Can you tell the Risk Insights readers about yourself and your professional experiences?
Michael Lucas is an industry thought leader in Third-Party Risk Management and Information Security with Crowe Horwath. Michael manages Crowe’s Third Party Assessment Team, coordinating a dedicated network of assessors around the globe. He specializes in using innovation and automation to tackle third party risk management challenges like the overwhelming numbers of third party relationships. Many of Michael’s clients initiated projects due to data breaches, and, with Crowe’s help, have revamped their programs to prevent recurrence. Michael is currently on secondment and resides in London with his family.
Michele Sullivan is a Partner in Crowe’s Horwath’s Risk Consulting Practice and serves as the global leader of our Third-Party Risk Management solutions. Michele has over 25 years of experience and focuses on leading large, complex projects and has focused primarily on the financial services industry. She regularly advises clients on building, improving, and remediating risk management programs, as well as designing solutions to improve related practices and strategies. Michele has been responsible for strategic direction, tactical execution, change management, and client satisfaction for many of the Firm’s largest financial services clients. In addition, Michele services on Crowe Horwath’s Board of Directors; the seven person governing body elected by the firm’s partners.
Can you outline the regulatory landscape surrounding third party relationships and third party risk management?
Risks presented by third-parties continue to be front of mind for regulators. While expectations continue to increase, we have seen some flexibility on programme maturity, as long as progress is being made within committed timeframes. Key areas of focus have included ingoing monitoring of third-party relationships beyond the due diligence phase and improved reporting within the established governance structure. We believe that much of this is occurring due to the concentration of third-party providers and efforts to assess and manage elements of concentration risk, as well as the increased utilization of fintech relationships and their unique risks and benefits.
With respect to monitoring of third-party relationships beyond the due diligence phase, there is increased scrutiny on establishing processes to ensure that service providers are delivering on promises outlined in their contracts. Essential elements include ownership of the third-party relationship and contract provisions, precise understanding of the nature of the relationship, the ability to identify changes in the relationship and the third-party providers risk profile, as well as effective governance practices including credible challenge and escalation. The scope of monitoring activities around contractual obligations for mission critical third-parties is best managed through continuous automated processes.
There are heightened expectations for more oversight and reporting on critical third party activities. Most often these expectations extend to the board level. We recommend that our clients establish regular, consistent reporting on programme scope and results. Effective reporting on programme scope may include data on the third-party population, inherent risk levels of third-parties, changes to the population or the more significant relationships, and ownership over critical elements of the programme. Reporting on programme results could include increases or reductions in risk of the portfolio of third-parties, third-party controls against baseline frameworks for the most critical third parties, trends, and quadrant reporting. The combination of programme scope and results foster appropriate oversight and governance in most organisations.
What safety measures would you advise when hosting data across jurisdictions?
Businesses are prohibited from transferring personal data outside the European Economic area to a country that does not have adequate data protection. A list of “approved countries” is available from the European commission’s website, which includes: Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, New Zealand, United states (Under EU-US privacy shield), Eastern republic of Uruguay. Standard data protection clauses (i.e. Model Clauses) adopted by the Commission is the standard that regulates cross-border data transferring.
Organisations that currently host data across international jurisdictions or are considering such an arrangement, should:
1. Review their existing and planned business operations
2. Identify all circumstances in which personal data are transferred to recipients located outside of the EEA
3. Ensure that for each such transfer, the organization has in place a data transfer mechanism that complies with the requirements of the GDPR
4. Personal data transfer should be monitored very close by the organizations
Further, GDPR seeks to introduce other mechanisms to legitimize international transfers of personal data, including, for example:
• Transfers on the basis of standard data protection clauses adopted by a DPA and approved by the Commission;
• Transfers pursuant to contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country (where such contractual clauses have been authorized by the competent DPA);
• Transfers on the basis of an approved code of conduct (e.g. a code of conduct dealing with the transfer of personal data to third countries that has been approved by the relevant DPA)
• Transfers pursuant to an approved certification mechanism (e.g. a data protection seal or mark that has been issued by specified certification bodies or by the competent DPA on the basis of criteria approved by the competent DPA or the European Data Protection Board).
• In the last two cases, the transfers must also be on the basis of binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
What are some of the challenges in following the risk management process post-termination?
Closure of third-party relationships must be an end-to-end process. We typically recommend the following leading practices:
• Inclusion and confirmation of data destruction requirement abilities within the contract
• A clear distinction of “dormant” and “retired” suppliers within the programme
• Requirements of Destruction Certifications to close or terminate a relationship or contract
• Escalated retirement approval if data still exists with fourth parties (i.e. third-parties to a company’s third-parties)
• On-going monitoring of suppliers where the contract may have ended, but their access to your assets is in “run off” mode
How do you see the role of the vendor and third party risk management professional changing over the next 6-12 months?
We are seeing concentrated efforts to increase the compliance and effectiveness of programmes, while balancing resource constraints. Professionals leading third-party risk management programmes are focused on boosting maturity by –
• Focusing on higher risk areas such as information security or compliance
• Utilizing specific subject matter experts for assessments
• Requiring written remediation plans from third-parties and monitoring progress on activities
• Not fully relying on shared assessments; identifying specific, relevant risks and performing periodic assessments and continuous monitoring
• Leveraging technology to monitor, drive workflow and improve reporting.