Third-party risk management: proof times are a-changin’
“The times they are a-changin’,” wrote future Nobel Prize winner Bob Dylan. We cite it here because it reflects the state of business today. The signs of change are all around us, and they directly impact the dynamic relationship between your company and third parties like vendors and partners.
According to ISACA, the architect of the COBIT 5 framework for enterprise IT, “as the scope, scale and complexity of vendor relationships and services increase, the risk related to them and the importance of effective vendor management increase proportionately. Managing external vendors should be a key competency for every enterprise and can lead to optimally mitigated risk and significant benefits.”
Organizations have to rethink how they manage third parties. The risk and competitive pressures are too great to ignore. To compete and win, you have to assess the situation, adapt processes, and strike when opportunity presents itself.
There’s a battle outside and it’s ragin’
Indeed. In business, each week brings stories of advances in artificial intelligence, the Internet of Things, and quantum computing. The nature of business isn’t only the profit motive but also the quest for competitive advantage gained by adopting digital competencies.
McKinsey calls it the “digitization of industries” and paints a global picture of winners and losers. The winners are the companies and industries going digital. The losers are the companies and industries that tiptoe into digital. The battleground is digital adopters collaborating with more nimble third parties to compete and run faster.
Better start swimmin’ or you’ll sink like a stone
Dylan sang about standing up to the status quo. For business, it’s a mantra for taking action instead of inaction. No company wants to suffer through a bankruptcy or a fire sale of assets.
In an attempt to take action, most companies will pursue a broader adoption of third parties to innovate and gain efficiencies. With this explosion in valued partners, affiliates, vendors, suppliers, etc., it begs the question: are you a company or an enterprise?
Seeing your company as an enterprise means shouldering the burden of risk and performance. That’s why the third-party risk assessment, designed to help manage risk and spell out performance requirements, needs to evolve in areas like frequency and information security.
Reliance on a daily assessment like the one offered by SecurityScorecard exemplifies this. It collects and correlates data from hundreds of information security risk indicators and then produces a daily security rating on each third party that any student would understand: an A-F grade.
Success at evolving how you assess third parties is akin to swimming laps around the competition.
The slow one now will later be fast
In his last stanza that starts with ‘The line is drawn’, Dylan presents a view of the present and the future. It’s a hopeful message to the downtrodden citizenry.
In business, the message is that from disorder can come a new order: any organization can start from the lowest level of digital adoption and rise to the top. From a third-party risk management perspective, that means ditching manual processes like spreadsheets and point solutions that fail to integrate across the enterprise. You need a technology platform that’s designed for integrated risk management and can equip you to start conducting enterprise-wide risk assessments. You need assurances that third parties will continue to meet their obligations and have contingencies for service interruptions.
The right platform with an advanced third-party risk management process can help you meet the challenges around the corner and down the road. With regulations like GDPR going into effect May 25th, you may need confirmation that third parties are adhering to GDPR’s data protection requirements. Breach notification rules vary from GDPR’s 72-hour rule to HIPAA’s two-tiered notification based on the number of affected individuals. The point is, the right platform helps streamline and automate the compliance process.
Next year and the near future will bring about the continuing digitization of industries and the growing reliance on tech-oriented third parties. Dylan’s “The times they are a-changin’” resonates today for businesses that are increasingly relying on third parties and adopting digital competencies in order to remain competitive. To paraphrase Dylan, you may be slow, but later you may be fast.