The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Rachael Ward, Head of Risk Oversight, Operational Resilience & Technology, FNZ Group
Risk assessments are essential tools for identifying risks and areas of exposure related to third and fourth parties, in line with business strategy and risk appetite. Done well, they allow a firm to assess accurately what the impact on the organisation would be should an identified risk materialise, and to choose an appropriate course of action in response.
Risk assessments matter most for material outsourcers and critical suppliers, especially those who hold or process sensitive data. They ensure that the organisation knows which services each vendor supplies, what risks are associated with those services, how those risks are controlled, and how the organisation would be affected if a risk materialised and a service failed, was disrupted or was compromised.
Risk assessments are also a requirement under the EBA Guidelines on outsourcing arrangements, which call for continuous monitoring of the associated risk profiles and of areas of concentration.
Nth parties pose risks similar to, and often greater than, those posed by third parties, but they are more difficult to identify, manage and monitor across the extended supply chain.
In some cases Nth parties are not regulated, or are not under the same obligations as outsourcers and critical suppliers. This makes it harder to engage with them, to exert control or influence over how they manage their risks, and to extract the data needed to understand the supply chain risk profile.
Organisations should bear this in mind when discussing their vendor risk profiles and should seek additional assurance in this area, for example by asking a third-party vendor for a specific risk assessment or due diligence materials covering its own supply chain, where that information is available.
It is important to set context on what is considered granular data, and even more important to collect the right data. Granular data related to vendor risk management includes: detailed risks within the organisation's and the vendor's risk taxonomies; knowledge of how vendor services align to the organisation's Important Business Services; cyber information such as the level of patching and vulnerability management; the outcome of Business Impact Assessments; Disaster Recovery capabilities; and information on risk events and how they were subsequently managed.
Granular data of this kind enables more effective and targeted management of supply chain risk. Understanding the lower-level details of each risk lets management focus on areas of concentrated or higher exposure, identify trends and insights, and drive remediation discussions where required.
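One concrete way to put such granular data to work is to map Important Business Services to the third parties that deliver them and on to those vendors' own suppliers, then ask which Nth party underpins the most services. The following is an added example written for this page, not code from the author or from FNZ; the service names, vendor names, regulatory status and patch SLAs are all constructed, and the ranking rule (breadth of exposure first, then unregulated suppliers, then slowest patching cadence) is an illustrative assumption rather than a prescribed method.

```python
"""Concentration analysis over a constructed third/fourth-party map.

Added example, not from the article. Every name and attribute below is
invented for illustration.
"""
from collections import defaultdict

# Constructed data: each Important Business Service (IBS) -> the third
# parties it depends on, and each third party -> its own (fourth-party)
# suppliers. Real data would come from the contract register and from the
# supply-chain due diligence returned by each vendor.
IBS_TO_THIRD_PARTIES = {
    "payments": ["VendorA", "VendorB"],
    "custody_reporting": ["VendorB"],
    "client_onboarding": ["VendorC"],
}
THIRD_TO_FOURTH_PARTIES = {
    "VendorA": ["CloudHostX", "DataFeedY"],
    "VendorB": ["CloudHostX"],
    "VendorC": ["CloudHostX", "KYCProviderZ"],
}
# Constructed granular data per supplier; a supplier absent from this dict
# is treated as unregulated with an unknown patch SLA (worst case).
SUPPLIER_PROFILE = {
    "CloudHostX": {"regulated": False, "patch_sla_days": 30},
    "VendorA": {"regulated": True, "patch_sla_days": 14},
    "VendorB": {"regulated": True, "patch_sla_days": 14},
    "VendorC": {"regulated": True, "patch_sla_days": 7},
    "DataFeedY": {"regulated": False, "patch_sla_days": 45},
}


def nth_party_exposure(ibs_map, sub_map):
    """Return {supplier: set of IBS it underpins directly or transitively}.

    Walks each IBS's dependency tree depth-first; the `seen` set makes it
    safe even if two vendors subcontract to each other (a cycle).
    """
    exposure = defaultdict(set)
    for ibs, thirds in ibs_map.items():
        seen = set()
        stack = list(thirds)
        while stack:
            supplier = stack.pop()
            if supplier in seen:
                continue
            seen.add(supplier)
            exposure[supplier].add(ibs)
            stack.extend(sub_map.get(supplier, []))
    return dict(exposure)


def concentration_hotspots(exposure, threshold):
    """Suppliers underpinning at least `threshold` IBS, most exposed first."""
    hot = [(s, sorted(ibs)) for s, ibs in exposure.items() if len(ibs) >= threshold]
    return sorted(hot, key=lambda item: (-len(item[1]), item[0]))


def prioritise(exposure, profiles):
    """Order suppliers for assurance follow-up (assumed ranking rule):
    breadth of IBS exposure, then unregulated before regulated, then the
    slowest (or unknown) patch SLA first."""
    def key(item):
        supplier, ibs = item
        p = profiles.get(supplier, {"regulated": False, "patch_sla_days": None})
        sla = p["patch_sla_days"] if p["patch_sla_days"] is not None else float("inf")
        return (-len(ibs), p["regulated"], -sla, supplier)
    return [s for s, _ in sorted(exposure.items(), key=key)]


if __name__ == "__main__":
    exp = nth_party_exposure(IBS_TO_THIRD_PARTIES, THIRD_TO_FOURTH_PARTIES)
    for supplier, ibs in concentration_hotspots(exp, 2):
        print(f"{supplier} underpins {len(ibs)} IBS: {', '.join(ibs)}")
    print("follow-up order:", prioritise(exp, SUPPLIER_PROFILE))
```

In the constructed data the fourth party CloudHostX never appears in any contract the organisation itself holds, yet it underpins all three Important Business Services; that is exactly the kind of concentration that only becomes visible once vendor-supplied supply-chain data is joined to the organisation's own IBS mapping.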
Publicly available data can be a rich source of information. It should be validated first; if it is legitimate and comes from a trusted and reliable source, it should be used to inform risk assurance activity. Information in the public domain can either confirm that the right choice has been made regarding a supplier relationship, or prompt an informed discussion about the supplier's risk profile and how it is being managed.
This is particularly useful for targeted areas of concern such as information security and cyber risk (for example, understanding a supplier's cyber posture and its weaknesses in network security, application security or patching cadence), or for understanding a company's historical performance, any adverse media coverage, and any areas of concern within its industry (for example, material risk events related to the supplier).
Organisations should seek to build effective, long-lasting relationships with vendors, ensuring that vendors understand the business they are supplying and vice versa. Organisations should understand the operating environment of their suppliers (for example, whether they are regulated and how complex their business model is).
This should determine how much information the organisation requires, and clear expectations should be set as to what information (for example, due diligence documentation) the business needs in order to succeed.
Organisations can reduce the overhead on the vendor, and find alternative ways to validate controls, by using material that already exists: internal and external audit findings, existing risk assessments, the vendor's financial records or annual reports, and other relevant publicly available information.
Lastly, once the information requirements are clear, they should be written into the vendor contract as a clause, so that they are met not only at the procurement stage but at each subsequent vendor review.