[U]se of third parties does not diminish the responsibility [of a] board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws… OCC Bulletin 2013-29
Introduction
Everyone is familiar with the term “risk management.” ManagementHelp.Org defines it as “attempting to identify and then manage threats” which could severely damage or shut your business down. The types of data at risk include:
- Protected Health Information (PHI)
- Personally Identifiable Information (PII)
- Payment Card Industry (PCI) transactions
- Intellectual Property
Add the term “third party,” and pretty soon you get into the nebulous span-of-control realm where an outside party, originally thought of as a resource, can complicate risk management exponentially. Third parties include vendors, customers, and partners in joint ventures; even “fourth parties” (your vendors’ own vendors) enter the mix to the extent that they add exposure.
What is TPRM?
As a subset of risk management, if you outsource or rely on third parties for products, processes, or data collection, you need a third party risk management (TPRM) plan. Like ordinary risk management, TPRM is a process where you analyze and control risks to your company–its data, operations, and finances. The difference is that the threat originates outside your own company.
What are the consequences of third party data breaches?
Ask yourself this question, “Are your company’s welfare and reputation at the mercy of a third party?” If the answer is yes, you need to know what safeguards and controls that third party has to protect both its and your interests.
If you are doing business with a weak link in your security chain, you are exposed to the below consequences:
- Regulatory fines, more government scrutiny, draconian remediation. Government oversight and enforcement tends to stress making an example of those who either carelessly or purposely violate law and regulations.
- Civil litigation, criminal prosecution, class actions, jury awards. A failure of due diligence while your data is in the hands of a third party will likely make your company the “deep pockets” target of third-party claims.
- Loss of value, along with investors and customers, diversion of assets to capital expenditures. When your reputation is harmed after a security event, customers tend to go away quickly, regardless of where the breach originated.
- Damage to your reputation through press and media exposure. In public relations, as in politics, perception is everything.
- Market drift and competition shifts. While you are defending your brand, or reacting to the litigation, you are no longer attending to your core business.
What are the basic elements of a TPRM?
If Target had focused as much on information security as they did on the 2013 Christmas holiday season, they might have avoided the disastrous HVAC “leak.” There was plenty of guidance available. For example, PwC’s Comprehensive Viewpoint of Third Party Risk Management provides a roadmap and insight on how companies can manage the risks of vendor relationships.
Highlights:
Market pressures continue to drive the need for TPRM. Market drivers are the continuing “substantial reliance” on third parties. (Outsourcing is cheaper and more efficient.) But vendor-sourcing decisions frequently overlook key risks. Likewise managing third party risk is a complex process involving identifying the risks that matter, focusing on which third parties to review, and taking effective action when an issue arises.
Regulatory pressures are likewise mounting. The PwC viewpoint presents a 20-year timeline of government acts and regulations beginning with the 1996 federal HIPAA, Health Insurance Portability and Accountability Act. The timeline illustrates the increasing involvement of state governments, who have passed their own laws governing data protection. The regulatory landscape, then, is ever more crowded.
In addition to the challenge of “effectively managing vendor-related risk,” companies nowadays need to pay more attention to “stratification.” Many organizations, according to PwC, are “applying the same level of risk analysis to all their vendors,” instead of focusing on the vendor services carrying the greatest risk.
TPRM benefits to an enterprise include cost savings, quality and standardization control, reduction of risk, increased flexibility and efficiency in controlling third-party relationships, and better value to shareholders through:
- improved compliance with federal laws and regulations
- a lower profile within the regulatory community
- better training and placement of resources
What is the TPRM lifecycle?
The process is a triad of assessing, sustaining, and transforming a business’s TPRM. It begins with a program diagnostic and culminates in vendor assessments that produce a risk score for every outsourced service and vendor. The goal is a clearly focused strategy for responding to potential risks so the business stays safe and compliant.
Conclusion
In today’s business environment, it would be impossible to find a company that has no contact with a vendor or outsourced service provider. Those convenient interdependencies come with risks, and companies need to couple their risk assessment management with the realization that third parties need to be assessed, monitored, and brought into the mix–for everyone’s benefit.
Can we help you?
We’ve developed the third party risk management strategies used by many members of the Fortune 500 and have worked with major consulting firms on developing third party frameworks for use with their clients.
Learn more about our approach to Business Continuity in our Ultimate Guide to Business Continuity and then contact us today.