Third Party Risk Management - Consultancy, Assessment & Advisory

CEFPRO Risk Insights: Third Party Risk and the Cloud – Interview with Sean O’Brien, MD

Ahead of DVV Solutions sponsorship of the 4th Annual CEFPRO Vendor & Third Party Europe on 18th & 19th June, Sean O’Brien – Managing Director, DVV Solutions – spoke with Risk Insights magazine for a quick-fire interview on what to expect from our panel discussion on “Ensuring effective controls for cloud providers to understand where data is stored and pinpoint liability.”

CEFPRO Vendor and Third Party Risk risk Insights Banner

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I’ve been operating within IT GRC and Third-Party risk for over 20 years now, designing and delivering risk management programs and managed services in highly regulated industries throughout the UK, EMEA and the US.

I’m a passionate advocate for driving standardisation in both risk management processes and content in order to create greater efficiencies and scalability of TPRM programs. This is why I have been a long-standing member of the Shared Assessments Program and continue to take an active role in promoting and developing the adoption of their Standardised Information Gathering (SIG) questionnaire sets in EMEA.

Their “Trust but Verify” methodology is a foundation of our managed services and we ensure all our IT Security Assurance Consultants achieve their Certified Third-Party Risk Management Professional (CTPRP) and a Certified Third-Party Risk Assessor (CTPRA) designations.


In your opinion, how can we look to effectively pinpoint liability and what impacts will the new data protection issues cause?

It’s an old but important adage the “You can’t outsource the risk”. Without suitable due diligence in place, organisations will not understand what risks they face when they outsource a particular function or service.

Organisations continually struggle to fully assess their third-party suppliers, let alone their 4th, 5th or nth parties. Being able to pinpoint liability depends entirely on understanding all the parties involved and the roles and responsibilities each own. Translating this into a RACI/RASCI matrix will prove the simplest method for everyone to understand.

This makes risk management a team sport, both internally within an organisation through the development of risk committees where stakeholders are able (in theory) to align their objectives, frameworks and resources but also between organisations and their cyber supply chain. We always recommend a collaborative approach and given the increasingly extended enterprise outsourcing is creating it is vitally important for both you and your third parties to identify and track the downstream risks especially as regulators increasingly adopt the stance of applying mutual liability for security breaches.


What are the key considerations that need to be made when undertaking independent reviews on controlled environments?

As with any assessment, understanding what it is your going to assess and why form the basis for the exercise. Scoping the assessment, taking in to account your organisations risk appetite and risk tolerances provide some high-level insight. Completed questionnaires, output from whatever Continuous Monitoring tools you may be running and discussions with the Supplier Manager should give you an up to date picture.

Alignment of questions to the service provided, as well as alignment from questionnaire through to onsite assessment provide continuity of the assessment.

Finally, uniform metrics across the questionnaire, onsite assessment and continuous monitoring provide consistency and will stand up to regulatory rigour.


What challenges and opportunities could financial institutions expect to arise when transferring between cloud providers?

As with any relationship, it is human nature to always look on the positive side. Organisations rarely give a great deal of thought to exit planning.

Moving from one cloud provider to another can be fraught with difficulties, both contractually and logistically. Ideally exit planning should be a key aspect of any supplier onboarding process and be tied to the contract.

Equally, mid contract changes need to be assessed in respect of current exit plans.


What, for you, are the benefits of attending a conference like CEFPRO Vendor & Third-Party Risk Europe 2019 and what can attendees expect to learn from your session?

There are very few conferences with such a specific emphasis on Third-Party risk and based on our experience delegates can gain valuable insights from industry experts in an extremely focused agenda. The atmosphere lends itself to open and honest discussion so there’s a great opportunity for collaboration and for delegates to share successes and learnt experience with peers who have common challenges. I see our role is to help facilitate that discussion – we’re definitely not here to hard-sell.

Looking at our session, with the continuing proliferation of Cloud-based services, understanding and prioritising the various levels of risk the Cloud can present at both the platform and service/application level is key. During this year’s Cloud Technology panel discussion I hope we can provide attendees with an understanding of how to break down the daunting task of assessing risk in the Cloud.


Join us at CEFPRO Vendor & Third Party Risk Europe 2019

Date: Tues 18th June to Weds 19th June 2019

Time: 8:30 until 17:00, daily

Venue: The Tower Hotel – Guoman, St Katherine’s Way, London, E1W 1LD

20% Registration Discount: Register online and enter code “DVV20” for 20% off all delegate passes, including Early Bird Rates.