Governance, risk management and compliance (GRC) are growing disciplines with continuously changing identities. As more scrutiny and regulations have emerged, leadership teams and boards have realized they do not have a complete handle on their information security maturity levels and how to raise their levels to meet various compliance standards and mandates.
One of the many challenges GRC practitioners encounter is third-party risk management. When thinking of GRC, specifically for the governance of third parties, it may be viewed as a large web of networks and connections. In the center of the web is the glowing, thriving heart of the organization. Organizations have expanded their reliance on third parties, creating dangerous, boundless webs of third-party relationships. Relationships with supply chains and subcontractors further expand this web. Where does GRC fit into the web of third-party connections? The role of GRC is to ensure that these extended enterprise relationships share the same values and commitments to integrity that define the core organization. Managing this web becomes more challenging when the organization must manage the performance objectives, risk and compliance at the relationship, contract, facility and service levels.
The Unknown Risk
Organizations that expand with mergers and acquisitions and the addition of new customers and internal staff members often unintentionally create operational silos. Typically, the IT security team has processes and technologies focused on security, the enterprise compliance and ethics teams are concerned with antimoney laundering laws and corruption, and the accounting team has US Sarbanes–Oxley Act of 2002 (SOX) compliance mandates. Each business unit has its own procedures for managing third-party relationships. These silos result in not having a full picture of the spectrum of risk exposure in these relationships. Even large, complex and critical to business operations web expansions often rely on a once-per-year audit or security questionnaire. Often, the governance of these relationships is missing. Organizations can forget to explain how these third-party relationships deliver on the performance and objectives of the organization’s goals and values. Often, GRC experts neglect to provide context to executives on the "so what" of third-party risk, such as what the risk means for operations, revenue, staffing and budget.
For example, cyberevents such as data breaches are often of serious concern for third-party risk management. GRC experts must provide:
- Context as to the third party's relationship with the primary organization
- The impact of the data breach on the primary company assets
- The potential loss or impact value or lost operation hours
- Any potential disclosures to state and federal regulators
To answer the "so what" of third-party risk is challenging for GRC experts as there are unknown threats and a challenging and almost impossible requirement to quantify the monetary loss of a cyberevent and provide an estimate of how long the cyberevent will impact the organization. A solution to these challenges is strategic GRC third-party risk programming that will support effective and standardized communication across all business units and capture meaningful metrics.
Silo Breakers
To transform GRC with a focus on third-party programming, a strategic purpose and direction should be clearly outlined, including:
- Assessment of organizations based on the aim of reducing the risk presented by third parties to the organization
- Alignment with the broader business strategy
- Understanding that conducting assessments based purely on business demand will not strategically lower the risk profile
How will organizations move beyond this siloed, partial view of their third-party risk? In a holistic GRC program, it means that the organization is capable of reliably achieving objectives (governance) while addressing uncertainty (risk management) and acting with integrity (compliance) in and across the web of third-party relationships. In this model, each relationship still has an interconnected purpose.
Organizations can start to mature and transform their third-party GRC programs by baselining and standardizing key performance indicators (KPIs), which measure the performance and effectiveness of third-party GRC functions and processes, and key risk indicators (KRIs), which determine how much risk the organization is exposed to and what risk treatment plans to apply.
Some of the best metrics for measuring outcome-driven GRC capability are quantified and balanced risk profiling, vendor threat intelligence, context-driven compliance and global and local views of the supplier’s coverage. With quantified and balanced risk, organizations can analyze and understand the risk of doing business with a supplier and the associated mitigations.
With quantified and balanced risk, organizations can analyze and understand the risk of doing business with a supplier and the associated mitigations.
Vendor threat intelligence is collected through open-source intelligence data on the supplier base. An example of this metric would be the mean time to acknowledge (MTTA) for internal account managers after threat intelligence reveals an adverse event. Context-driven compliance builds on understanding the context and commitments of the third party. How compliant are suppliers with the organization’s internal control environment? Lastly, to build a global view and local lens of third-party organizations, the global supplier footprint must be known. Organizations should create a profile of the full coverage of the supplier footprint and ensure they are tiered appropriately for global business.
Advocating for Meaningful Metrics
Third-party GRC programming exists to effectively quantify and manage risk within the supply chain. How organizations report that risk to business stakeholders is as significant as capturing and quantifying the risk. However, the value of the reporting is negated if it is complex, challenging to understand and not placed in context. A mature third-party GRC program evolves from spreadsheets to purpose-built platforms that provide the required multistakeholder lenses on the data. The security team alone is not responsible and accountable for reducing supply chain risk. Organizations need meaningful metrics to inform the rest of the stakeholders of their required actions to manage risk collectively.
The inclusion of meaningful metrics allows for the maturity of the program to grow from being reactive to having a proactive security posture. Many organizations stay between the reactionary stages of the headaches and pains, with GRC practitioners juggling emails, spreadsheets, files and other tools. Eventually, programs move to programmatically onboard and score vendors for prioritized risk management, but this process is static, point-in-time and manual. However, with metrics, programming can move out of this manual spreadsheet process and automate vendor assessments according to the standards that matter to the organization, validating estimates with external, continuous cyber, business and financial risk monitoring intelligence.
Furthermore, third-party GRC programming can eventually proactively and continuously assess, monitor and eliminate vendor risk by fixing what is essential with built-in remediation guidance and best practices.
Solutions That Deliver
Although throwing more technology at a problem is not the only solution, it can be helpful. Third-party GRC programming is robust and with technology and GRC metrics capturing tools organizations can aggregate meaningful data and metrics and break down silos by standardizing how organizations challenge GRC. Only a few Software-as-a-Service (SaaS) third-party risk management tools are designed to facilitate third-party risk management. While not leaving the organization in a hopeless state, GRC practitioners are encouraged to utilize the Open Compliance and Ethics Group’s (OCEG’s) GRC Capability Model 3.0 Red Book—a well-received common industry framework for GRC.1 Organizations should also consider building a road map that includes technology and programming. A multiyear security road map considers how an organization should move forward with implementing security programs while closely aligning with business objectives. The road map consists of an organization’s existing security programs and where those programs need to advance but have the foresight and agility to consider tools and technologies that may have not yet been discovered or invented.
Conclusion
Effective GRC programming establishes an approach to ensure that the proper people get the necessary information when needed, objectives are established, and the right controls are put into place to address uncertain situations and act. A growing part of GRC is the focus on third-party risk management. The increasing use of shared IT resources through third-party relationships has deepened some risk and challenges associated with third-party vendor relationships.
GRC programs already implement risk management, typically focused on critical areas such as cybersecurity and finance. Third-party risk management shifts this thinking around the specifics of vendor relationships. A third-party approach should include strategic thinking around policies, procedures and processes, evaluating the vendor relationships similarly to other risk management solutions. To succeed, organizations must improve resilience and prepare for disruption to remain relevant and deliver value. A high-performing GRC program will deliver universal outcomes by balancing three aspects of its systems:
- Effectiveness in identifying unknown risk by identifying the web of interconnected third-party risk
- Efficiency in breaking down silos of information and monitoring the environment to see what develops to boost agility in third-party relationships
- Creation of an agile and resilient third-party risk program to collect meaningful metrics
Endnotes
1 Open Compliance and Ethics Group (OCEG), GRC Capability Model 3.0 (Red Book)
Roderick Chambers, CISM, CISSP
Serves as a public and private sector entities’ information security and intelligence advisor. He began his career in the US federal government, specifically in the intelligence community, where he served as an intelligence operations professional and technical collections lead. Chambers served as the former deputy superintendent and director of the cyber intelligence unit for the US State of New York State Department of Financial Services. As a career security intelligence professional with more than 15 years of field experience, he has designed, implemented and supported information security programs at organizations of all sizes worldwide.