Some Risk Managers rely upon reported findings from internal risk assessments as the primary source of risk data in their Third Party Risk Management (TPRM) programs. Too often this approach drifts over time from a primary to an exclusive source. That is a missed opportunity: other contributors to your operations already hold data that could be incorporated, and leaving it out often results in undetected vulnerabilities and avoidable exposures for your enterprise. These sources can provide alternative perspectives through the lens of different disciplines, unique detail on third party performance, and discrete validations of, or challenges to, the self-assessment findings arising from internal risk assessments.
Third Party Data Choices
Some of the third-party sources of input to your risk management program are standard byproducts of audit, compliance, and procurement processes, particularly with respect to third parties. These processes may incorporate reviews of external audits by banks, regulators, and government agencies, as well as services that monitor and evaluate the financial health of firms, such as Dun & Bradstreet. Some of these services can serve as a check or confirmation against internal assessment findings, while others may be a source of research leading to the curation and analysis of aggregate data. Services such as D&B® Direct, integrated into DoubleCheck’s TPRM solutions, are a representative example of such a detailed, maintained source of reliable financial performance information. Reports from regulators, particularly ones based upon standards such as SOC 1 and SOC 2, or compliance data regarding performance against a known standard such as HIPAA, HITECH, the General Data Protection Regulation (GDPR), or FINRA, to name a few, can yield a great deal of objective input to your risk evaluation. Independent reviews of your financial and accounting management by external auditors may offer further insight into which controls are effectively in force. They may also expose vulnerabilities in data management and retention that need to be addressed.
Discovery of a vulnerability in one area or function may or may not be indicative of a widespread matter. Often disciplines will take on more or less stringent control practices, depending upon their own perception of how valuable their resources might be, and how tempting they might be to malicious actors. However, discovery of a vulnerability in one area is reason to explore its extent across the enterprise. If your risk assessment process employs a framework, you may have also mapped specific controls to the components and categories of risk across that framework. One useful report to create would be one that explores how prevalently a specific control is in use, or, better still, how often it is not. If you identify controls that are largely not in force, there are several possible reasons. The control may not be relevant to your business. It may be unclear, especially difficult to implement or maintain, or too costly in staff resources. In some cases, it may create more disruption and expense than the vulnerability justifies. You will need to explore which controls are necessary, which are being avoided, and establish some alternative approach to address any significant vulnerability. Keep in mind that a weakness in one area may instigate others in related ones. These may not be obvious at first glance but may be the result of chained events, where, for example, a delay in patching servers in a distribution operation leads to service outages and missed performance metrics for product delivery. You likely can identify many others in your enterprise.
Integration, Instigation and Collaboration
Identifying third party data sources is a start, gaining access to them is the obvious next step, and with that, understanding how frequently these sources update or refresh content is important. There are calendars and schedules to understand and align where possible. If your risk assessments are annual, using the most current data from all sources makes the most sense. Where cycles are more frequent, it is even more important to identify the most recent and up-to-date iterations of any inputs, in particular from third parties, where you are a subscriber at best and cannot control the timing and frequency of reviews, reports, or examinations. How you access this data is equally important. Ideally, you are using a GRC tool that offers data import features, or has already enabled integration features that only require authentication and configuration. These support automated integration into your risk databases and provide data in a form that is ready to use without manual intervention or handling by any staff. The value here is that such features are flexible and readily extensible as your enterprise and risk program expand. In cases where such tightly integrated automation may not be possible with a third party source, structured forms coupled with dedicated data extraction tools may offer some amount of resource-light capture and collaboration. Often, these forms are built around MS Word or Excel based files or editable PDFs. They may require some testing and modification to reflect field name conventions, or combinations and concatenations of fields, to tailor them to target database specifications.
Data expressed as numerical rankings, ratings, or scores may be less challenging to align and import than narrative text. Often, the content of narrative comments cannot easily be extracted from its source context and assigned to a categorization that is readily meaningful in your database of risk information. However, standard outputs from third parties usually reuse their own methods and structures, so this “translation” exercise may not need to be repeated often. The work may at first glance seem tedious, but it can pay significant dividends in the value and accuracy of your risk processes. Keep in mind the intent: to provide your assessment’s subject matter experts and dedicated risk analysts with the richest and most complete picture of the current field of threats, weaknesses, remediating controls, and alternative risk strategies deployed, so they can make an informed evaluation of your current risk posture.
Some GRC tools provide input forms and methods already mapped to the assessment and reporting processes in their modules. Such tools serve as alternatives to more costly data extraction and transformation utilities. Dedicated services, where integration is an out-of-the-box feature, offer not only the value of the third party content itself, but ease of implementation and vendor-provided updates when needed to keep the embedded service working seamlessly. Again, this is a product maintenance and reliability matter. Features that are part of a product offering are maintained through upgrades and patches. They require some testing, but installation and continued maintenance will not involve detailed and complex service-by-service testing and segmented upgrades. That is important to keeping administrative and support costs in line.
It is also important to consider calendars and frequencies of data refresh when preparing to integrate external findings with those you gather internally. Your assessment schedule and frequency likely will not directly align with external inputs. Aligning time periods with the schedule and frequency of your internal risk assessments is important to preserve and enhance the relative relevance of this external data. Mismatching them could result in identifying issues that have already been remediated since the review or assessment finding. Often external sources from audits, regulators, and the like run on annual schedules. When including this data you need to use the most recent available, but also take note of the relative gap between your assessment and the latest inputs from external sources. Those findings, when presented to your subject matter experts, may lead to questions and follow-up that offer useful detail.
KPIs, KRIs and Metrics
Key performance indicators (KPIs), key risk indicators (KRIs), and metrics in general offer great opportunities to understand where your risk program fits relative to others in your industry. They can also offer insight into third party performance against contractual standards. Further, they can point out areas where your own operations meet, exceed, or fall short of expectations. Operating KPIs may tell you more than just how a service or process performs. Their value, compared to some expectation of performance, may allow them to serve a dual role as KPI and KRI, where a weak showing indicates a potential risk or vulnerability resulting from the process failing to meet a required standard. Other metrics, including ones monitoring control performance, can offer assurance of process control effectiveness and of management attention to important detail. In themselves, these are signs of an attentive and risk-aware management culture.
Where Integration Offers Risk
How data integration occurs can present a risk on its own. If the integration is through periodic data transfers, how is this done? What controls secure access to, or exchange with, the external service? Is a secure channel, encrypted and with strong authentication controls, in place? How are credentials managed, and how frequently are they changed? What is the process for assuring that the data offered has arrived without alteration? In the shadow of recent events at SolarWinds it is vital to assure that only unaltered data is allowed to be integrated and repurposed. The eagerness to acquire the benefits noted above from integrating external data sources into your risk program cannot of itself expose your enterprise to equal or greater risks through the practices used to access and utilize that data. The specifics must be coordinated with your IT team to determine the best means of data access. The controls for file sharing are different from those for real-time access to an external data source or enterprise. Regardless, it is important to design controls and implement practices that assure end-to-end security. An external source is an extension of your risk perimeter and requires the same attention as any other extended endpoint in your overall risk footprint.
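The integrity check and the refresh-gap question raised above (and in the earlier discussion of aligning calendars) can be made concrete in a small import routine. The following is an added Python example, not code from this article or from any DoubleCheck or D&B product; the CSV export, the severity vocabulary, the digest, and the assessment date are all constructed, and the digest stands in for a value that a real source would publish out of band (a signed manifest, a separate message), never inside the same file it protects.

```python
import csv
import hashlib
import hmac
import io
from datetime import date

# Constructed sample export standing in for a third party findings file
# (e.g. a structured form exported to CSV). Not real vendor data.
SAMPLE_EXPORT = b"""vendor_id,finding,severity,as_of
V-1001,Patch backlog on distribution servers,High,2020-11-30
V-1001,Access reviews not evidenced,Medium,2020-01-10
V-2002,Encryption at rest confirmed,Low,2021-02-01
"""

# In practice the expected digest arrives through a separate channel from
# the source; here it is computed from the constructed sample so the
# example runs offline.
EXPECTED_DIGEST = hashlib.sha256(SAMPLE_EXPORT).hexdigest()

# Hypothetical mapping from the source's severity words to an internal
# 1-4 risk scale, the "translation" step the article describes.
SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed date of the internal assessment this import feeds.
ASSESSMENT_DATE = date(2021, 3, 15)


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """True only if SHA-256 of the received bytes matches the out-of-band
    value. compare_digest avoids leaking where the comparison diverged."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def import_findings(data: bytes, expected_hex: str, assessment_date: date,
                    max_age_days: int = 365) -> list:
    """Refuse altered files, map severities to the internal scale, and flag
    findings older than max_age_days relative to the assessment date."""
    if not verify_digest(data, expected_hex):
        raise ValueError("integrity check failed: export will not be imported")
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    records = []
    for row in reader:
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_SCALE:
            # Unknown vocabulary is an error, not a silent default.
            raise ValueError(f"unmapped severity {row['severity']!r} "
                             f"for {row['vendor_id']}")
        as_of = date.fromisoformat(row["as_of"])
        age_days = (assessment_date - as_of).days
        records.append({
            "vendor_id": row["vendor_id"],
            "finding": row["finding"],
            "risk_score": SEVERITY_SCALE[severity],
            "as_of": as_of,
            "age_days": age_days,
            # Stale findings are kept but flagged so analysts can ask
            # whether they were remediated after the source's review.
            "stale": age_days > max_age_days,
        })
    return records


def run_example() -> list:
    """Import the constructed export against the constructed assessment date."""
    return import_findings(SAMPLE_EXPORT, EXPECTED_DIGEST, ASSESSMENT_DATE)


if __name__ == "__main__":
    for rec in run_example():
        flag = "STALE" if rec["stale"] else "fresh"
        print(f"{rec['vendor_id']} score={rec['risk_score']} "
              f"age={rec['age_days']}d {flag}: {rec['finding']}")
```

The digest check happens before any parsing, so a file altered in transit is rejected outright rather than partially loaded. The staleness flag does not discard old findings; it marks them so that the gap between the source's review date and your assessment date is visible to the subject matter experts who will question them.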
Integrating external, third party data into your TPRM risk assessment and management practices offers clear value and an opportunity to refine, sharpen, and position your risk management program within your enterprise and your industry. This input can serve as a control on internal practices, while also aligning performance with market and industry expectations. Attention to security is needed to assure that the external data, and access to it, are secure. These risks should not be minimized, but neither should they outweigh the potential gains offered by data integration. Incorporating such data offers an advantage, operationally and strategically, and it is worth exploring. Where your resources support its inclusion, it is a worthwhile enhancement to your risk management practice.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.