Effective Third-Party Risk Management During COVID-19 and Beyond

Paul Kooney, Managing Director Security and Privacy
Brian Kostek, Managing Director Risk and Compliance

Organizations that rely on third parties to perform key services or deliver critical goods have had those relationships tested in 2020, as the COVID-19 pandemic caused critical vendors to become temporarily unavailable, to change how they provide services, or to go out of business altogether.

Exports from China and other countries have been heavily impacted as factories were taken offline due to sickness or mandatory shutdowns. This has caused shortages ranging from essential goods, such as Clorox wipes and toilet paper, to shipping delays of anything from auto parts to medicines. And cyberattacks have not abated as hackers continue to look for exploitable weaknesses in hastily provisioned remote working environments or other opportunities.

To effectively manage such risks, companies need to rise to the occasion and embrace innovative third-party risk management (TPRM) technology and techniques.

Effective Third-Party Risk Management

Today’s business ecosystem is built on third-, fourth-, and even fifth-party relationships. It is important to assess these relationships and prioritize them, not only for compliance reasons, but to determine which are most important to the company’s value proposition. An effective assessment should not only identify key risks, but also the critical points of failure by examining shifts in production, product offerings and delivery; verifying and validating backup plans; and then continuously monitoring to stay ahead of the risk curve.

Effective TPRM requires a clear understanding of the critical inputs and outputs third parties provide in the supply chain, and the controls that are in place to avoid failure at those points. TPRM must ensure that there are backup plans to mitigate those risks, especially in cases where backup vendors or the ability to bring a process, product or service in house is required to meet market demands.

During the pandemic, for example, the move to remote working has created conflicts between contractual requirements and the security of the infrastructure now being used. Those conflicts necessitated the creation of mitigating controls to ensure that the vendor is able to maintain access to its employees and that its supply chains and data security remain intact and functioning effectively. That includes making sure vendors are still providing the right level of access, the right security controls and the right compliance controls – across geographies, power grids and technology platforms.

Although many of these changes were necessitated by the pandemic, the conversations and process improvements created in response to this temporary situation have accelerated, and brought to light, the need for companies to evolve from manual annual risk profiles and periodic questionnaires into more active, automated, continuous oversight. Dynamic monitoring of third-party risk ensures that critical vendors are reacting to changes in the risk environment and are able to continue to meet their obligations over the long term.

TPRM and Business Continuity

Although TPRM is often viewed as a compliance function, third parties also play a significant role in business continuity and information security. Organizations that understand the overlaps and maintain a continuous feedback loop among these three disciplines will be the most resilient and adaptive in times of disruption and change.

A problem recently faced by a Protiviti client illustrates the connection between resiliency and business impact analysis well. A cloud-based chat tool run by a third party went offline, effectively shutting down a main business function of the client. This critical failure occurred because the reliance of the business on this third-party tool was not properly captured in the company’s TPRM business impact analysis. A Protiviti team helped the client factor this in and design mitigations to prevent such a disruption from happening again. This kind of integration is invaluable in ensuring business continuity and resilience, and even more important in the environment we’re in today.

Many organizations have had to perform this kind of integrated analysis as they transitioned rapidly to a remote working environment. This was a difficult process in the heat of the moment. On the upside, the exercise has elevated the general level of knowledge on the topic, and going forward, companies are going to be asking smarter questions, not because they are required to but because they know it is important. Companies will emerge with a better understanding of the inherent risks involved in their relationships with third parties and the value being generated by those relationships that requires protecting.

Doing More With Less

With the likelihood of unpredictable events – pandemic, socio-political, economic – rising, and as regulatory requirements become more complex, there is an expectation that companies move away from traditional check-the-box annual TPRM compliance reports to a more active and ongoing understanding and verification of how third parties are adhering to requirements and meeting the demands of the business.

Knowing what to do and having the resources to do it, however, are two separate challenges. There is an existing workload that is not going away – attackers have not stopped trying to compromise systems, for example, and those systems still need to be monitored. The number of third parties and third-party risks continues to grow, even as resources are being scaled back. The objective, as always, is to do more with less. The good news is that there are tools that can help.

Companies should be evaluating all manual TPRM processes with an eye toward automation. Continuous monitoring would be difficult if not impossible using traditional manual data gathering via questionnaires. By setting up automated data flows, feeds or other mechanisms, companies can continuously hold third-party vendors accountable to contractual requirements, rather than trying to verify them after the fact or with annual spot checks. The same tools can be used to monitor data security and privacy, using different data points.

Industry consortiums are stepping up to provide affordable data points, and it is likely that new operational and compliance control frameworks will arise, similar to COSO and NIST, providing common controls that can be shared more broadly among different organizations.

Although much of this discussion about third-party risk currently has been precipitated by the COVID-19 pandemic, many of the changes discussed are likely to be permanently adopted. One lesson that has come out of all of this is the idea of TPRM as a business enabler. Instead of just thinking of it as a compliance requirement, companies are realizing that getting better information from and about their third-party vendors, and getting that information faster, enables them to make better business decisions and continue to serve their customers securely and without interruptions.
