Another day, another report looking at challenges of third-party risk management. This time the report is from software firm Prevalent, and it’s worth some attention for the conflicting perceptions about third-party risk that it calls out.
Foremost, the report is interesting because it defines third-party risk as a cybersecurity and supply chain issue, rather than an anti-corruption and compliance issue. For example, 87 percent of respondents (about 150 people in all) said they assess third parties to assure that those parties “do not introduce risks to our business that could negatively impact us” — which is a fancy way of saying “cybersecurity risk coming up through our supply chain.”
Only 60 percent said they assess third-party risk for more compliance-centric concerns, such as data privacy regulations.
We could say that’s progress: companies now see third-party risk management as a necessity, something they should do regardless of any regulations might be forcing the issue. (Indeed, 22 percent of respondents said that within the last year a supply chain disruption affected their own ability to deliver goods and services.)
On the other hand, this report also begs larger questions: If third-party risk management is a necessity for smooth business operations, then shouldn’t we define third-party risks comprehensively? And shouldn’t companies strive for a single, comprehensive approach to third-party risk management, rather that have several different risk assurance functions all taking their own bite at the same apple?
That’s what stood out to me more than anything else in the Prevalent report: that it uses the same words that ethics and compliance officers use, to describe very different things. For example, 39 percent of respondents said they currently do not track anti-corruption risk among their third parties even though they should. But 88 percent of them do track cybersecurity risk, and 73 percent track cybersecurity risk. See Figure 1, below.
I suspect these answers are a result of who submitted responses to this survey; Prevalent said 76 percent worked in IT or IT security. But I also suspect that if we went back to those same businesses and polled their ethics & compliance or legal folks on third-party risk management, we would see very different answers.
And that’s my real concern here: we have different groups viewing the same pressing but ill-defined threat — third-party risk — in starkly different ways.
Third-Party Risk Differences at Scale
Some ethics and compliance professionals might dismiss all this as an academic point. “CISOs have their third-party risk headaches, I have mine, and I gotta get back to my due diligence investigations.”
I can understand the sentiment, but it’s short-sighted. As businesses become ever more tightly coupled to their supply chain, and operations become ever more precise in their forecasting and execution (thank you, software revolution); and the global business environment becomes more highly regulated — all that places enormous emphasis on effective governance of your supply chain.
Except, our corporate overlords in the boardroom don’t want a constant stream of reports from multiple Second Line of Defense functions, each one providing assurance over a different aspect of third-party risk. They want to know that the supply chain is under control so the organization can pursue its business objectives.
When you view third-party risk management that way, it has profound implications for compliance programs and corporate reporting. Multiple risk assurance functions — above all, ethics & compliance and IT security — need to consolidate their efforts into one unified program of third-party risk management.
That would be hard at the best of times. It involves a lot of collaboration on basic risk assessment, to understand the ways that third parties could introduce risk to your business; and a lot of detail work on crafting questionnaires for third parties, or pulling the right sources of external data, or developing the best “risk score” for each third party based on all those factors.
Then there’s the small point that regulators and investors keep expanding their own demands for risk assurance. If you’re a defense contractor, the Pentagon is about to start piling on new demands for cybersecurity risk assurance with its CMMC compliance requirement. If you’re a publicly traded company, the SEC (mark my words) is going to push for more understanding of climate change risk. And so forth.
So what’s your technology strategy to meet those compliance demands? How will you build a third-party risk management program that works today, and is robust enough to include even more expansive demands for third-party risk assurance tomorrow?
You tell me. [email protected].