By Lee Bristow, CTO of Phinity
If your business uses third parties to support core operations (and most do, from SMEs to corporates), you’ll know they need to access essential data. Without this, they can’t deliver the services you require.
Therefore, alongside this new relationship between you and your third party suppliers, comes a new responsibility for you.
You now have an ethical and legal onus to protect the customer information entrusted to you.
Data breaches are going up.
The devastation that a data breach leaves in its wake is obvious. And the media reports that accompany data breaches leave no doubt as to the financial and human consequences.
At the same time, ongoing research into risk management, auditing, information security and supply-chain risk management hasn’t stemmed the data breach tide. Instead, numbers are going up. In March 2021, Lexology reported a 10 percent increase in data security breaches in the EU and UK in 2020.
Suffice to say, this is a problem that isn’t going away.
Third-party risk management (TPRM) is often considered a procurement issue.
As organisations outsource more operations, almost all significant risk factors are affected.
The outcome is that all businesses must rely on complex relationships with multiple third and fourth parties (such as subcontractors) to deliver any service or solution. The keyword here is “complex”.
South Africa is presently in the news because of the Omicron variant. But the country also provides a cautionary tale about just how susceptible businesses are to data breaches via third parties.
Journalist Pierluigi Paganini detailed how one of South Africa’s largest banks, Nedbank, was impacted by a relatively small organisation that provided SMS marketing services.
The provider, Computer Facilities, experienced a security breach that affected 1.7 million Nedbank customers.
Nedbank landed all the bad publicity.
But the problem was not with the bank’s information security capability.
Rather, it was with the third party.
Large organisations, such as banks, have intricate, cross-team processes that frequently don’t support a risk-based approach. Procedures are too rigid and don’t cater to smaller start-ups, sole traders and niche suppliers.
Without automation, a quick, balanced and proportional response at scale is almost impossible.
To respond well to a data breach, several factors need to be considered. These include:
- Organisational size
- Service type being provided
The current state of TPRM.
TPRM began as an information security problem. Then it became a privacy problem.
And now it’s a challenge that involves the entire organisation.
One of the traditional approaches to TPRM involves using legal means to manage third-party risk.
And legal contracts are an essential part of any third-party relationship management process.
However, once the data has left the building, enforcing a contract amounts to little more than beating the third-party with a stick. The data is already gone.
There is overwhelming statistical evidence and academic literature that highlights how ineffective and impractical current approaches for dealing with TPRM are. Take the latest survey from Deloitte, for example.
Key findings include:
- 29 percent are putting greater focus on ethical responsibility.
- 17 percent had faced a high impact incident relating to third parties.
- 47 percent are adopting third-party risk management to be a more responsible business.
- 59 percent believe third-party processes are not flexible enough to assess all third-parties.
- 41 percent invest in third-party risk management to reduce costs.
- 54 percent are prioritising risk domain ownership and coordination.
- 57 percent of respondents are establishing a centre of excellence to support federated operating models.
The building blocks to a better way: ethics and automation.
A better solution, and one with the ability to truly curtail data breaches, is to view your third-parties as strategic to your success.
Currently, most businesses manage third-party risk at a siloed level.
The same Deloitte study found that 65 percent of programmes were funded by information security budgets. Often there is little focus and investment in a robust TPRM programme, as the business can’t see the value yet.
Thankfully, there is a growing trend to adopt robotic process automation (RPA) to make these processes more efficient.
Combining risk management with RPA supports proper stewardship of third parties, and puts far more power in the hands of the organisation.
Then comes behaviour, the other essential piece of the puzzle.
Questioning whether the third-party operates in a way that aligns with your company’s ethical standpoint is a good start.
It’s encouraging to see that many organisations are already creating centres of excellence that include ethical codes of conduct for employees.
When integrated into a TPRM programme, these codes can act as behaviour markers for possible future risks. Hence, these markers can highlight just how sustainable a relationship with a third party might be.
Quite simply, you’ll know from these markers whether you should begin a relationship with a third-party in the first place.
Pulling together the strands of risk management and ethics ensures greater transparency between parties, resulting in open and trusting relationships.
We see this in our own personal relationships, where we can handle close engagement with a few people in our lives.
But when it comes to managing relationships with thousands of third-parties, and tens of thousands of people across networks, we need a structured discipline.
The answer is to combine TPRM, RPA and ethics into a single platform that creates this structure.
The bottom line is clear.
The cost of implementing the correct frameworks is far outweighed by the cost of security breaches, fines, loss of trust and brand damage.