Two’s company… and a risk: Third Party Risk Management

By GDFM 2 August 2019

Two’s company… and a risk: Third Party Risk Management

Introduction

70 million. This was the number of customers of the retail chain Target whose contact information, and/or credit and debit card records were stolen between November 27 and December 15, 2013.[1] This was not the result of sophisticated hacking or burglary. Rather the source was an air conditioning company with just a 100 staff. The company fell victim to a simple phishing attack and, because it was connected to Target’s internal systems for billing and contract management via a vendor portal, this allowed the hackers to access the extensive information Target held on their customers.

What is Third Party Risk Management (TPRM)?

Structured process to identify, analyse and control risks presented to a company, their data, their operations and finances by parties other than the company itself or their end-consumers.

Effective TPRM involves putting in place adequate internal policies and processes, as well as assessment oversight of external parties.

Companies need to treat intra-group service arrangements the same as external vendor outsourcing for the purposes of third party risk management. Companies should also address the risks from the downstream suppliers, vendors and subcontractors used by their third parties (i.e. fourth party risk).

This case may be a particularly serious one, but it is only one among many. In recent years companies have increasingly sought to outsource activities to reduce costs, and improve flexibility and efficiency. Case studies like the Target breach highlight that outsourcing and the use of third party suppliers can also bring serious risks.

Global Regulators have recognised the risks the increasing use of third party suppliers can bring, and so have brought in guidance to help companies manage this. The 2019 European Banking Authority (EBA) Guidelines on outsourcing arrangements state that “institutions and payment institutions should be able to effectively control and challenge the quality and performance of outsourced functions and be able to carry out their own risk assessment and ongoing monitoring”.[2] The FCA Senior Management Arrangements, Systems and Controls (SYSC) requires that companies “relying on a third party for the performance of operational functions which are critical” must “ensure that it takes reasonable steps to avoid undue additional operational risk”.[3]

Putting in place appropriate Third Party Risk Management (TPRM) is therefore an increasingly important topic for companies to address. As well as managing their risks effectively and efficiently, however, organisations can also use this as an opportunity to improve their functioning and performance through supply chain optimisation.

How can third party risks be managed?

Competition is encouraging more and more companies to focus on their core competencies while heavily relying on third parties to supplement this. The result of this is that a typical Fortune 500 company might use over 100,000 external third parties.[4] Being so widely interlinked within a network of third party relationships exposes organisations to vulnerabilities and places greater emphasises on establishing effective oversight and challenge over these business functions. Ineffective oversight and control has led to more frequent incidents involving third parties, most prominently in the fields of cyber security and data breaches (particularly relevant in the climate of tighter data privacy and security requirements under GDPR). The consequences can be severe, with operational, reputational, regulatory and financial costs.

Companies should therefore understand what third party relationships they have, why they have them and what services they perform. The following suggested steps can help to achieve this by embedding a focus on TPRM within the fabric of the business’ operations:

Documented and embedded policy: Companies should have an internal policy owned by the 2^nd line and embedded within the 1^st line for execution: relationship management, service delivery management and risk assessment etc.;
Outsourcing determination: Firms need to perform outsourcing determinations and capture the inventory of the services and processes being performed and by whom (i.e. whether they are performed in-house or by an external vendor party);
Supplier and service criticality assessments: Firms need to perform an initial risk assessment of the supplier and service; a number of measures can be used to evaluate risk, including geopolitical, reputational, financial, regulatory, cyber, privacy and operational related risks. Criticality can be assessed by the sensitivity of the data the third party has access to, and by plotting the severity of a given failure by them against the probability of that failure occurring. Third parties can then be categorised on the spectrum from Non-material providers (low probability and criticality) to Material providers (high probability and criticality);
Ongoing risk assessment: This is an ongoing activity, including risk assessment, service delivery management, and communication across the entire vendor lifecycle.
- For non-material providers, after doing a full risk and criticality assessment during on boarding, it is sufficient to simply attest or refresh the assessment annually
- For material providers this would involve on-site reviews to test that the service matches what is laid out in the agreement and its control environment meets the required standards. This would also entail recurring (e.g. annual) reassessments of the provider’s risk and criticality. A 2018 survey reported that 51% of the respondent organisations use site visits as part of their process to manage third parties[5];
Service delivery/ performance management: Companies should examine their providers based on active management oversight and against key performance and risk indicators (KPIs & KRIs) in order to monitor performance.

Supply chain optimisation

Greater recognition of the risks arising from the use of third parties has forced companies to concentrate on risk management. Well publicised cautionary tales, for instance an unprotected database of Instagram users with over 49 million records on Amazon Web Services uncovered in May 2019, have highlighted the costs of ineffective monitoring of third parties.[6] However, this has resulted in less focus on looking for opportunities to optimise the supply chain.

By paying attention to supply chain optimisation, and not just risk management, companies can reap a number of benefits, including: optimum placement of the inventory within the supply chain, leveraging supplier relationships which could provide more than one service, and a reduced third-party management overhead. These benefits are especially relevant in the current cost constrained environment. The management overhead on risk management is significant. Companies should take into account vendor concentration risk, as flagged by the EBA guidelines, in the process of supply chain optimisation. This means that they should avoid outsourcing to a “dominant service provider that is not easily substitutable”, or “multiple outsourcing arrangements with the same or closely connected service providers”.[7] Supply chain optimisation helps companies to balance controlling the costs as well as the risks in third party relationships. The following suggested steps can help to achieve this:

Assess supply chain inefficiencies: Companies should assess their supply chain for inefficiencies, as well as risks. This will highlight areas of waste where savings can be made. For instance different NHS hospitals paid between 35p and £16.47 for the same single pack of 12 rubber gloves, and recognising this duplicated product purchasing led to an overall cost reduction[8];
Exiting service agreements: A broader focus in assessing their inventory of third party relationships will also aid companies in exiting service agreements. Companies can examine whether service agreements still on their books are dormant or functionally defunct. This will then allow companies to decide whether to exit such agreements and thus end the enduring risks these passive third party relationships might present;
Consolidate third party suppliers: As well as the opportunities for cost rationalisation, firms can also rationalise from an oversight perspective. By identifying third parties that can perform multiple services, firms can consolidate their reliance onto fewer third parties. In 2015 University of Oxford IT selected a single cloud service management vendor. This allowed for greater efficiency and cost savings, through moving from five or six systems to one and merging three separate IT departments;
Better supplier relationships: Firms can also build better relationships throughout their supply chain. Through probing ways to optimise their supply chain firms will develop a better understanding of their third party suppliers and the services. This knowledge can then be leveraged in negotiations, increasing the firm’s agility in choosing and switching suppliers;
Greater standardisation: Companies are beginning to develop standardised approaches to dealing with their third parties. This standardisation offers greater efficiency and consistency for companies’ supply chains, in contrast to the previous ad hoc approach. For example there is an emerging industry standard in common third party assessment templates, such as the Vendor Security Alliance Questionnaire which companies can employ to vet their supplier’s security practices.[9]

Summary

Companies’ management of their third parties need not only be a risk management exercise, it also offers the opportunity to improve performance. The suggested steps for handling TPRM and supply chain optimisation in this article can complement each other. For instance an outsourcing determination could also highlight inefficiencies and dormant or defunct service agreements. It is important to have a robust TPRM approach in place, but an overriding focus on this alone means that companies may miss out on the benefits from undertaking a broader reassessment of their supply chain.

[1] Source: What Target and Co aren’t telling you: your credit card data is still out there, Brian Krebs, The Guardian, 10 January 2019.

[2] Source: Final Report on EBA Guidelines on outsourcing arrangements, pg. 7, European Banking Authority, 25 February 2019.

[3] Source: FCA Handbook SYSC, 8.1, Financial Conduct Authority, 3 January 2018.

[4] Source: Security Risks of Third-Party Vendor Relationships, Caroline McDonald, Risk Management Monitor, September 20 2018.

[5] Source: 2018 Global Benchmarking Survey – Third Party Risk: A Journey Towards Maturity, pg. 22, The Center for Financial Professionals and Aravo, 29 June 2018.

[6] Source: Instagram: Facebook probes breach of millions of influencer accounts, BBC News, 21 May 2019.

[7] Source: Final Report on EBA Guidelines on outsourcing arrangements, pg. 41, European Banking Authority, 25 February 2019.

[8] Source: NHS spends £16 on rubber gloves which can be bought for 35 pence, Laura Donnelly, The Telegraph, 8 November 2017.

[9] Source: VSA Questionnaire 2019, Vendor Security Alliance, 22 January 2019.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.