Key take-aways from CeFPro Vendor and Risk EMEA 2018
Sean O’Brien, Managing Director at DVV Solutions, offers his thoughts and ideas on the state of Third Party Risk Management in the UK and Europe, and his key take-aways from CeFPro Vendor & Third Party Risk 2018.
I was proud to represent DVV Solutions at the recent CeFPro Vendor & Third Party Risk EMEA 2018 Summit in London. Like any industry event, this offered a great opportunity to meet and greet a number of existing and new clients looking to learn more about how they can develop and build upon their Third Party Risk Management (TPRM) programs and supplier due diligence. But it was also a chance to reflect on how far we’ve all come in a relatively short space of time.
It’s easy to get carried away and forget that you’re more than likely preaching to the converted within such a focused environment. However, from recent evidence and discussions with clients and prospects, there is much to be positive about in the development of TPRM in the UK and wider EU financial sector. So here are just a few of my highlights and thoughts on the current state of TPRM.
Risk isn’t just for InfoSec, Compliance and Assurance
A growing number of contacts and opportunities involve stakeholders across the wider business, such as Procurement and Operations functions, rather than only the traditional owners of IT risk and cybersecurity. The skills and experience these teams bring to the table should not be underestimated: they have broader experience of the processes and pitfalls surrounding supplier due diligence, relationship management and contract management.
Ultimately, collective ownership and management of risk, remediation and strategic planning within an organisation provides the chance to create a more holistic and complete framework for TPRM. It also improves your ability to identify and respond to emerging risks, and to opportunities to improve the quality and security of the services provided by Third Party suppliers.
Resources need to be spent as wisely as possible
Results from the *CeFPro 2018 ‘Taking the Pulse of Third Party Risk Management’ survey highlighted that 65% of organisations do not believe they have “appropriate funding for the right people and skillsets” and 61% struggle to address the full lifecycle of third party relationships. These statistics are not wholly surprising given the relative infancy of the TPRM models we come across in the UK market and their reliance upon highly manual and time-consuming processes (e.g. spreadsheet- and email-based questionnaires, and a lack of standardisation and consistency).
In the short term, this inevitably leads to a focus on priority or “critical” service providers, though it should be noted that this may not necessarily be where the greatest risk lies. In the long run, the challenge is to make whatever level of spend is available deliver as comprehensive and scalable a TPRM program as possible.
Content standardisation and workflow automation are two of the most obvious ways to improve speed and efficiency in the execution of Third Party risk assessments. For example, Shared Assessments’ Standardised Information Gathering (SIG) questionnaires and Standardised Control Assessment (SCA) procedures are being established as independent industry standards from which to build high-quality assessment criteria and processes.
Skilled resource is in short supply
The path to a Third Party risk executive role can be varied, with backgrounds ranging from IT/cybersecurity to supplier risk management, sourcing, auditing and compliance, and with a large part of the skills learnt on the job. This means there are very few “specialists”, and even fewer opportunities to independently learn the specific skills and techniques required to understand and assess the complex risks and regulatory issues that the extended data supply chain presents.
Formal qualifications such as CISSP, CISM, CRISC, PCI QSA and ISO 27001 Lead Auditor accreditation offer a solid breadth of knowledge to support a move into Third Party risk. However, Shared Assessments’ Certified Third Party Risk Professional (CTPRP) accreditation offers executives a detailed and tailored toolset that validates expertise, provides professional credibility and develops the skills needed within the field of Third Party risk management to:
• manage the supplier lifecycle,
• identify, rate and evaluate risk, and
• deliver an effective process for supplier risk assessment, monitoring and management.
But headcount constraints will always limit the ability to execute. Managed “TPRM-as-a-service” offerings such as SupplierAssess are increasingly seen as cost-effective ways to improve the scalability of TPRM programs, leveraging the experienced, on-demand resources that service providers can offer.
We are moving beyond GDPR (just)
GDPR has inevitably been a large focus of attention for us all and will continue to be a core part of the conversation, since 25th May has proved to be just as much a start date as it was a deadline and end-point.
Many organisations still have much to do to complete their GDPR compliance programs. However, the work undertaken to build GDPR-compliant practices is generating a much stronger appreciation of the legal, regulatory and moral obligations of data management, privacy and security, and Third Party risk, throughout the chain of command.
With GDPR’s headline-grabbing penalties I do not anticipate it taking too long until we see the raised profile of data privacy materialise into tangible additional resources made available for more robust risk and compliance programs. The first landmark ruling made in the wake of an inevitable significant breach will be a serious wake-up call for any board sleep-walking through its regulatory responsibilities (N.B. It will be interesting to see the fallout of Dixons Carphone’s latest breach).
Fourth Party Risk is coming under the spotlight
In many ways Fourth Party risk is essentially what Third Party risk programs have always been trying to target, but the recognised practice of identification and management of downstream suppliers is a relatively new concept in TPRM.
For those just starting out, there are obvious contractual and commercial barriers to overcome before getting beyond the first stage-gate in supplier relations. As with the management of Third Parties, we would always advocate ensuring you have the right to audit, whether that is the nth party themselves and/or your Third Parties’ own TPRM program and their controls over downstream supplier risk.
Ultimately, the key to ensuring greater access, transparency and co-operation through the supply chain is going to come down to collaboration between each party. Most thinking points to building stronger relationships with Third and subsequent parties, working together to create a more holistic approach to risk management rather than splitting responsibility at each stage or supplier. By setting out clear expectations early in the supplier identification and due diligence process, organisations can secure the buy-in needed to build stronger controls throughout the data supply chain, so that a viable and profitable commercial relationship can exist for all concerned.
Shared evidence networks can be an effective industry solution
Speaking of collaboration, the rise of the “Complete-Once, Share-Many” model of supplier sharing networks and repositories (such as the Third Party Network) is beginning to provide Third Party risk managers with the benefits of the traditional assessment process, but with much less aggravation. The shared effort within the industry ecosystem is making completed, verified, standard surveys more readily available to organisations while eliminating the tedious, time- and resource-consuming process of collecting accurate data from suppliers. (*Two thirds of organisations polled use spreadsheets to track and manage the TPRM process.)
The burden on suppliers is similarly alleviated, greatly reducing the effort required to answer the same (or very similar) questions and attestations multiple times for clients within the same industry, tied by the same regulation and risk domains. Ultimately this means that both first and third parties can spend much less time gathering controls data and much more time on what’s important: working together to decrease control gaps and reduce overall risk.
It has certainly been an interesting few months, especially with the frantic build-up to GDPR coming into full force, and whilst there will always be financial, commercial and political challenges ahead (don’t mention BREXIT!), the Third Party risk management industry is definitely maturing at pace and is finding new and innovative ways to respond to the changing risk landscape.
I, for one, look forward to what the future holds for our market, and next year’s event.