Risk managers need more sophisticated tools to evaluate third-party supplier risks, says former Paypal deputy CISO, but most importantly, they need to be able to tell a business when to walk away from a supplier that’s too exposed
The growing complexity of supply chains means that effective third-party risk management cannot simply consist of a snapshot of a risk profile at a certain point in time.
Speaking at the 5th global cyber spotlight event hosted by Standard & Poor’s, Renana Friedlich-Barsky, who until this month was deputy CISO at PayPal, warned that more needed to be done, including having the strength to advise the business to simply walk away from third parties who pose too big a risk.
She added that at present many organisations rely on email questionnaires, manually updated spreadsheets and sample data to track third parties. Businesses must instead move toward a more centralised and data-driven approach that supports strategic risk management decisions. The aim is to capture a sophisticated picture of overall risk and to use additional capabilities, such as automation and external reports, that deliver real-time information.
While third-party risk management (TPRM) programmes have traditionally been driven by regulatory pressures, other forces, such as data breaches, supply chain disruptions and board pressure, have emerged as additional drivers for TPRM investment in recent years.
Last year, EY issued its global third-party risk management report, which found that risk managers ranked cybersecurity and digital risk as the top risk domains in their risk inventory reporting, followed by strategic risk, financial viability risk, and environmental, social and governance (ESG) and sustainability risk. Organisations are also re-examining risk governance and integrating ESG commitments into third-party risk assessments.
For Friedlich-Barsky, the issue remains that systems need to be created that give risk managers a real-time view of the risks. She said: “Third party risk has been here for some time. The challenge is that all too often what risk managers have is simply a snapshot of their third party risk at a certain time.
“We can look at proposals and agreements we have signed with those third parties, which may include areas such as data security and standards, but we do not have the resources to identify the risks during the entire life cycle of our agreement. How do we stop simply being reactive? Is it a case of continued conversations? At present, we do not have a clear answer.”
She said that one approach is to analyse vendor questionnaires, but that this must be done through a clear framework. She said: “We need to understand access and data flows. This is an area where we may well want to have some influence on third party security systems to ensure they are of a level we are comfortable with. We need to establish a framework that will perform the assessment at onboarding and then at key stages of the relationship such as at contract renewal.
“The reality is that businesses have hundreds of third party vendors. We need to take a risk based approach and must have a framework where there are more touchpoints and greater communication with those who have access to our most sensitive information. We talk about assessments, such as testing for vulnerabilities, but it depends on the application. Some will send any enquiries to their legal teams where the reply is all too often simply ‘no’. We need to move beyond the onboarding questionnaire.”
She said that businesses need to assume that at least one of their partners will be breached in the next year and plan accordingly. This means agreeing responses and communication plans before an incident happens.
On the thorny topic of artificial intelligence, Friedlich-Barsky stressed that the use of AI in the business comes with complexity. Firms must decide who has access to the tools and what questions they’re allowed to ask.
She said: “We are still in the early days of AI and because of that we have the opportunity to examine it from all angles and we can do so securely. That opportunity will also allow companies and risk managers to put in place the tests and requirements that will enable the business to fully evaluate the risks.
“The biggest issue is you have to know when you need to put the foot on the brake, and say we can no longer work with you. We need to be able to call it out when a risk is simply too great. Security professionals need to invest in their relationship with the business.
“If the business does decide to go forward with a partnership that you feel is too much of a risk then you need to be able to document the reasons. It means that if things do go wrong in the future, there is evidence that the risks were fully assessed.”
Using such a data-driven approach, leading organisations are now able to test thousands of third parties, rank them across risk domains for criticality and then develop a focused response, said Scott McCowan, EY Americas Risk Management Leader. “As companies continue to lean into their third-party network, a data-driven approach to screening allows for better coverage, real-time data, continuous monitoring and targeted assessment activities.”
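The risk-based, data-driven screening described above (scoring each third party across risk domains, ranking the inventory by criticality, setting reassessment touchpoints beyond the onboarding questionnaire, and recording the reasons behind any decision to escalate or walk away) can be sketched in a short script. The following is an added illustration written for this page, not code from EY, PayPal or either speaker; the domain weights, tier thresholds, cadences, escalation rule, vendor names and ratings are all constructed assumptions.

```python
"""Risk-based tiering of third parties: an added illustration, not from the article.

Each vendor is rated across several risk domains, the weighted score sets a
criticality tier, the tier sets how often the vendor is reassessed after
onboarding, and a vendor whose exposure crosses a threshold is flagged for
escalation with the reasons recorded, so a decision to continue or walk away
is documented. All weights, thresholds and vendor data are constructed.
"""
from dataclasses import dataclass

# Domain weights in percent (sum to 100). Constructed, not an industry standard.
DOMAIN_WEIGHTS = {
    "data_sensitivity": 35,   # what data the vendor handles for us
    "access_level": 25,       # how deep its access into our systems goes
    "external_rating": 25,    # posture from external reports / ratings (4 = poor)
    "breach_history": 15,     # disclosed incidents in the recent past
}

# Composite-score floors for each tier, checked from highest to lowest. Constructed.
TIERS = [(75, "critical"), (50, "high"), (25, "medium"), (0, "low")]

# Days between reassessments for each tier after onboarding. Constructed.
CADENCE_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

# Composite score at which the relationship is escalated for a walk-away decision. Constructed.
ESCALATION_THRESHOLD = 85.0


@dataclass(frozen=True)
class Vendor:
    """One third party, with each domain rated 0 (negligible) to 4 (severe)."""
    name: str
    data_sensitivity: int
    access_level: int
    external_rating: int
    breach_history: int


@dataclass(frozen=True)
class Assessment:
    vendor: str
    score: float
    tier: str
    reassess_in_days: int
    escalate: bool
    rationale: tuple  # documented findings behind the tier and any escalation


def composite_score(vendor: Vendor) -> float:
    """Weighted 0-100 score; integer arithmetic until the final division keeps it exact."""
    total = 0
    for domain, weight in DOMAIN_WEIGHTS.items():
        rating = getattr(vendor, domain)
        if not 0 <= rating <= 4:
            raise ValueError(f"{vendor.name}: {domain} must be 0-4, got {rating}")
        total += weight * rating * 25      # rating/4 * 100 == rating * 25
    return total / 100


def tier_for(score: float) -> str:
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "low"  # unreachable while TIERS contains a 0 floor


def assess(vendor: Vendor) -> Assessment:
    score = composite_score(vendor)
    tier = tier_for(score)
    reasons = []
    # Record every domain rated 3 or worse so the tier is traceable to findings.
    for domain in DOMAIN_WEIGHTS:
        rating = getattr(vendor, domain)
        if rating >= 3:
            reasons.append(f"{domain} rated {rating}/4")
    # Escalate on overall exposure, or on the specific combination of privileged
    # access and poor external posture regardless of the composite (constructed rule).
    escalate = score >= ESCALATION_THRESHOLD
    if escalate:
        reasons.append(f"composite {score} >= escalation threshold {ESCALATION_THRESHOLD}")
    if vendor.access_level == 4 and vendor.external_rating >= 3:
        escalate = True
        reasons.append("privileged access combined with poor external rating")
    return Assessment(vendor.name, score, tier, CADENCE_DAYS[tier], escalate, tuple(reasons))


def rank_vendors(vendors) -> list:
    """Assess every vendor and order by descending exposure for a focused response."""
    return sorted((assess(v) for v in vendors), key=lambda a: a.score, reverse=True)


# Constructed inventory for demonstration.
SAMPLE_VENDORS = [
    Vendor("payments-processor", data_sensitivity=4, access_level=4, external_rating=3, breach_history=2),
    Vendor("newsletter-tool", data_sensitivity=1, access_level=1, external_rating=1, breach_history=0),
    Vendor("cloud-backup", data_sensitivity=3, access_level=2, external_rating=2, breach_history=1),
]

if __name__ == "__main__":
    for a in rank_vendors(SAMPLE_VENDORS):
        flag = "ESCALATE" if a.escalate else "ok"
        print(f"{a.vendor:20} {a.score:6.2f} {a.tier:8} every {a.reassess_in_days:3}d  {flag}")
        for r in a.rationale:
            print(f"    - {r}")
```

The rationale tuple is the part worth keeping: it is the evidence, per vendor, that the exposure was assessed and why a tier or escalation was assigned, which is what an organisation needs on file if the business overrides the recommendation and something later goes wrong. The domain ratings would in practice be fed from questionnaire answers, access and data-flow reviews and external reports rather than typed in by hand.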