Third Party Risk Management - Consultancy, Assessment & Advisory

Understanding and addressing “Outsourcing Risk” – responding to the CBoI’s Nov 2018 discussion paper

In November 2018 the Central Bank of Ireland published the discussion paper “Outsourcing”, providing findings and issues for discussion based upon observations derived from its survey of regulated firms and its ongoing supervisory engagement, risk assessments and reviews.

As the CBoI itself says, “These observations highlight the need to ensure outsourcing risk is a core priority within the risk management strategies of all regulated firms engagement in outsourcing activity”.

I am pleased to share the following excerpts from the formal response and feedback I delivered to this paper on behalf of DVV Solutions. The full response can be found here.

The Central Bank of Ireland (CBoI) and the firms it regulates are one of many sectors with a growing concern around the use of Outsource Service Providers (OSPs), as most struggle to cope with the increasing demands of data handling, updated legal requirements and the resources needed to manage, store and process data securely and effectively.

Outsourcing often alleviates much of the short-term burden of process management, but the immediate false sense of security it creates is often a catalyst for the development of systemic long-term risk. Many organisations are unprepared for the eventual and inevitable impact of risks, particularly those which mature from deeply embedded poor practices. For businesses that are overly risk tolerant, or perhaps simply unaware, risk management becomes a very reactive function rather than an embedded proactive process.

Success too is not without risk, as organisations that undergo rapid growth, particularly through acquisitions, will often find themselves with processes and policies that are incompatible across business units. Individually these units may continue to function successfully, yet there remains an underlying and increasingly compounded risk factor in that their internal functions do not integrate. This condition is exacerbated by the extent of supply chains and channel partners, which together present a cocktail of anachronistic processes, policies and procedures.


Increasingly Regulated Environments

The paper commissioned by the CBoI has gathered valuable data within its regulated membership framework around common threats, yet these are not confined to the financial sector alone. It supports the outsourcing risk trends that we see in all sectors, which are being compounded by the introduction and enforcement of regulations such as the European Union (EU) General Data Protection Regulation (GDPR) and the likes of the Privacy and Electronic Communications Regulations (PECR) and the Senior Managers & Certification Regime (SM&CR) in the United Kingdom (UK).

Despite a lengthy pre-implementation period, many organisations found themselves unprepared for GDPR in May 2018, having left planning to the first quarter of the year. As such, the supporting infrastructure and policies intended to assure compliance with the interpreted regulations were rushed out and therefore lack the foundations on which to build an effective Information Security Management System (ISMS).

And where data protection and security is concerned, risk can no longer be transferred or outsourced – it must be actively owned and managed by all parties concerned.


Procurement Led “Risk” Management

A fundamental flaw in outsourcing is that inadequate procurement due diligence and central monitoring is undertaken on supply chains. The complexity of dynamic components within this model makes oversight of a framework difficult to govern and report against. Lines of delineation, segregation of duties, roles and responsibilities are not clearly defined, as different internal parts of the business often manage different parts of the external supply chain. While we typically see centralised and decentralised models, we have frequently found that a federated model best meets these complex requirements.

In addition to management functions, we often find that operational components such as contracts, Service Level Agreements (SLAs), Key Performance Indicators (KPIs) and, specifically, Key Risk Indicators (KRIs) lack substance or are absent. This risk is compounded where organisations have a framework of internal federated stakeholders who, even under the same industry regulations, are independently outsourcing critical services in isolation with no broader consideration or governance. Whilst risk-based checks on specific tasks may exist within these frameworks, the time and resources needed to suitably monitor OSPs are grossly under-estimated, which in turn affects budget applications, creating a degrading perpetual cycle.

When considering data handling in chain outsourcing, the risks are again compounded, as tracking data becomes a hugely labour-intensive and time-consuming task unless there is a dedicated central monitoring and reporting programme in place. The challenge is centrally gathering and prioritising high-value outputs from seemingly low-level inputs.

Traditionally, onboarding is undertaken solely by procurement and is guided by cost and commercials as the primary factors. When considering the wider impacts of data on an entire organisation, there must be a mechanism and a partnership with other internal business stakeholders such as, but not limited to, Information Technology (IT); Quality, Environmental, Health & Safety (QEHS); Security; Estates; Legal; and Commercial, in order to fully define a scope of requirements and to understand the risks associated with outsourcing. This approach will also help to develop and maintain a data processing map and to define data classification standards.


Developing A Risk-Based Approach

Although all risk can be measured by financial loss, the procurement process must be led by risk as the primary factor and not by cost, as financial loss is the result of risk materialising. Having identified the threats, vulnerabilities and risks, a process of monitoring needs to be standardised and applicable to the context and environment in which they exist. Defining a process of assessment, monitoring, risk identification, reporting and remediation can only be done through the collation and analysis of specific data, and must be done by trained and experienced professionals as dedicated assets. Even more so, this needs to be done using a process which is both repeatable and consistent and which factors in every component within the service offering. Only once a standardised benchmark is established can an organisation begin to measure risk and make meaningful comparative assessments.

There are significant factors to consider prior to outsourcing any service, and these must be an integral part of the Invitation To Tender (ITT), as beyond that point it is too late. The ITT offered to potential suppliers should include a checklist which outlines the standard requirements around data handling in order to assess the risk. This should not be considered a “minimum standards approach”, as that encourages cost-cutting, but rather “the standard” that defines a quality benchmark. Potential suppliers must be able to demonstrate that they have the expertise, policies and processes in place to effectively manage data and the contracted services that support its management and processing.


Tone at the Top

In addition to implementing recognised industry standards such as ISO, an effective way to address this is through the formation of an Information Security steering committee to oversee governance of the aforementioned issues, and of data protection specifically. The members would comprise formally appointed executives who advise on and enforce policy through an Information Security Management System and a Business Continuity framework.

The structure of this committee must have a degree of representation from all stakeholders to mitigate any conflict of interest. It is also essential that the organisation’s Information Security Management System forms part of the Business Continuity framework using a shared risk register.

The involvement of an external third-party risk management specialist will bring an independent and impartial overview with cross-sector expertise. This too is measurable in terms of time, cost and progress, as many organisations lack the resources and funds to design, build and maintain the kind of management system which a certified specialist would provide.

Culture is by far and away the hardest thing to change in any organisation, and as such it is essential that senior management sets the appropriate tone to support third-party risk management. A collaborative approach, with positive cultural change led by executives engaging with peers, industry experts and recognised standards, will ensure that a sound foundation is embedded within the organisation.

The full formal response to the CBoI discussion paper can be found here.


About the Author

Brad Horn, CTPRA, is a member of the Information Security Assurance Consultants team at DVV Solutions. Brad is a highly experienced information security manager with a multi-sector background in risk management, business continuity and third party risk. He is fully conversant with GDPR and 2018 UK Data Protection and an expert in the design, build and maintenance of information security management systems and risk management frameworks within large corporates. Brad is an ISO27001/2 Information Security Auditor with applied experience in ISO22301 Business Continuity and ISO31000 Risk Management.

Connect to Brad on LinkedIn