A few thoughts on Fourth Party Risk Management
We all know the drill. It’s time for some annual festivity, frivolity and fake fir trees. Without wanting to sound like the Grinch, there is one thing that doesn’t take a holiday. RISK!
We hope that by now the mix of media attention, ICO & GDPR guidelines and the messaging we’ve produced at DVV Solutions have done a pretty good job of raising awareness of the issues and opportunities surrounding Third Party Supplier Risk Management.
But what if we look beyond the direct relationships your organisation has on a day-to-day basis? Think for a moment about the ecosystems and supply chains that your suppliers (and possibly, unwittingly, YOU) rely on to help deliver outsourced operations.
How securely and safely do they manage, process and support your commercial operations and sensitive Personally Identifiable Information (PII) data?
You’re only as Strong as your Weakest Link!
What if most of your key suppliers themselves rely on one common supplier for a critical service? And what happens if that common supplier is attacked or breached? What’s the domino effect on your business? Here are a few ideas on the potential risks and impacts of Outsourcing and Fourth Party Risks.
It’s still early days but Shared Assessments has shed some light on the increasing awareness and development of proactive thinking around Fourth Party risk:
“Responses to the very real threat that down chain parties can pose through access to crown jewels, such as intellectual property (IP) and personally identifiable information (PII), are beginning to show in the Fourth Party management arena. Twice as many outsourcing organisations (75%) now rely on controls of their third party to monitor Fourth Parties than two years ago; and 73% report they use contractual terms to achieve this process. Such efforts mandate all stakeholders within the supply chain become effective in establishing a rigorous third party environment with well defined: Roles and responsibilities, Reporting accountability and Well-documented processes and procedures.”
However, it’s not enough to simply amend and update contractual terms to extend cover of Fourth Party supplier liability. Remediation planning, finger pointing and litigation only serve to clean up the mess once systems have been breached, data has been lost or stolen, reputations are tarnished and costs have, most definitely, been incurred.
A more holistic approach to Supplier Risk needs to be taken. One that includes not only those suppliers you have direct contact and control over but also the extended network and ecosystem of Fourth Party subcontractors, suppliers and agents. But where to start?
Quick Tips for adding Fourth Party Supplier Risk as a strategic component in your TPRM program.
Think big strategy, but start small and simple
Ultimately, long term thinking should focus on finding and developing a suite of Third Party suppliers that are not only willing to engage in mutually-aligned TPRM strategies but also share common processes and platforms.
Whilst it is unlikely that you’ll start there, or perhaps ever fully arrive there, you can immediately adapt your new-supplier search criteria and your evaluation of existing suppliers. This should include an assessment and understanding of their own Third Party risk management processes, with a focus on alignment and shared interest between you and your Third Parties on Fourth Party risk.
Let industry regulations guide you
With Fourth Party risk assessment being a relatively new concept in GRC circles, industry regulators and guidelines should be a first port of call. These will likely refer to undefined “best”, “standard” or “appropriate” practices and measures, with few prescribed behaviours and actions.
However, when the auditors call they will certainly want you to show how you have developed processes and procedures that clearly relate to the relevant regulations and the risks those regulations seek to address. So a defined and executed program of detailed remote and onsite risk assessments, utilising industry-recognised methodologies such as Shared Assessments’ Standardised Information Gathering (SIG and SIG Lite) questionnaire sets and Standardised Control Assessments (SCA), is a good place to start.
Collaborate with your Third Party suppliers
The good news is that your Third Party suppliers have a mutual interest and skin in the game when it comes to managing the risk their own suppliers pose. That doesn’t necessarily mean they’ll happily open up their entire internal operations to you, but you should find at least some level of shared interest and appreciation of the need for robust Third Party Risk Management. If not, this should certainly raise a red flag in the relationship.
Since you don’t have a direct contract with Fourth Party suppliers, getting access to information about their systems, security policies and controls can be difficult. None of us would share this sort of information with a party not bound by confidentiality agreements and without a solid, legitimate “need to know”. This is why collaboration is critical: a shared strategy and approach will yield much more effective and accurate results.
Assuming you’ve found allies in your supply chain you’ll want to find out exactly who does what with your data and what gaps in either assessing or managing risk need addressing. Some starting points for understanding the current state of their TPRM and inherent risks in their supply chain should include requests for:
- A copy of their own supplier risk management policy;
- A full list of all suppliers they classify as critical and/or high risk; and
- Copies of their most recent annual review of each of these suppliers.
Don’t forget GDPR!
Looking at the implications of Fourth Party Risk in relation to GDPR, Article 28(1)-(3): Processor Obligations provides a focus on the need to ensure sufficient guarantees that a third party processor has implemented appropriate technical and organisational measures. Processor obligations extend to subcontractors or sub-service organisations they may outsource data processing activities to.
Such extension of liability should be defined in your supplier contracts, including notifications and authorisations for subcontracting, and extend to the 4th, 5th & nth party based on the type of processing performed. This can be quite a simple process when engaging new suppliers but what about existing Third Parties and partners?
To help ensure GDPR compliance throughout your data supply chain DVV Solutions has introduced GDPR Third Party Risk Assessments that interrogate each data processor’s policies, processes and practices. The result is a thorough evaluation of their GDPR-readiness and any potential gaps in compliance that you may need to address ahead of the 25th May 2018 deadline.
Make Fourth Party Risk Assessment one of your New Year’s Resolutions
You should treat Fourth Party risk like any other, applying the same level of rigour from your current Third Party risk assessment process. As ever, gathering assessments and risk profiles isn’t as easy as it sounds but this is where a shared approach with a willing partner will ensure greater levels of success.
Many suppliers may not have a full picture of their subcontractor landscape themselves or a clear grasp of who has access to different parts of your data and exactly what they do with it. Again, this should be a warning sign but is to be expected as many organisations are still in the early phases of TPRM maturity.
It is also highly likely that many Fourth Parties will be small to medium-sized businesses (SMBs), where levels of IT and cyber-security sophistication can differ significantly from those of large corporates. Automated, software-based applications such as Small Supplier Risk Assessments, which require much less direct involvement from the assessed organisation, can provide an effective alternative to traditional questionnaire-based Supplier Risk Assessments, with much higher rates and speeds of completion amongst SMBs.
As ever, there’s never a bad time to start thinking seriously about the security posture of your extended enterprise. DVV Solutions are here to help with a range of services and solutions to take the pain out of Third (and Fourth) Party Risk Management. For more advice and information:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our online contact form
And please, no need to share any pictures from the photocopier at your office party!