The Expanding Business Ecosystem
In this blog series, I use SR Bank (Some Random Bank) as an example organization undertaking a series of digital initiatives to unlock new value for its customers and pursue opportunities in the market. A major part of SR Bank's strategy relies on an ever-expanding ecosystem of third parties that broaden and optimize its capabilities: external partners that help it grow and compete, and specialist consultants who enhance the business. These sit alongside an array of other providers, from utility services and contractors to seasonal workers and custodial services at its branches. The benefits are plenty: cost savings, an extended labor pool, expertise and innovation.
These relationships also complicate the organization's existing risks and invite closer scrutiny from its regulators. Each third party brings its own nuance of digital risk: some require new network connections or access to internal systems, and many share data. As SR Bank's digitally connected ecosystem grew, it needed more efficient, risk-based governance, because the bank's usual methods of risk management did not scale to a growing third-party ecosystem. This was the challenge placed on a set of key individuals across the enterprise.
The Different Dimensions of Managing Digital Risk
Third-party risk is a common topic in discussions of the key issues challenging organizations today. SR Bank's situation is a good example of the multiple dimensions of risk at play in digital expansion, and the different stakeholders in this scenario feel different pressures and priorities.
Theresa, the Chief Risk Officer, is concerned about the risks inherited from these emerging, and increasingly critical, vendors. Her view into those risks, and into potential systemic issues, diminishes daily as new providers and vendors are added to SR Bank's already challenging ecosystem. Her concerns run the gamut of risks arising from third parties: data breaches, fraud and theft, business interruption, regulatory compliance violations, reputational damage, and failed strategic objectives caused by poor performance. These risks are fast-moving, complex and often unforeseen because they emanate not only from her own organization's activities but also from the third and fourth parties engaged in SR Bank's business.
Information security is already a growing concern, and adding third parties to the mix creates another layer of challenge. Charles, the Chief Information Security Officer, implemented vendor security risk assessments to identify potential areas of concern, but his manual processes are falling far behind. Even the mix of security technologies his team has deployed complicates matters: they implemented many layers of defense, yet rationalizing those investments and showing 'bang for the buck' is getting harder, and the additional data flowing in makes it increasingly difficult to act on what is important. His team grapples not only with how to identify security risks quickly and effectively, but also with keeping up with the constant churn of new identities and devices from third parties accessing SR Bank's systems. Customer-facing systems have priority, but there is also a host of new internal applications, cloud services and other business support systems that must be secured.
Finally, several other stakeholders have skin in this game too. Sharon, the Chief Information Officer, is concerned about the API environment the bank is building and supporting for more and more external parties. This emerging web of connectivity not only has security impacts, it also affects the bank's resiliency. Legal and compliance implications concern Paul, SR Bank's Corporate Counsel: as more customer data is collected and shared with external parties, data privacy has become a daily discussion, on top of the regular slew of regulatory concerns he already has.
In short, the growing number of third parties in the ecosystem, the complexity of the relationships, the increased regulatory scrutiny and the myriad ways risk can arise from third-party relationships all increase the likelihood that SR Bank will be adversely impacted by an outside party at some point in the relationship.
An Integrated Approach to Manage Digital Risk
This is not an uncommon scenario across risk domains. Whether the domain is third-party risk, cybersecurity, compliance or resiliency, different stakeholders have different priorities, yet risk must be managed efficiently and in a coordinated way for each stakeholder to fully achieve their objective. Managing digital risk requires a programmatic approach, as part of a truly integrated risk management strategy. In SR Bank's case, several stakeholders benefit from an integrated approach.
- Theresa, as CRO, wants visibility into the key vendors and relationships that have the most impact on SR Bank's overall risk profile. By assessing vendors based on their role in the business, risk issues can be prioritized, and Theresa can align investments and risk management initiatives toward the high-risk scenarios.
- Charles wants to advance SR Bank's security posture through optimized identity management and security monitoring processes, and through better leverage of existing security technologies.
- Other stakeholders, like Sharon and Paul, want more insight into the roles of the various vendors and service providers so they can align their respective efforts.
- Overall, this team wants to feel more confident in addressing risks while supporting an ecosystem that delivers high value to the business.
These different objectives are increasingly difficult to achieve with a siloed approach.
I discussed the concept of vertical and horizontal alignment in the first post of our Leaders Series on Digital Risk. As digital initiatives reshape business operations, the 'weakest link' matters more than ever, because an issue at any single point can quickly escalate into a major business risk. Your approach must address not just the tactical challenges but also the adjacent risks in a broader view. It must be a portfolio of processes and technology enablers that tackles each key risk area with tactical operations blended together into one strategy.
Traditional, siloed approaches create 'blind spots' in understanding the true nature of risk, as visibility is lost in the 'cracks' between functions. Organizations miss the key insights that drive action and make the difference in reaching the right business decisions. Therefore, there must be an integrated approach, one that connects vertically from strategic objectives to operational practices and horizontally across risk management domains.
- Vertically: Risk must be understood in the context of the business. Teams and processes must be established that connect the strategic to the operational, and events must be measured against their impact on the business, with technology solutions applied within each domain to optimize its processes.
- Horizontally: Risk must be managed across risk functions (security, compliance, resiliency, operational, third party, audit, etc.) so that each domain's contribution is felt by the whole as it matures (a rising tide raises all boats). This horizontal integration breaks down the silos, and because each of these domains is connected through digital operations, overall risk is reduced.
I have written about these concepts before, and the principles apply even more in today's highly volatile digital world. Sharing data, leveraging processes and aligning different risk management functions more strategically results in a much stronger capacity to manage risk and, more importantly, helps your business innovate and leverage technology.
# # #
Register for our executive webinar series on digital risk management to find out why risk management is so critical and how companies are addressing digital risk.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity.