Seating third parties at the risk table
Federal, state and local agencies, higher education institutions and commercial organizations rely on third parties to provide products and services and to help achieve their missions. Bringing on third parties also introduces risk: cyber and information security exposure, compliance gaps, the financial viability of the provider, and reputational harm. Recent federal executive action (Executive Order 14028), NIST guidance (Key Practices in Cyber Supply Chain Risk Management, NIST IR 8276) and a growing number of supply-chain-related vulnerabilities have prompted organizations to place greater emphasis on third-party risk management.
At its core, this approach lets organizations monitor and assess the risk posed by third parties against an understood and accepted risk tolerance. Under the umbrella of an Enterprise Risk Management function, organizations can manage third-party risk in step with, and in proportion to, their overarching risk strategy.
On Oct 17, the Partnership for Public Service and Deloitte & Touche LLP held a working session, moderated by Deloitte Managing Director Cynthia Vitters and Deloitte Senior Manager Jeff Welch, entitled “A Cross-Sector Look at Third-Party Risk Management.” The session featured panelists Thomas Brandt, chief risk officer of the Federal Retirement Thrift Investment Board; Robert Clark, chief audit and compliance officer at Howard University; and Rosa Underwood, IT specialist in the Office of Information Technology Category at the General Services Administration.
The session focused on integrating third-party risk management into an organization’s existing systems and on the synergies that come from applying internal risk principles to the organization’s third-party ecosystem. The discussion opened with panelists sharing examples of third-party risk, which ranges from service breakdowns and non-compliance by service providers to supply chain disruptions that affect the sourcing of hardware. In academia, universities must also factor in both public- and private-sector responsibilities when managing third-party risk.
Takeaways on third-party risk management
During the session, panelists emphasized the following considerations to keep top of mind when establishing a third-party risk management program:
- Plan ahead and be proactive rather than reactive in every facet of the third-party risk management process. Gain more visibility into your third-party environment and the risks it poses, and evaluate third-party performance more frequently.
- Educate all functions of an organization (mission, procurement, legal, IT, risk and senior executive leaders) as to the risks third parties bring to an organization.
- Break down silos, share information and proactively review your risks and opportunities to cultivate a risk-averse culture.
- Define and communicate the roles and responsibilities of all stakeholders across the third-party lifecycle.
How can you further mitigate your risk exposure? These five recommendations can help incorporate the insights from our working session into your organization:
- Understand your supplier and vendor relationships, specifically their impact on your operations, and let your degree of reliance on each relationship guide where to focus risk management effort.
- Establish governance and formalize a baseline structure for how your organization will manage the evolving third-party risk landscape.
- Create a shared vocabulary for the varying types and sources of third-party risk, so that everyone has a clear understanding of how those risks will be managed.
- Integrate third-party risk management into your overarching enterprise risk management program (where one exists) to connect risk processes and extend your risk management expectations beyond the four walls of your organization.
- Consider using technology to support your third-party risk activities, both to drive efficiency and to break down siloed information repositories.
This blog post was co-authored by the Partnership for Public Service (Will Kimball and Triveni Patel) and Deloitte teams, including Cynthia Vitters, Dave Mader, Larry Koskinen, Jeff Welch, Ryan Murphy, Varun Malhotra, Eliza Clark and Mark Stofanak.