Third Party Risk in Business Units Is Festering
Vendor management offices, risk management programs, and security leaders are all being asked to manage third party risks buried in business units. Each of them looks at the problem from its own distinct, but disparate, discipline and point of view. Discovering this risk is so difficult for one simple reason: the sheer volume of third parties.
A 2013 McKinsey & Company report focused on the effects of regulatory changes on third-party risk continues to resonate with anyone dealing with supplier risk management. McKinsey estimates that 80 percent of spending that some business units assign to suppliers can come from co-branded partnerships, joint ventures, and sponsorships. McKinsey wrote:
Collating an exhaustive list of third parties is a big undertaking. Risks cannot be assessed and mitigated until they are found, but most financial institutions have tens of thousands of supplier relationships… Supplier databases are incomplete, and some of the most sensitive risks often turn out to reside in some relationships that are not found in supplier databases.
So the issue is, where do you find all the third party risk that isn’t easily found in a database?
Understanding Supplier and Vendor Management
There are two implications here. First, these kinds of partner and sponsorship relationships likely have digital system tie-ins via web services or other Internet-enabled functionality. The security of these external systems connecting to your own is the central issue in third party risk. Attackers target vulnerabilities, holes, and any tiny opening in the applications of these systems to gain access to the bigger fish in the pond: the major corporation with heaps of customer and employee data or personally identifiable information (PII).
When these kinds of partnerships and vendor relationships occur without IT department involvement, the result is known as rogue or shadow IT. Shadow IT sets off alarm bells for CISOs who want to put the hammer down on poor business unit security, but today’s reality is that business comes first. It is the job of the security teams to help find these risks and to find reasonable ways to enable the business while simultaneously protecting it.
The other implication is that you have to have the kind of regular, productive communication with business units that shows you want to help them, not stop them from their revenue or partnership goals. The way that everyone wins is by open, service-minded communication and a “we are here to help you” perspective.
It will also take consistent monitoring and reporting, fueled by technology that is easy to use and easy to deploy. Gartner risk management research director John Wheeler recently reminded organizations of seven ways to achieve successful risk management. One of the seven is using technology for risk oversight. Wheeler wrote in April:
While technology is often viewed as a panacea for risk oversight challenges, it is most useful and cost-effective when deployed as an enabler of well-defined risk oversight activities. Too often, companies will over-engineer the supporting risk oversight processes based on a particular technology solution, resulting in greater bureaucracy and wasted investment.
One thing is clear: unidentified risks pose an accountability predicament for vendor, risk, and security leadership roles and program offices. CISOs may not want this responsibility, but now that you have a seat at the executive board’s table, it’s time to get out of the IT-only world and start linking security strategy to business performance. You need to be talking to the parts of the business that drive revenue and deliver business outcomes. It also means sharing the accountability burden with business units to find acceptable, mutually agreed-upon levels of risk.