All organisations rely on vendors or third parties. They provide organisations with resources or capabilities that they don’t have, enable them to be competitive by leveraging their specific area of expertise, and allow them to focus on their core strengths.
Those resources and capabilities allow organisations to deliver critical services to their customers – but it also means that disruption to any one of those vendors may affect the resilience of the organisation’s own operations. In fact, supply chain attacks are now the preferred method used by threat actors.
How can organisations achieve visibility over all the links in their supply chain, identify the weak links that might undermine their operational resilience, and forge stronger links?
Recently, in the UK, we’ve seen regulatory changes come into force with emphasis on third party risk management to achieve operational resilience, such as the PRA’s Operational Resiliency Rules and FCA’s Consumer Duty compliance. These new regulations have placed Third Party Risk Management (TPRM) firmly in the spotlight. Therefore, it’s never been more important for organisations to identify, assess, and manage the risks associated with third parties and related supply chains – in fact, it is now expected as a given.
An inadequate TPRM programme can lead to significant repercussions, such as financial ramifications, harm to reputation, and legal obligations. A good example is when a vendor experiences a data breach, resulting in the compromise of sensitive customer information, causing trust and revenue to plummet. Likewise, if a vendor fails to comply with regulations, the organisation may face substantial fines and legal consequences.
An example of this occurred in 2022, when Okta faced a major security incident after being compromised by a third-party vendor: its source code was accessed following a breach of its GitHub repositories. The hackers used this malicious access to copy code repositories associated with its security solution. Okta had previously been targeted by the Lapsus$ extortion group, which gained access to the account of one of Okta’s third-party service providers and posted screenshots of Okta’s apps and systems.
Tech giant Microsoft is a frequent target of cyber attacks, which further demonstrates the rise in software supply chain security breaches. In 2021, the company experienced a series of breaches, known as the HAFNIUM attacks, which compromised the on-premises Microsoft Exchange Servers of 30,000 global organisations. Hackers accessed employee email accounts and installed malware to facilitate long-term access. Months later, 38 million records were exposed due to a vulnerability in Microsoft Power Apps. In this case, the hackers gained access to COVID-19 testing, tracing, and vaccination records, as well as employee information for major organisations using the tool, such as Ford Motor Company, American Airlines, and the New York Metropolitan Transportation Authority.
A third party can be anyone from contractors to consultants, suppliers to vendors. Of these, vendors are usually where most risk lies. Nevertheless, there are a set of guidelines that can help you minimise risk while boosting resilience, efficiency and transparency.
Introducing and building a TPRM with integrity
TPRM encompasses the identification, evaluation, and reduction of risks associated with external parties. Recently, this has extended to include fourth and fifth parties to ensure that even the suppliers’ suppliers don’t pose potential issues. TPRM adopts a comprehensive approach that surpasses conventional vendor management practices, such as overseeing service level agreements and renegotiating contract terms during renewals. It aims to proactively manage and mitigate risks across the entire enterprise.
TPRM involves a structured and systematic approach to managing risks associated with third parties. The lifecycle of risk management involves three main stages – pre-onboarding, ongoing monitoring and offboarding. Each of these can be broken down into specific phases, covering identification, due diligence, SLA compliance, contract renewals, ongoing risk assessments and much more.
When introducing a TPRM programme, organisations should begin by defining its scope: which potential partners are involved and the types of risks that need to be managed. Identify the key internal stakeholders and secure their buy-in from the outset. Then, assess your current state, develop a roadmap and build your TPRM programme and policies accordingly.
This will necessitate the establishment of specific processes and criteria for the partner lifecycle, such as:
- The criteria, thresholds and tolerances when assessing the tier of a vendor
- The standard of documentation and evidence you expect from vendors
- The extent of due diligence you require for different tiers of vendors
- The types of risks you want to assess, and the way these risks will be assessed
- The criteria to inform Go/No-Go decisions
You’ll also want to define monitoring and assessment procedures for the duration of the partnership. How best can we deliver on these principles? Simply put, find an enterprise risk management (ERM) specialist who will do most of the heavy lifting and automate some of the more monotonous aspects of the programme. It is perhaps ironic that when it comes to managing partner risk, the best first step is to find an ERM partner, so don’t forget to do due diligence on whoever you are considering.
Reaping the rewards of TPRM
The benefits of having a robust TPRM programme in place include:
Enhanced risk management and resilience: TPRM delivers a holistic view of your partner ecosystem, identifying potential risks that may arise across the network. While addressing a single partner with inadequate cybersecurity measures is important in the short term, having multiple weak ones can lead to disastrous consequences. By identifying these risks early on, organisations can take proactive measures to manage them effectively and prevent potential disruptions to their operations.
Cost savings and efficiency: Relying on manual processes to assess and monitor vendor risks is tedious and inefficient. Typically, these manual procedures rely heavily on spreadsheets and can lead to challenges such as lost emails, resulting in data gaps and incomplete information. TPRM introduces automated, streamlined processes that reduce the likelihood of incidents such as disruption to operations, data breaches, and compliance failures caused by third parties. Automation means employees can focus on higher-value tasks, lowering costs and improving efficiency.
Controls assurance: Streamlining the process of meeting due diligence and audit requests gives confidence to customers and prospects and reduces audit fatigue. Controls assurance also helps to build a risk-aware culture within your organisation by increasing staff awareness of risk and controls and driving improvements for you and your customers.
Greater transparency: A rigorous TPRM programme will enable greater visibility into your partner ecosystem, providing insight into each partner’s risk posture and the associated impact on your business; real-time resource and activity status; and an aggregate view of the entire environment. Such transparency ultimately leads to better operational resilience and improved business outcomes.
In today’s increasingly interconnected digital world, organisations depend on relationships with multiple partners. However, this brings with it a greater level of risk, ranging from malicious actors to human error – and these risks are always on the rise. By implementing a strong TPRM programme, organisations will have peace of mind as they continue to expand partner networks across the supply chain.