Matt Moog, General Manager, Third-Party Risk Management, OneTrust, shares his insights ahead of Third Party & Supply Chain Risk USA

Staying vigilant: 7 practical tips for ongoing TPRM monitoring

Matthew Moog, General Manager, Third-Party Risk Management, OneTrust

Below is an insight into what can be expected from Matt’s session at Third Party & Supply Chain Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Why is it so important for organizations to monitor third party risks with business justification metrics?

The continuous monitoring of third party risks is paramount in today’s ever-evolving business landscape. One primary reason is the dynamic nature of the risk environment. Third parties can experience changes in their operations, ownership structures, financial stability, or regulatory contexts. Such shifts can drastically modify their risk profile, potentially catching organizations off-guard. By keeping a constant eye on these entities, businesses can swiftly detect and adapt to these changes, ensuring their strategic decisions are based on the most current risk information.

Operational continuity is another significant concern. Disruptions or failures in third party operations can ripple through an organization, leading to production halts or service interruptions. For instance, difficulties faced by a key supplier might derail an entire product line. In parallel, the reputational stakes are high. In our interconnected global economy, any missteps by a third party, be it a data breach or unethical practices, can rapidly reflect negatively on the affiliated organization. Negative publicity can erode customer trust and brand value, even if the organization isn’t the direct culprit.

From a financial and regulatory standpoint, the implications are profound. Unexpected risks emanating from third party relationships can precipitate substantial financial losses stemming from operational disruptions, potential litigations, or regulatory penalties. Moreover, as regulatory frameworks tighten, companies are frequently held accountable for the actions of their third party affiliates. Therefore, consistent oversight is essential to ensure that these partners adhere to compliance standards, preserving the organization’s legal standing and reputation.

Lastly, using business justification metrics aids in proactive decision-making. It helps organizations weigh the benefits against the risks, ensuring that third party affiliations align with the company’s broader strategic objectives and risk appetite. Monitoring third party risks with business justification metrics provides a holistic view of external interactions, promoting informed, strategic, and secure business decisions. Ultimately, continuous third party risk monitoring transforms the organization’s approach from reactive to proactive, allowing it to preemptively address concerns before they escalate into significant challenges.

What are your top tips for organizations to look out for third party risks?

Create a comprehensive risk assessment framework

Develop a risk assessment framework that categorizes third party vendors based on their criticality and potential impact on your organization. This will help prioritize monitoring efforts and allocate resources effectively.

Establish Key Performance Indicators (KPIs)

Define and track KPIs related to third party risk management, such as response times to security incidents, patch management compliance, and adherence to contractual obligations.

Establish clear contractual obligations

Ensure that all third party contracts include specific security and data protection requirements, compliance standards, incident response plans, and access controls. Regularly review and update contracts to address changing risks and regulatory requirements.

Enhance monitoring with external data and risk ratings

Assessments are singular, point-in-time evaluations of a third party’s risk posture, and it is difficult to track meaningful risk metrics that change over time. External data sources and risk ratings can help to fill in the gap and keep you apprised of what your third parties are up to.

Automate responses to changes in risk scoring

Automate response actions as risks arise by listening for data changes and creating triggers to notify stakeholders, flag risks, and kick off reassessments.

Re-think when a traditional risk assessment is necessary

Triage third parties and automate evaluation procedures by leveraging risk data to tailor evaluation and assessment depth. In some cases, bypassing assessments altogether and deferring to continuous risk monitoring may be an appropriate workstream to manage a lower-risk third party.

Use monitoring data to validate assessment responses

When a third party responds to a risk assessment, compare monitoring data and insights against their responses and flag inconsistencies for further examination and follow-up.

How can organizations automate incident responses when new risks arise?

The ability to swiftly respond to new third party risks and incidents is pivotal for organizations aiming to maintain operational integrity and protect their reputation. Automating incident responses has emerged as an effective strategy to enhance this agility. At the heart of this approach is the integration of external threat and risk intelligence data with internal systems. By harnessing the power of external data, organizations can obtain real-time alerts about new vulnerabilities or threats linked to third parties. These platforms accumulate and scrutinize data from diverse sources, ensuring that businesses are continually updated about emerging risks, thereby facilitating immediate and appropriate action.

Leveraging external third party risk ratings data can significantly enhance an organization’s incident response capabilities. By integrating these ratings into their risk management framework, companies can obtain a more granular and objective view of potential vulnerabilities associated with their third party vendors. When these ratings indicate heightened risk levels or changes in a vendor’s risk posture, they can automatically trigger incident response workflows. This proactive approach ensures that potential threats are addressed in their nascent stages, allowing for rapid mitigation. Moreover, by utilizing external data, organizations benefit from a broader perspective that amalgamates various global insights and threat intelligence. Consequently, this not only streamlines the incident response process but also enriches it with comprehensive, real-time data, facilitating more informed and timely decision-making.

In addition, regular feedback loops and post-incident evaluations should be established. This ensures that the system not only responds to threats but also learns from them, adapting its reactions over time to provide an ever-evolving and robust defense against third party risks.
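The tips on automating responses to changes in risk scoring and on validating assessment responses against monitoring data, together with the answer above on letting external risk ratings trigger incident response workflows, describe one mechanism: watch an external score feed, fire actions when it moves, and cross-check the vendor's own questionnaire answers against what the feed observes. The following is an added example of that mechanism in Python; it is not OneTrust's code or any rating provider's API. The vendor names, score bands, drop threshold, questionnaire fields, monitoring findings and the mapping between them are all constructed for illustration.

```python
"""Added example (not OneTrust's code): event-driven third party monitoring.

Two ideas from the interview in runnable form:
  1. listen for changes in an external risk score and trigger actions; and
  2. cross-check a vendor's questionnaire answers against monitoring data.
All names, scores, thresholds and field names are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed score bands (higher score = better posture); not a real provider's scale.
BANDS = [(80, "low"), (60, "medium"), (0, "high")]


def band(score: int) -> str:
    """Map a numeric score to a risk band using the assumed BANDS table."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "high"


@dataclass
class Vendor:
    name: str
    tier: str                    # "critical" | "standard" | "low" (assumed tiers)
    responses: dict              # questionnaire answers (constructed)
    history: list = field(default_factory=list)   # [(date, score, findings), ...]


def score_events(vendor: Vendor, drop_threshold: int = 10) -> list:
    """Return one event per monitoring update that crossed a band boundary
    or fell by at least drop_threshold points since the previous update."""
    events = []
    for (_, prev_score, _), (date, cur_score, _) in zip(vendor.history, vendor.history[1:]):
        reasons = []
        if band(cur_score) != band(prev_score):
            reasons.append(f"band {band(prev_score)}->{band(cur_score)}")
        if prev_score - cur_score >= drop_threshold:
            reasons.append(f"dropped {prev_score - cur_score} points")
        if reasons:
            events.append({"date": date, "score": cur_score, "reasons": reasons})
    return events


def inconsistencies(vendor: Vendor) -> list:
    """Compare the vendor's self-reported answers with the latest monitoring
    findings; each check pairs a claim with an externally observable fact."""
    if not vendor.history:
        return []
    _, _, findings = vendor.history[-1]
    r = vendor.responses
    out = []
    if findings.get("oldest_unpatched_days", 0) > r.get("patch_sla_days", 0):
        out.append("patch SLA claim vs. observed unpatched service age")
    if r.get("breach_last_12m") is False and findings.get("breach_disclosed"):
        out.append("no-breach claim vs. publicly disclosed breach")
    if r.get("tls_managed") and findings.get("expired_certs", 0) > 0:
        out.append("managed-TLS claim vs. expired certificates observed")
    return out


def plan_actions(vendor: Vendor) -> list:
    """Turn score events and inconsistencies into actions, scaled to the
    vendor's tier so lower-risk vendors stay on monitoring alone."""
    events, gaps = score_events(vendor), inconsistencies(vendor)
    actions = []
    if events:
        actions += ["notify_owner", "flag_risk"]
    if gaps:
        actions.append("request_evidence")
    if (events or gaps) and vendor.tier == "critical":
        actions.append("trigger_full_reassessment")
    elif gaps and vendor.tier == "standard":
        actions.append("trigger_targeted_reassessment")
    return actions


# Constructed sample: a critical vendor whose posture degrades over three feeds.
ACME = Vendor(
    name="Acme Hosting (constructed)",
    tier="critical",
    responses={"patch_sla_days": 30, "breach_last_12m": False, "tls_managed": True},
    history=[
        ("2023-06-01", 84, {"oldest_unpatched_days": 12, "expired_certs": 0}),
        ("2023-07-01", 81, {"oldest_unpatched_days": 25, "expired_certs": 0}),
        ("2023-08-01", 66, {"oldest_unpatched_days": 75, "expired_certs": 2,
                            "breach_disclosed": True}),
    ],
)

if __name__ == "__main__":
    for event in score_events(ACME):
        print("event:", event)
    for gap in inconsistencies(ACME):
        print("inconsistency:", gap)
    print("actions:", plan_actions(ACME))
```

In practice the `history` list would be fed by a rating provider's webhook or polling job and `plan_actions` would enqueue tickets rather than return strings; the point is that the trigger logic (band crossing, point drop), the claim-versus-observation checks, and the tier-based escalation are explicit, reviewable rules rather than something an analyst has to notice by eye.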

What impact can human error have when monitoring third party relationships? How can this be minimized?

Human error can significantly influence the effectiveness of monitoring third party relationships. Missing vital indicators or misinterpreting data can lead to undetected risks. The lack of standardized processes can result in inconsistent oversight, and biases or inexperience might skew risk assessments. Additionally, errors in data entry can distort crucial information, affecting the entire risk evaluation process. Communication gaps, a common result of human error, can prevent the right parties from being informed about risks in a timely manner. Manual processes sometimes lead to delays in addressing emerging threats, potentially escalating them. Furthermore, overlooking regulatory compliance elements can expose organizations to legal penalties and reputational harm.

To combat these challenges, organizations should implement standardized procedures for consistent monitoring, reporting, and response to risks. Regular training sessions can enhance staff understanding of third party risk management and the associated tools. Utilizing automated tools can provide more consistent oversight and reduce manual errors. Instituting review processes, where monitoring results are double-checked, and implementing role-based access controls can prevent accidental data modifications. Comprehensive checklists ensure thoroughness, while automated alerts can notify of potential risks. Periodic audits, both internal and external, can further ensure compliance and accuracy. Importantly, fostering a culture of responsibility and a pervasive understanding of how an organization approaches risk appetite will motivate employees to prioritize the accuracy and integrity of their work in third party risk monitoring.