Most of the stress in our lives comes from trying to control things we don’t have control over. As individuals, there are a range of tools available to help us cope with change and deal with things that are out of our control. As organizations, however, we need to understand and find ways to manage things that are technically outside of our direct control.
We live in a highly connected world where collaboration and partnerships are an essential part of how, and how quickly, we work today. When we engage in these types of business relationships, though, we need to share data, information and sometimes even system access with people and businesses outside of our organization. More and more, our ability to do this in a short time frame is becoming a business differentiator, but of course, this brings with it several new dimensions of business risk. In this environment, third-party risk management is becoming a huge area of focus within cybersecurity. Regulatory frameworks, both locally and globally, are also catching up and insisting that third-party risk be included in control reviews and statements of compliance. So, with the pressure of speed to market and the huge potential attack surface that is opened when we share data and systems, how can financial services organizations best manage their third-party risks?
Much like individual stress, the best way to start is to control the risks we can, really effectively, and to be clear about those we can’t. This will allow the business to make an informed decision about whether to support a third-party agreement. So, although it may sound somewhat counter-intuitive, the best place to start when it comes to assessing third-party risk exposure is with yourself. You should consider questions such as: do you have a comprehensive list of all third parties that take or use your organization’s data? Do you understand which systems have third-party access? Do you have a good grasp of shadow IT? Once you are confident you have an accurate map of where all your data is and who has access to or uses it, the real work can then begin.
Approaches to third-party risk management
Most third-party risk is managed by sending out questionnaires asking the third parties to identify where they might have processes or systems which may create a risk. The issue with this approach is that the questionnaires are often not based on a good understanding of the risks they are trying to control, or they are either too complicated or too generic to effectively identify all areas of risk. An alternative approach – one which will save more time in the long run and help identify risk more effectively – is to interview the people requesting access first, to better understand what they are trying to achieve. Armed with this information, you can then assess whether the same outcome could be achieved by limiting the data shared with the third party, or by finding a way to secure the information before sharing it, for example by obfuscating or encrypting it. Again, the idea is to start with the elements within your control – your own data and how it is shared or encrypted, in transit and at rest. The benefit of this approach is that you may identify areas where existing or tweaked data controls or processes can avoid the need for investment in new systems. Third-party questionnaires absolutely have their place, but you need to make sure the questions are relevant, unambiguous and up to date. This leads us to the second part of the process: the management of workflows in third-party risk.
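As an added illustration of "limiting the data shared" and "obfuscating it before sharing" (example code written for this article, not a tool the author describes), the snippet below takes a set of constructed customer records, keeps only the fields approved for a stated purpose, and replaces the customer identifier with an HMAC-based pseudonym. The purposes, field allow-lists and the records themselves are hypothetical; the HMAC key stays inside your organization, so the third party can still join records on the pseudonym but cannot recover the original identifier.

```python
import hmac
import hashlib

# Constructed sample records for the example; not real customer data.
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "dob": "1980-04-12", "account_balance": 1523.40, "postcode": "SW1A 1AA"},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "dob": "1975-09-30", "account_balance": 98.00, "postcode": "EH1 1YZ"},
]

# Hypothetical purpose-to-field allow-lists. These come out of the interview
# with the people requesting the access: what does the third party actually
# need to achieve the outcome? Anything not listed is never sent.
PURPOSE_FIELDS = {
    "marketing_analytics": {"customer_id", "postcode"},
    "balance_reporting": {"customer_id", "account_balance"},
}

# Fields that may leave only in pseudonymised form, never in clear text.
PSEUDONYMISED_FIELDS = {"customer_id"}

# Fields that must never appear in a shared dataset under any purpose.
NEVER_SHARE = {"name", "email", "dob"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same input + same key -> same token.

    The key is kept in-house, so only you can map a token back to a customer.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_for_sharing(records, purpose: str, key: bytes):
    """Return copies of the records containing only the fields approved for
    the given purpose, with identifiers replaced by pseudonyms."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"purpose not approved for sharing: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    shared = []
    for rec in records:
        out = {}
        for field in sorted(allowed):
            if field not in rec:
                continue
            value = rec[field]
            if field in PSEUDONYMISED_FIELDS:
                value = pseudonymise(str(value), key)
            out[field] = value
        shared.append(out)
    return shared


def leaked_fields(shared_records) -> set:
    """Pre-release check: report any never-share field that survived
    minimisation. An empty set means the export is clean."""
    leaked = set()
    for rec in shared_records:
        leaked |= NEVER_SHARE & set(rec.keys())
    return leaked


if __name__ == "__main__":
    # In practice the key lives in your secrets store; constant here for the demo.
    demo_key = b"in-house-pseudonymisation-key"
    export = minimise_for_sharing(CUSTOMER_RECORDS, "marketing_analytics", demo_key)
    for row in export:
        print(row)
    print("leaked never-share fields:", leaked_fields(export) or "none")
```

Because the pseudonym is keyed, the same customer receives the same token in every export you produce, so the vendor can correlate their own results across deliveries, while re-identification remains something only you can do. Rotating the key deliberately breaks that linkage, which is a useful lever when a relationship ends.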
Workflow management is a very important element of third-party risk. Understanding which risks are your highest, and therefore need to be addressed first, is critical. Accidentally classifying a high risk as a low one could have a disproportionate impact on your business, so it is important to carefully review your criteria to make sure you are categorising risks correctly. It’s also important to understand that risk triaging isn’t static. Following completion of some risk assessments, it may be found that a vendor or system initially classified as low risk has far more integration with or connection to other systems than initially identified, and should therefore have its risk category upgraded. Managing risks in context and understanding the whole risk picture is essential to managing third-party risk as effectively as possible.
Finally, the most important step is bringing it all together. It’s easy to spend a great deal of money on managing third-party risk without seeing a great deal of return. Instead of just filling out questionnaires and recording the results, organizations should think about including further interviews and process reviews once they understand the full risk picture. Often, risks can be mitigated more effectively by better controlling access to data, rather than asking the third party to manage the risk and creating a situation you don’t have control over. Taking a holistic view and understanding which data and systems are connected enables you to continually lower the risks from third parties and, as a bonus, enables business agility. And having an information security or risk management team that enables business agility can ultimately make a huge difference to the success of the business.