Why You Need a Flexible Third-Party Management Program

My week started with my son reminding me I needed to go to the bank and get him a new debit card. You may be wondering why I’d need to replace a 15 year old’s debit card. We just had to close his account due to a fraud alert. And, as a product manager who has been in the GRC (Governance, Risk and Compliance) industry for a long time, I made the decision to close the card, even though everything looked legit. Why?  

Because the questionable transaction occurred at a gaming company that has been breached in the past. 

Yes, I perform third-party due diligence even when I’m not working as a product manager for Onspring. 

Today is a rough day. Businesses are pulling out their incident response playbooks and responding to the CrowdStrike BSOD (Blue Screen of Death) news. 

While I feel nothing but compassion for those who are fixing the outage and managing the impact to organizations worldwide, I’m also feeling grateful for the opportunity to reflect on the importance of third-party risk programs. This represents a real-life example of why I encourage the clients I work with to understand the inherent risk of suppliers they integrate into their business processes and systems. 

Blurring Third-Parties

Third-Party Risk Management is the process in which an organization evaluates the risk a vendor (aka, third-party) brings to an organization. I have often seen third-party risk focused primarily on security risks. However, third parties also face the same risks any organization does: financial risk, compliance risk, IT operational risk, reputational risk, etc. 

We know we need to bring in outside organizations to help us achieve our organizational goals. In the best case scenario, third parties are sorted into risk tiers and reviewed on a scheduled basis based on that risk tier. But, there is always a balancing act in terms of bringing a supplier on-board to help with your company’s objectives versus the inherent risk that vendor might introduce to your organization. 

Today, the lines between where an organization ends and the third party begins is blurring. Our clients often don’t know we use third-parties to get our day-to-day work completed. Third-parties operate as an extension of us. If we have a third-party that manages our website and the website goes down, my customers see that my website is down, not that the website provider is the cause of the outage. Our customer support team will get the calls from customers, not our third-party provider. We’re all connected, and risk is never 100% eliminated. 

Even with well-known, reputable vendors, companies can implement controls managing the risk to a process a third-party handles. But, even with all the controls in place, mistakes can happen. We’re human. Regardless of how an issue arises, we all must manage the risk. And, we can do this through a third-party risk management program.

Onboarding New Vendors

As I look back on my experience in evaluating third parties and third-party management programs, here are some important questions to ask regarding your review process. 

When first bringing on a new third party and/or project to your organization, an issue could present itself. Three actions I recommend from the outset are:

1. Monitor incoming news and the third party’s response. Are they quick to correct the issue? Is their response to what happened fitting?
2. Review their compliance reports; for example, were there any exceptions in their change management processes? Was their response to the finding appropriate? 
3. Take this time to review alternative providers. Did you include other vendors in your review? Best practice recommends reviewing multiple providers when choosing a vendor. This helps your organization minimize the risk for a single point of failure, compare services provided, and confirm costs for the product are in alignment with the market.

Steps for Due Diligence

More often than not, a matter requiring attention will occur with an established third party outside of a regular due diligence review. Due diligence is the process where we review our established third-party relationships on a routine basis based on their risk. Here are eight steps I propose taking: 

1. Kick off an ad-hoc review of the vendors in question; evaluate your last routine review and ask yourself, “Did we miss anything?”. Look for ways to improve your process. We all need to commit to continuous improvement in how we evaluate and manage our business relationships. 
2. Review your contract – is there any recourse for business losses? Can you audit the third-party (right-to-audit clause)? 
3. If you have a right-to-audit clause, determine if you’d like to exercise your right to audit the vendor yourself. This is an important clause to have in your contracts. I have had third parties not release SOC reports to me because our contract did not contain a right-to-audit clause so make sure you include it when appropriate. 
4. Determine if the vendor has open findings from previous due diligence reviews. Are any of them related to the issue at hand? 
5. Revisit your risk appetite. Is your organization accepting too much risk when it comes to third parties? 
6. Review if management signed off on the third party when their risk was above your normal risk appetite. Consider if that decision needs to be reviewed. And, consider if your process needs to be updated to require a committee or board sign-off for third-party exceptions. 
7. Note the responsiveness of your account manager at the vendor. Are their updates about the issue helpful?Assess the customer impact. Do you need to release a statement to your customers on how you’ve been impacted?  
8. Review your process for flexibility and completeness. Are you getting adequate data that allows you to make the best business decision?

Finally, whether onboarding or offboarding particular vendors, you do need to consider how quickly a third party can be replaced, while minimizing further impact on your organization.  

Agile ways to respond to third-party issues both during and outside of the normal cycle are imperative. Having tools that allow you to perform ad-hoc reviews and add key learnings to your knowledge repository is a necessity. If we manage the risk correctly and implement the necessary controls, the response can be as simple as replacing a debit card.  

Want to learn more about Onspring? Click here to schedule a demo.