What COVID-19 May Teach Us About Third and Fourth-Party Risk Management

The public health crisis caused by the spread of COVID-19 has yielded many lessons in crisis preparedness and response. If you are like most organizations, you are starting to adjust your outlook on the months and year ahead to determine where you will focus your efforts. As we have started to reflect on how COVID-19 could change the way our clients think about and prioritize risk, one thing has become clear: risk management practices must evolve to account for all possibilities.

COVID-19 is an ongoing education in third-party risk, and anyone shopping at a grocery, retail, or eCommerce outlet has felt how reliance on third-party suppliers can lead to operational disruption. However, traditional third-party risk management (TPRM) practices address the risk resulting from a vendor's access to sensitive information assets. Service and supply chain risk (resource availability and resilience, single points of failure (SPOF), contingency planning and recovery practices) is often overlooked by a standard TPRM assessment focused on data risk. COVID-19 has helped illuminate the ways in which risk management programs can be adjusted to capture these broader risks and bring more of the extended enterprise under the umbrella of TPRM.

Broadening Your View of Risk

The most pressing risks that third parties introduce on a daily basis continue to be related to the security and privacy of your information assets. Although the outcomes of the COVID-19 crisis are a long way from being determined, it is unlikely that data risk (cybersecurity, privacy, etc.) will cease to be of paramount importance. In a standard TPRM assessment, a vendor may be assessed on both the security and privacy controls in place to protect data processed on your behalf. However, because risk management assessments examine the design and (sometimes) the operating effectiveness of controls, there is no reason these assessments cannot be enhanced with additional domains and control activities that address risks to your supply chain. Existing TPRM support staff, who often have strong backgrounds in audit and controls, are well suited to evaluate these areas and build a more complete picture of risk.

LevelUP’s TPRM methodology places particular importance on ensuring completeness of your third-party universe. However, without including all relevant risk domains, you will not be capturing a reasonably complete risk universe. Third-party risk management practices should include supply-chain-related domains that identify not only the risks that your vendor’s practices introduce, but also the risk that a vendor represents a single point of failure for your operations. Proper onboarding and classification of vendors based on type of service, size, geography, or other factors can yield the data points you need to better understand your population of third parties.

Leveraging Existing Business Continuity Planning

Business continuity plans (BCP) can be a valuable source of information for TPRM professionals. Understanding the inventory and criticality of the various business units can inform more targeted TPRM assessment activities. While BCPs may provide strategic insight into how your organization would view a risk in a particular area, simply relying on business continuity planning may not be enough to evaluate the downstream risks resulting from a growing reliance on third parties. It is likely that the more tactical work of understanding risks at the level of each third party will fall to your TPRM team or other risk professionals. Accordingly, TPRM teams should be familiar with continuity plans so that vendors can be assessed according to the services they support:

  1. Understand the criticality of various business units and operations and prioritize assessment activities accordingly;
  2. Understand business units that are particularly sensitive to downstream service and supply chain risks; and
  3. For vendors that support the identified business units, ensure that assessment activities include service and supply chain considerations.

In a previous post, Four Methods to Refine Your Third-Party Risk Management Program, we highlighted the need to partner closely with business unit owners to gain the context needed to adequately assess risk. Understanding how your organization organizes and prioritizes its operations is yet another tool available to provide this context. Up-to-date business continuity plans should be relied on for this, while TPRM activities help build a clearer picture of how likely it is that a given risk leads to loss for your organization. This also highlights the need for BCPs to be regularly updated and tested (via tabletop exercises) to identify weaknesses where they may not be addressing the risks most relevant to your business. The outcomes of robust TPRM activities can feed these exercises by highlighting likely scenarios that BCPs should address.

Conclusion

COVID-19 continues to be a primary concern for health and human safety. Organizations are still at the early stages of adjusting their near- and long-term outlooks. As we continue to get a clearer picture of how this event may change many aspects of our lives, it is indisputable that COVID-19 is already changing how organizations think about managing risk. Data risk will continue to be a primary day-to-day risk that needs to be managed. As organizations look to strengthen their practices for assessing broader types of risk, TPRM programs are a likely candidate to shoulder some of this burden. The ability to leverage existing tools to gain greater context around your top risks, and the flexibility to add domains and controls that capture the details of those risks, mean that TPRM programs must evolve quickly to provide relevant and insightful information on these changing risks.

Are you looking for assistance building, managing, or optimizing your TPRM program or business continuity planning (BCP) processes? Get in touch with us.