier, Teck has been transitioning from a traditional approach of qualitative risk analysis to quantitative risk analysis, and the information security team at Teck uses the FAIR model — the Factor Analysis of Information Risk — for calibrating estimates and quantification of risk. For those of you who might not know about FAIR, it’s an international standard for quantitative assessments that’s specific to information security. Today, Teck is integrating FAIR into our organization not only through the calibration of those estimates using some great tools, but we are also integrating FAIR data into our central ITGRC, AuditBoard. This provides a clear picture of the high/critical risk and loss impact of cyber risk that may be realized.”
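To make the "calibrated estimates and quantification" concrete, here is an added illustration (not code from the webinar, Teck, AuditBoard, or the FAIR standard itself) of the core FAIR arithmetic: loss event frequency is threat event frequency times vulnerability, each input is a calibrated min / most-likely / max estimate, and a Monte Carlo run turns those into an annualized loss distribution that can be compared against a loss tolerance. The vendor scenario, the triangular sampling, and all numbers are constructed assumptions for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Calibrated:
    """A calibrated estimate expressed as minimum, most likely and maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular sampling is an assumption for this example; FAIR tooling
        # commonly uses PERT-style distributions, but the mechanics are the same.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class VendorScenario:
    """One third-party loss scenario, e.g. 'vendor X breached, our data exposed'."""
    name: str
    threat_event_frequency: Calibrated  # attempts per year against the vendor
    vulnerability: Calibrated           # probability an attempt becomes a loss event
    loss_magnitude: Calibrated          # loss per event, in currency units


def poisson(lam: float, rng: random.Random) -> int:
    """Draw the number of loss events in one year given an expected frequency."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: VendorScenario, trials: int = 5000, seed: int = 42) -> list:
    """Monte Carlo over simulated years; returns one annualized loss per trial."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        # FAIR: loss event frequency = threat event frequency x vulnerability
        lef = tef * vuln
        events = poisson(lef, rng)
        annual_losses.append(
            sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        )
    return annual_losses


def summarize(annual_losses: list, loss_tolerance: float) -> dict:
    """Annualized loss expectancy plus tail figures leadership can act on."""
    ordered = sorted(annual_losses)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "ale": sum(ordered) / n,
        "p50": percentile(0.5),
        "p90": percentile(0.9),
        "p_exceeds_tolerance": sum(1 for loss in ordered if loss > loss_tolerance) / n,
    }


# Constructed sample scenario; every figure below is an assumption for illustration.
PAYROLL_SAAS = VendorScenario(
    name="payroll SaaS provider (constructed)",
    threat_event_frequency=Calibrated(1, 4, 12),
    vulnerability=Calibrated(0.05, 0.15, 0.40),
    loss_magnitude=Calibrated(50_000, 250_000, 2_000_000),
)
LOSS_TOLERANCE = 1_000_000  # constructed annual loss tolerance for this vendor tier


def vendor_report(scenario: VendorScenario = PAYROLL_SAAS,
                  tolerance: float = LOSS_TOLERANCE) -> dict:
    return summarize(simulate(scenario), tolerance)


if __name__ == "__main__":
    for key, value in vendor_report().items():
        print(f"{key:>20}: {value:,.2f}")
```

The output is the kind of figure a quarterly report can carry: an annualized loss expectancy for the vendor, the 90th-percentile year, and the probability that a year exceeds the agreed tolerance. Swapping the calibrated inputs for the "before" and "after" of a control (a lower vulnerability estimate once the vendor remediates a finding) gives the risk-reduction number the speakers describe wanting to show leadership.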

Myles Gold, OpenDealerExchange: “The simplest way we show how we add value is through risk reduction. We consider TPRM as part of our corporate risk management program. By mitigating risk from our critical vendors, we’re lowering the major risk for the whole company. From a quantitative risk perspective, I would love to do the FAIR values, but we’re just not there yet. We’re still building a program and expanding our team. What we do is provide quarterly reports to upper management. We list the third parties we assessed, the findings we had, and other high-level information. It’s a great way to show management what you’ve done and how you helped them. They can see trends, and usually it fosters good discussions because they say, “Oh, do they not have a security program?” or “Do they really not do that?” It’s a good format where you’re not bugging them every week about third parties.”

Dan Kinsella, Deloitte: “When I think about the notion of value, I also think about having the access and availability to data in order to make those decisions — what does that look like on more of a real-time basis? You have clear insights that are action-oriented. You have some teeth and you get executives involved. You have business decision trees, and not just about not accepting a vendor — you can pivot the other way to say, “Hey, this relationship is doing really well for us. Maybe we should engage in more business here.” Focus on both positive aspects and challenging aspects.”

Looking for more thought leadership? Check out our on-demand webinar library, and stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences.
