Managing Third-Party Risks with Connected and Continuous Strategies

By Prasad Sabbineni

As businesses contend with constant volatility driven by heightened geopolitical tensions and regulatory demands, the spotlight has moved increasingly to third-party risk management. Whether the trigger is a high-impact event such as the pandemic or a more routine incident such as a phishing campaign or a vendor misconfiguration, businesses globally now find proactive and continuous third-party risk management imperative.

According to the India-focused edition of PwC's Global Economic Crime and Fraud Survey, companies typically engage with as many as five distinct third-party platforms for their routine business operations. The rise of e-commerce, contactless payments, home-delivery models, remote work and similar developments has spurred more third-party-based innovation, and with it new openings for fraud and other risks to enter the enterprise.

Enterprise risks, including a significant share of cyber risks, are evolving rapidly and becoming more interconnected, which calls for swift response strategies and ongoing monitoring. EY's 2023 Global Third-Party Risk Management Survey, covering 500 organizations worldwide including India, found that cybersecurity and digital risk account for more than 60% of the risks reported in a company's overall risk inventory.

Organizations must now move beyond traditional risk identification and mitigation and foster a culture of risk awareness, which calls for a fundamental shift in employee mindset.

This is especially crucial for the extended enterprise of third-party vendors, suppliers and contractors, where ownership of risk management must move from the second line of defence (the risk and compliance functions) to the front line (the business units that select and work with those third parties).

Against this background, here are some essential factors for organizations to consider when developing a robust third-party risk strategy:

Shared Accountability in Third-Party Risk Management

Third-party risk management extends beyond specialized roles such as the Chief Information Security Officer (CISO) and the Governance, Risk Management and Compliance (GRC) team. It involves everyone from the C-suite to individual employees. Individual decisions, even those made when no one is watching, shape not only personal ethics but also the collective risk profile of the organization.

Whether a senior executive or a new hire, everyone must recognize that each individual associated with the organization, whether vendor, customer, partner or employee, poses a potential risk if not adequately trained and informed about cyber risks.

Ensuring Consistency between Third-Party Risk Strategy and Organizational Objectives

It is essential to align the third-party risk program closely with the organization's overall risk philosophy, strategy, tolerance and practices, in both the short and the long term. A thoroughly integrated risk framework lets organizations understand risk and reward trade-offs, assess risk exposure and manage specific risks judiciously, while improving transparency for stakeholders.

At the same time, it is vital to document and communicate roles, responsibilities and accountabilities for third-party risk management across the enterprise, both for the organization and for the third party involved. While the board sets the primary narrative and leadership must lead by example, established feedback and communication channels let employees share observations efficiently and promptly.

Enhancing Third-Party Risk and Compliance Oversight

Given the increasing reliance on third-party services, organizations must integrate third-party risk and compliance management into their overarching GRC framework to gain comprehensive visibility into, and understanding of, their overall position. Regulatory requirements such as the SEC cyber rules, GDPR, HIPAA and SOX make this integration imperative.

Consequently, organizations must establish continuous assessment strategies, processes and systems to evaluate third-party risks and to ensure compliance with relevant industry regulations and standards. They must also put in place well-defined policies, Service Level Agreements (SLAs) and ethical business practices to mitigate risk to the greatest extent possible. A proactive and continuous approach to risk and compliance oversight of third parties is now essential.

Broadening Risk Perspective

When it comes to organizational risk, strengthening peripheral vision means cultivating the ability to recognize or anticipate emerging risk trends and indicators that may currently appear insignificant but could escalate over time. To build this capability, organizations must implement a comprehensive risk monitoring strategy, draw on internal and external data sources for informed third-party risk insights, and raise risk awareness across all three lines of defence.

Relying solely on current and historical data for risk assessments yields an incomplete picture. It is therefore essential to supplement this data with insight into forthcoming trends in markets, industries, economies and global affairs.

By fostering awareness among employees of both present and future risks, organizations can proactively identify emerging threats and formulate effective mitigation strategies.

Embracing an Integrated Approach

In today's landscape, risks are not isolated incidents. They are inherently linked and often affect multiple areas simultaneously. A fragmented approach to risk management impedes an organization's capacity to see these interconnections, leading to incomplete risk awareness and ineffective GRC practices.

By integrating the various programs under a unified taxonomy and a centralized data model, organizations can discern patterns and trends in risk, understand their interconnections and identify critical intersections. This comprehensive approach supports a more efficient response strategy. Third-party assessments should cover operational, compliance, cybersecurity, ESG (Environmental, Social and Governance) and business continuity risks so that relevant insights and data can be extracted.

Using Innovative Technology Solutions to Handle Modern Risks

By integrating cognitive technologies, artificial intelligence, IoT devices, blockchain, data analytics, and intelligent tools, organizations can significantly streamline the consolidation of third-party risk data, comprehend their risk exposure and promptly respond with appropriate mitigation measures.

Automating risk management processes yields numerous advantages, including greater readiness for risk events, operational efficiencies and actionable insights for informed decision-making. Industry experts also increasingly advocate AI-driven risk intelligence to monitor third-party risks and controls autonomously.

As the business landscape becomes more interconnected and digitized, third parties face increased scrutiny from business stakeholders and regulators. Organizations must adopt a connected and continuous approach to third-party risk management, supported by an integrated, real-time view of their expanding extended enterprise.

Technology and automation can help implement this strategy and ensure thorough oversight. A comprehensive and robust third-party risk management program is imperative, with well-defined processes, policies and tools governing third-party selection and onboarding, due diligence, contractual agreements, risk assessments, monitoring and mitigation. Such measures are vital for sustaining business operations and building resilience in the face of evolving risks.

(The author is Prasad Sabbineni, Co-CEO, MetricStream, and the views expressed in this article are his own)