Gary Lynam, director of ERM advisory at Protecht, explores the threats posed by tightening compliance regulations and how risk managers can mitigate them
Tightening compliance regulations are reflecting growing concerns about the serious, and often hidden, risks posed by third parties and how these potentially weak links could jeopardise operational resilience.
Gone are the days of relatively straightforward direct relationships with third-party suppliers and other external partners.
Today’s world of outsourcing and digital transformation has led to increasingly interwoven relationships with higher levels of risk that are complicated to contain.
To protect consumers, regulatory bodies in the UK have already introduced legislation to hold financial firms responsible for the resilience of services provided by their critical third parties (CTPs).
The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have all set out measures and, more recently, the EU’s Digital Operational Resilience Act (DORA) will bring in another series of rules covering third-party and vendor risk management.
Beware of fourth parties
Recognising how interdependencies across vendors could play out is the first step towards being able to mitigate their associated risks and ensure business continuity if faced with disruption.
From providing critical infrastructure to managing supply chain operations and marketing platforms, vendors increasingly play a pivotal role in the operational resilience and commercial success of many organisations across industries.
Nowadays managing risks associated with these third parties is no longer enough, as these relationships have the potential to introduce further weaknesses when they are linked to fourth parties and beyond.
”Recognising how interdependencies across vendors could play out is the first step towards being able to mitigate their associated risks”
They can leave organisations vulnerable to another level of hidden risks, particularly cyberattacks. If any supplier in the chain fails to have effective security protection, then the repercussions can reverberate throughout the entire ecosystem.
As evidence, cybercriminals have already demonstrated that they can bridge easily into other systems without being detected. Recent examples at Twilio and Mailchimp show how these breaches quickly moved into third-party networks putting multiple businesses at risk.
Twilio’s breach impacted 1,900 of their own customers and Digital Ocean reported that the security of customers was threatened when an account with Intuit Mailchimp was compromised as part of a wider Mailchimp security incident.
Adding another dimension with AI
The arrival of AI presents yet another set of challenges, with specific legislation to regulate its use pending in the form of the EU’s draft AI Act.
Although, it’s worth noting that existing regulations including the recent Consumer Duty and the upcoming UK Data Protection Bill, already guard against the pitfalls of using automation in decision-making about customers.
Worldwide, organisations are grappling with creating policies to cover their use of AI, including banning it completely in some cases. But when it comes to third parties the issue becomes blurred.
With many manufacturers and suppliers promising to integrate AI into existing products and services, it’s likely that vendors will be using tools, data and services that rely on AI to some degree.
”Data sharing with suppliers introduces further data protection risks, as sensitive information might be mishandled or exposed accidentally.”
Consequently, they could be making decisions using third-party algorithms in the offerings they provide to their customers. And if these algorithms are flawed or unintentionally biased, they risk causing significant problems for the businesses they serve.
Additionally, data sharing with suppliers introduces further data protection risks, as sensitive information might be mishandled or exposed accidentally.
Although, it’s only early days in the evolution of AI, security concerns are being raised about employees sharing confidential information with tools such as ChatGPT, including providing source code and uploading recordings of confidential meetings.
While AI offers significant opportunities with its massive processing capabilities, minimising its potential for misuse does add another dimension to vendor risk management.
A unified approach to vendor risk management (VRM)
With more innovations in AI and new technology to come, supplier ecosystems will become more complicated and intertwined than ever before.
Having a unified risk management strategy with like-minded suppliers can benefit the operational resilience of all parties involved if deployed and maintained effectively.
Good practice requires a structured and systematic process which means initiating stringent upfront due diligence before approving and onboarding a vendor.
This should set out clear expectations of the relationship, and remove any vendors from the selection process that would undermine operational resilience. Setting out rigorous supplier selection criteria to mitigate risks will avoid problems further down the line.
It’s important to determine the criticality of each vendor based on the products and services they provide and use this evaluation to define the level of ongoing vendor monitoring required.
”Having a unified risk management strategy with like-minded suppliers can benefit the operational resilience of all parties involved”
Identify and evaluate the controls they have in place to manage risks and how they affect the resources they deliver, including how they extend to fourth parties, and agree on the frequency and detail required for controls assurance.
Consider contractual clauses which clearly specify requirements for assurance, and other operational resilience activities that suppliers are expected to participate in.
Treat vendors as part of the extended enterprise and take a collaborative approach to risk management. Include critical vendors in operational resilience processes and testing, such as cybersecurity incident response and management.
Support these processes with systems and tools which provide a single, integrated view of all vendors, risks, and operational resilience.
Streamlining risk management
Take advantage of risk management platforms to standardise policies and increase efficiency by centralising and digitising the risk management process.
Automated solutions offer the benefits of predefined templates, workflows, and controls that align with industry best practices and regulatory requirements.
”Organisations that have the vision to proactively collaborate with strategic suppliers to mitigate risks will be better positioned to maintain operational resilience”
By streamlining risk assessments, mitigation, and reporting, they promote uniformity across an organisation and its supplier ecosystem.
Two-way communication with vendors can also be recorded through such platforms ensuring vendors complete IT security and compliance questionnaires, respond to feedback, and commit to improvements for the future.
Organisations that have the vision to proactively collaborate with strategic suppliers to mitigate risks, whether apparent or which might arise in the future, will be better positioned to maintain operational resilience for themselves, customers, and their ecosystem.