5 best practices for third-party data risk management
It’s no secret that businesses today face an unprecedented range of risks due to changing macro- and micro-level dynamics in business, government and technology. Such developments include the acceleration of global interdependencies, data pervasiveness and saturation, data breaches, cyber attacks, supply chain disruptions, customer losses and shifting regulatory requirements in global jurisdictions.
All of these factors necessitate a smart, scalable and nimble risk mitigation strategy. Chief among those considerations, for many companies, is identifying reliable third-party suppliers and service providers to help manage business operations while focusing on strategic and growth imperatives.
Recent events leading to overshared data, breached data, operational failures and other incidents have prompted many businesses to re-evaluate how they approach third-party risk management (TPRM) as many of these situations were attributed to a third party. As such, boards of directors and their C-suite teams understand the critical need to be more focused and informed about their third parties, related risk management activities and key decisions, especially for those third parties deemed critical to the organization.
EY recently conducted its sixth annual global financial services third-party risk management survey. In a nutshell, it shows that many companies are continuing to make upgrades to the governance and oversight of this function. Yet, it’s clear that formidable challenges remain. To help businesses stay ahead of the curve, outlined below are five leading practices in third-party risk management from which organizations can benefit:
1. A comprehensive platform approach works better than solving individual problems with individual solutions.
Companies can’t solve individual problems with individual solutions or legacy GRC (governance, risk management and compliance) systems anymore. It is simply too expensive and non-comprehensive. There is a need for organizations to integrate technologies, tools and multiple systems toward a platform approach to tackle third-party issues in totality across the life cycle of the business process.
As institutions go through handoffs from a third-party contracting system to a risk management system — to either an issue management or a performance management system — these activities must be seen in the totality of the process. Trying to solve for technology capabilities in individual silos is insufficient and counterproductive. A clear end-to-end view and a focus on technology integration are essential to continued operational maturity.
2. Have one decision-making authority.
Decision ownership regarding third-party engagement is a complex topic that varies across organizations and is often forgotten in the context of a comprehensive operating model. For instance: Who is responsible for policymaking? Who takes care of strategy? Who owns the technology?
Organizations tend to falter when using decentralized programs or surrendering decision-making authority to specific subject-matter expert groups, which can be difficult to reverse. When groups of people within a business relinquish ownership, there is widespread confusion relative to who has the decision authority to effect change across an enterprise and notable inconsistencies in the execution of program expectations. This results in inefficiencies and a lack of accountability.
We have all heard the saying “it takes a village,” but in business, if everyone is accountable no one is accountable. Conversely, organizations that centralize these functions and draw clear responsibilities about who has decision authority are in better control of third-party management strategy, maturity and direction.
3. Keep the board aware of third-party breaches and incidents.
The scope and magnitude of third-party breaches carry significant financial, operational and reputational costs — necessitating more focused board involvement. In a practical sense, this means integrating third-party risk discussions into meeting agendas and articulating clearly for boards the potential risks across functions and operations that are related to critical third parties. Essentially, they need the “top line, big picture” scenario to make the best use of their time.
Since boards are typically removed from day-to-day business activities, they need a quick and efficient way to digest this information, with the right data points. Organizations should institute a practice of sharing a list of critical third-party providers and the areas of business they are overseeing, including key highlights or shifts in risk and/or performance. This will give the board the context, visibility and information necessary to make informed decisions about overall risk management approaches and how best to engage third-party risk providers.
Leading organizations also educate their boards on emerging risks to provide color for third-party-related decisions. For example, what is the organization’s cloud strategy and how might it and the related risks and underlying providers change looking out 12 to 18 months?
4. Consider fourth-party risks.
The ubiquity of data and efforts by regulatory bodies to ensure data privacy and protection (recent GDPR measures) means companies need to know where their data is and how it’s being used — at all times. As such, organizations may want to consider the risks beyond third parties and look into mapping their data and dependence networks to fourth, fifth and sixth parties. To obtain a more holistic sense of related risks across this network, organizations should be reviewing their third parties’ TPRM programs and understanding not only their third parties’ critical dependencies but also how data is being handled and used.
5. Have a solid plan to meet greater regulatory requirements regarding data.
Recent GDPR measures will strengthen and accelerate data privacy measures — necessitating a robust, comprehensive plan to better govern data. Organizations routinely deal with customer data involving multiple service providers; as such, they are responsible for safeguarding sensitive information. In most scenarios, end customers are unaware that they’re dealing with a third party that has access to their information.
Credit decisions, fulfillment and delivery of products, customer service call centers, collections and statement processing are all examples of activities that can be outsourced to third parties. Therefore, it is critical to have an established process and plan in place that compel third parties to meet your organization’s risk standards — whether they are related to customer data, IT vendor management or resiliency expectations, among others.
Light at the end of the tunnel
While organizations are working toward maturing their TPRM functions to meet and exceed regulatory requirements and thwart operational, reputational and financial risks, the complexity of managing third-party risk is only slated to increase over time.
While this is no doubt daunting, there is a real opportunity for businesses to take better control of their third-party risk management relationships, which can lead to cost savings now — and over time by avoiding expensive breaches. This includes being proactive about assessing current third-party relationships; developing a clear plan that engages a range of internal stakeholders, including board members and the C-suite meeting regularly to review potential risks; and instilling leading practices.