According to Deloitte, three main factors have led to an increased focus on third-party risk in recent years. First, the economic downturn of 2008 caused organizations to look for ways to reduce internal costs by pushing more business activity to third parties. Second, regulatory scrutiny of third-party relationships and their management has increased, including higher fines and sanctions for violations related to third-party management. Third, organizations are increasingly concerned about the fallout from third-party failures or security breaches and the effect these problems could have on their reputations.

However, while corporate boards are taking a greater interest in risks from third parties, this has yet to translate into clear accountability for, or oversight of, those risks. It is still all too rare for a company to have an overarching view of the risks associated with its third-party relationships.

The Need for Effective Insight

To ensure effective oversight of third-party risk, an organization's top executives must be fully aware of and involved in third-party management. Although aimed primarily at financial institutions, the updated guidance from the Office of the Comptroller of the Currency, published in 2013, applies to all organizations that engage in third-party relationships. It calls for organizations to adopt robust risk assessment and monitoring for all third-party relationships, and it urges companies to ensure that boards and directors receive adequate reporting on those relationships and that the relationships are fully integrated into enterprise risk management and compliance frameworks.

Further, it is crucial that a wide range of roles and business units throughout the organization are given responsibilities for third-party management. This must be done in an integrated fashion rather than through the siloed approach that currently exists in many businesses. The process should include the individuals responsible for procurement and supplier management, those responsible for compliance, information security, and business continuity risk, and both internal and external auditors.

Maintaining Defenses

KPMG has developed a "three lines of defense" model that allows organizations to better define roles and responsibilities for risk while gaining more effective oversight of third-party risk. The first line of defense is the business owners, who are responsible for complying with risk management processes and procedures, implementing actions to better manage risk, and identifying emerging risk. The second line of defense involves those in the organization who hold oversight positions, referred to by KPMG as "standards setters." People in these roles are responsible for establishing policies and procedures for risk management and for providing insight into which areas of risk the organization faces. They are also responsible for identifying enterprise trends, synergies, and opportunities for change in order to better manage third-party risk. The third line is the internal and external assurance providers, who independently evaluate and attest that risk management processes are adequate and appropriate.

Third-party risk was identified as the eighth most formidable risk faced by organizations in the Aon 2015 Global Risk Management Survey. This was the first time the issue entered the Top 10. Greater regulatory oversight and increased competition, which drives the need to cut costs, are key factors in its rise in importance, and these will keep attention on risks from third parties for years to come. Professionals who manage risks in silos or in a piecemeal fashion will likely find themselves battling against the tide.

Businesses can remain competitive and avoid the increasing scrutiny of regulators and shareholders only by developing a risk management framework that provides effective oversight of third-party risk and ensures an integrated approach is taken throughout the organization.

The post The Importance of Effective Oversight for Third-Party Risk appeared first on Speaking of Security - The RSA Blog and Podcast.
