Many organizations use third parties extensively to augment their capabilities, leverage external innovation, outsource activities or cut costs. Third parties play an increasingly vital role in today's digital initiatives, but third-party ecosystems and supply chains are becoming more technical, digital and complex. The challenge lies less in engaging third parties than in managing the risks they bring to the organization's business objectives. What's more, third-party risk isn't just one type of risk. It's a mixed bag whose impact varies with how dependent the organization is on a given third party, how strategic that third party is to its objectives, and whether it represents a single point of failure. Risks that are not managed correctly can result in business impacts, including financial losses, reputational damage, regulatory non-compliance and erosion of customer confidence.
The question I want to discuss today is: do most organizations know how their use of third parties is affecting them? Understanding the impacts can be difficult, largely because third parties bring new and often unknown risks. For example, third parties frequently require access to your organization's sensitive systems and data (e.g., customer, patient, intellectual property), and it's likely not just that third party but also its contractors, employees and even its own third parties (4th, 5th, Nth parties) who end up accessing your sensitive data. A second risk is the cyber threats these third and Nth parties introduce once they have access to your systems and networks. A third is resiliency risk: your organization controls its own recovery and resiliency planning, but has little to no control over how resilient your third parties are, or over the downstream effects their outages could have on your organization.
There is no way to eliminate all third-party risks, but with good governance and risk management, you can implement sound oversight, focus on the right risks and reduce much of the impact to your organization. Let's discuss four areas in managing third parties, the risks they introduce and the impacts on the organization.
Understand Your Ecosystem
Third parties become a vital part of the internal ecosystem of your business when they support a particular department, become part of your product or service delivery, or provide vital expertise. It's critical to understand and manage how they fit in. Some ways to make this happen include:
- Document, track and understand the structure of the internal organization and the interdependencies between business processes, IT systems, locations, devices and data. Then track and map all your third parties (and 4th, 5th and Nth parties) to the areas of the organization they support. Treat this exercise as if they are part of your processes, systems and people.
- Determine the criticality of each third party through the results of business impact analyses (BIA) your business resiliency teams perform. The BIAs are done to determine the criticality and recovery objectives of an area of your business, such as a business process, department or location. As the third parties are mapped to the internal organization in the prior step, this helps you understand the relative criticality of each third party and then prioritize the actions you take going forward to manage them.
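The two steps above amount to building a dependency graph and propagating BIA results through it. The following is an added example, not code from the original post or from RSA; the processes, BIA tiers, RTOs, third parties and Nth parties in it are constructed for illustration. Each process lists capabilities, and the providers under one capability are substitutes for each other, so the single-point-of-failure check can detect a hidden Nth party (here, a hosting provider) that every supposed alternative secretly depends on.

```python
"""Map third parties (and their Nth parties) to business processes, inherit
criticality from BIA results, and flag single points of failure.
Added example with constructed data; not the original post's code."""

TIER_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed BIA results: business process -> (criticality tier, RTO in hours)
BIA = {
    "claims-processing": ("critical", 4),
    "payroll": ("high", 24),
    "marketing-analytics": ("low", 120),
}

# Constructed dependency map: process -> capability -> alternative providers.
# Providers listed under one capability are substitutes for each other.
PROCESS_DEPS = {
    "claims-processing": {"hosting": ["CloudHost"], "ocr": ["DocOCR", "AltOCR"]},
    "payroll": {"payroll-saas": ["PayrollCo"]},
    "marketing-analytics": {"tracking": ["AdTrack"]},
}

# Constructed Nth-party map: third party -> the parties it relies on in turn
SUBCONTRACTORS = {
    "DocOCR": ["CloudHost", "LabelWorks"],
    "AltOCR": ["CloudHost"],
    "PayrollCo": ["CloudHost"],
    "LabelWorks": ["TinyStorage"],
}


def closure(party):
    """All parties 'party' depends on, transitively, including itself.
    The 'seen' set guards against cycles in the Nth-party graph."""
    seen, stack = set(), [party]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(SUBCONTRACTORS.get(p, []))
    return seen


def party_criticality():
    """Give each party the highest tier and tightest RTO of any process it
    supports, however indirectly. Returns {party: (tier, rto_hours, processes)}."""
    result = {}
    for process, caps in PROCESS_DEPS.items():
        tier, rto = BIA[process]
        for providers in caps.values():
            for direct in providers:
                for p in closure(direct):
                    if p not in result:
                        result[p] = (tier, rto, {process})
                        continue
                    cur_tier, cur_rto, procs = result[p]
                    top = tier if TIER_RANK[tier] > TIER_RANK[cur_tier] else cur_tier
                    result[p] = (top, min(rto, cur_rto), procs | {process})
    return {p: (t, r, sorted(ps)) for p, (t, r, ps) in result.items()}


def single_points_of_failure(process):
    """Per capability of 'process', the parties whose loss defeats every
    alternative provider: those present in the closure of each alternative."""
    spofs = {}
    for cap, providers in PROCESS_DEPS[process].items():
        common = set.intersection(*(closure(d) for d in providers))
        spofs[cap] = sorted(common)
    return spofs


def prioritized_parties():
    """Parties ordered by inherited tier (highest first), then RTO (tightest first)."""
    crit = party_criticality()
    return sorted(crit, key=lambda p: (-TIER_RANK[crit[p][0]], crit[p][1], p))


if __name__ == "__main__":
    crit = party_criticality()
    for p in prioritized_parties():
        tier, rto, procs = crit[p]
        print(f"{p:12} {tier:9} RTO={rto:>4}h  supports={procs}")
    for process in PROCESS_DEPS:
        print(process, "SPOF:", single_points_of_failure(process))
```

Run as-is, the output shows that TinyStorage, a 5th party nobody contracted with directly, inherits the "critical" tier and 4-hour RTO of claims processing, and that CloudHost is a single point of failure for the OCR capability even though two OCR vendors are on contract, because both of them host on it. Those are the parties the rest of the program should spend its effort on.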
Contracting with Caution
A critical element in using third parties is starting off on the right foot. Every third party should be evaluated fully before engagement, contracts and service level agreements (SLAs) should be finalized, and all third-party engagements should be completed through formal channels. The onboarding process needs to be complete, consistent and timely for all third parties. Steps that should be performed include:
- Finalize contracts, define performance expectations and establish SLAs.
- Determine contract stipulations for the third parties' use of 4th, 5th and Nth parties and their accountability for them.
- Identify and evaluate risks of using the third party. Assess the risks prior to engagement to ensure the risks can be managed to appropriate levels.
Identify the Identities
It is imperative to define and secure third-party access to your organization's critical online resources, especially customer data. Pay special attention to the third party's own use of third parties, since their staff often end up holding credentials issued under your contract with the third party. Consider implementing a business-driven identity assurance strategy that lets external users efficiently access only those systems and data their roles require, for only as long as the engagement requires, without sacrificing the organization's information security posture or compliance obligations.
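One way to turn that strategy into a recurring check is an access review that compares every external account against the policy for its role and against the engagement register. The following is an added example, not code from the original post or from RSA; the roles, systems, accounts and engagement statuses are constructed. Nth-party identities carry a `via` field naming the third party that sponsored them, so an account is flagged as orphaned when its sponsor's engagement, rather than its own employer, is no longer active.

```python
"""Review third-party and Nth-party accounts for excess, stale and orphaned
access. Added example with constructed data; not the original post's code."""
from datetime import date

TODAY = date(2024, 6, 1)  # fixed so the example is deterministic

# Constructed policy: systems each third-party role may reach, max grant lifetime
ROLE_POLICY = {
    "claims-ocr-vendor": {"systems": {"claims-api", "doc-store"}, "max_days": 90},
    "payroll-vendor": {"systems": {"hr-db"}, "max_days": 365},
}

# Constructed engagement register: sponsoring third party -> contract status
ENGAGEMENTS = {"DocOCR": "active", "PayrollCo": "terminated"}

# Constructed identity inventory: one entry per external account.
# 'via' names the third party that sponsored an Nth-party account (None if direct).
ACCOUNTS = [
    {"user": "svc-dococr", "party": "DocOCR", "via": None,
     "role": "claims-ocr-vendor", "systems": {"claims-api", "doc-store"},
     "granted": date(2024, 4, 1), "mfa": True},
    {"user": "j.lee@labelworks", "party": "LabelWorks", "via": "DocOCR",
     "role": "claims-ocr-vendor", "systems": {"claims-api", "doc-store", "customer-db"},
     "granted": date(2024, 1, 10), "mfa": True},
    {"user": "svc-payrollco", "party": "PayrollCo", "via": None,
     "role": "payroll-vendor", "systems": {"hr-db"},
     "granted": date(2023, 9, 1), "mfa": False},
]


def review_account(acct, today=TODAY):
    """Return a list of findings for one external account (empty means clean)."""
    findings = []
    policy = ROLE_POLICY.get(acct["role"])
    if policy is None:
        # No policy for the role means nobody defined what this identity may do.
        return ["unknown-role"]
    excess = acct["systems"] - policy["systems"]
    if excess:
        findings.append("excess-access:" + ",".join(sorted(excess)))
    age = (today - acct["granted"]).days
    if age > policy["max_days"]:
        findings.append(f"stale-grant:{age}d")
    # An Nth-party account lives or dies with the engagement of the party that
    # sponsored it, not with its own employer, which may never appear in the register.
    sponsor = acct["via"] or acct["party"]
    if ENGAGEMENTS.get(sponsor) != "active":
        findings.append(f"orphaned:{sponsor}")
    if not acct["mfa"]:
        findings.append("no-mfa")
    return findings


def review_all(accounts=ACCOUNTS, today=TODAY):
    """Map each account name to its findings."""
    return {a["user"]: review_account(a, today) for a in accounts}


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(f"{user:20} {'OK' if not findings else ' '.join(findings)}")
```

In the constructed data the direct vendor account is clean, the 4th-party account sponsored by that vendor has crept beyond its role's systems and outlived the 90-day grant window, and the payroll vendor's service account still exists after the contract was terminated. The same review fed from a real identity provider export and contract register is what "managing the full lifecycle" looks like in practice.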
Govern the Lifecycle
Governance means having a standards-based, best-practices approach for managing the entire lifecycle of the third parties supporting your organization, including risk management. Properly managing third-party risk requires a programmatic, coordinated and risk-driven approach. To do this, you should:
- Manage third-party relationships across the full lifecycle, from initiation of a new or changing third-party relationship to termination of the relationship.
- Assess, mitigate and monitor the broad range of risks (e.g., information security, fraud, litigation and compliance risk, contract risk, financial risk and financial viability, resiliency, reputation, strategic risk, Nth-party risk).
- Focus risk management on the third parties that matter most.
- Monitor their performance to ensure third parties are fulfilling their commitments.
Again, do you really know how your third parties are impacting your organization's abilities to achieve its strategic objectives? That is not a "one and done" discussion, but—as you can see from the guidance above—an ongoing discipline you must have during each engagement with each third party. The level of discipline and effort should correlate with the third party's importance to your business objectives. The impacts to your business often manifest themselves in the risks you track and monitor, the metrics that show if the third party is performing up to expectations, and the success (or lack thereof) of their engagement with your organization.