Third parties add a layer of complexity and risk that can lead to many different types of disruptions and business impacts. Organizations are becoming a complex tapestry of products and services, processes and technologies provided by third parties and this complex and changing ecosystem makes it increasingly difficult to clearly manage risk. The recent SolarWinds breach is an unfortunate event that highlights the challenge organizations face today in the combination of cyber-attacks and third party risk. This event highlights three major areas of IT, security and risk management.
Organizations must be constantly vigilant for cyber-attacks from many different threat vectors and actors.
Organizations must understand vendor and supply chain relationships including not only suppliers of components of their products and services but also software and IT services providers.
Business resiliency including continuity and crisis management must be ingrained in the organization to deal with a wide variety of events - from physical events to IT disruptions.
In this example, the connection between different dimensions of risk management is evident. Unfortunately, third party risk management can be a resource challenge. As your organization spreads its connections to outside parties, inherited risks become a significant issue.
Organizations struggle to efficiently manage and govern these third parties because traditional methods aren’t scalable. Many times, third-party relationships introduce unpredictable, inherited risks that can lead to surprises and potential losses. When third-party oversight is managed differently across an organization, it creates gaps due to inconsistencies when identifying, assessing, and managing risk from the third parties. Finally, with inconsistent and incomplete governance processes, organizations cannot get a complete and accurate view of the risks introduced by third parties to their organization.
Fundamental to the strategy of dealing with third party risk is a clear view of your third-party ecosystem such as vendors, consultants, and service providers. Formalizing third party risk management via integrated processes enhances all of risk management. Better yet, resources can be focused on the most important and impactful activities. When we look at Archer customers, enterprise and operational risk management is a prevalent entry point for third party risk management. Our customers who own enterprise and operational risk management use cases are almost twice as likely to own third party governance use cases. IT and security risk management use cases are another adjacency we see. Almost 40% of our IT and security risk management customers also own third party use cases.
As regulators are establishing increasingly higher standards of accountability for the oversight of third-party relationships, expanding your strategy to third party risk management is especially pertinent. While many organizations have some programs or risk assessment processes in place related to third party risk, the wide spectrum of potential business impacts requires organizations to take a step further towards third party governance. Enterprise and operational risk, compliance or IT risk programs are excellent steppingstones to begin integrating third party risk management efforts.
If your organization is struggling with any kind of supply chain or third-party disruption, read our short paper on suggestions to refocus your organization on the basics of vendor and third-party risk management. In addition, you can read this complimentary Gartner report: “Monitor Key Risk Criteria to Mitigate Vendor Failure.”