CastleHill Managed Risk Solutions Blog

How Many Degrees of Separation Are Between You and Your Data?

Posted by Michael Duggan on Jun 29, 2017 2:17:00 PM


Being the master of all you survey is not enough in today’s business climate. Do you know the true risks which lie well below the apparent surface of your operations? Consider third parties – if you’re like most companies, you are increasingly dependent on third party entities to manage any number of critical functions, including IT, line of business applications and more. You understand that third parties create a much more complicated operational and risk picture, but what about fourth and even fifth parties?

Inevitably, as third party usage has grown, third parties themselves have grown. Naturally, with this growth comes a third party's engagement of vendors that support its operations and help it manage the increasing workload. These vendors represent fourth parties to your organization, and they do pose a risk that you may need to consider. For example, do you know where all of your organization’s data is stored and exactly who has access to it? If you are using a third party, be aware that your data could reside with a fourth party in Europe, South Asia, or the Middle East and you might not even know it. These layers of service providers create increased compliance and security risk, and federal regulators know this is a major weak spot in the compliance picture. Compounding the risk picture is many companies’ reliance on their third parties to conduct downline vendor screening and management. Unfortunately, delegation doesn’t equal a shift of liability, so it is important that you ask your third party vendors how they manage the risks that their own third parties present to your organization.

Although you may not want to execute risk assessments against fourth parties, it is important to continuously review your company’s third party risk management program to be sure you are doing everything you can to mitigate risk. Here are some areas to consider right now:

  • Do you know the current risk management climate, including requirements and leading practices?
  • What is your current vendor screening process with third parties? Does it include questions around the vendors they utilize?
  • Have you implemented compliance and mitigation strategies that effectively address your threat picture and all components?
  • What are your ongoing risk assessment and mitigation processes for third and fourth parties (and beyond)?

Pro-active third party risk management is one of the keys to reducing overall operational risk. Start with a thorough understanding of the current and target state of your vendor screening and risk management program and identify the gaps that are leaving you exposed. Better yet, let CastleHill prepare this analysis for you, at no cost, as part of our GRCaaS offerings! For more information on third party risk management and how we improve the efficiency and effectiveness of our clients’ programs, please view our GRCaaS offerings.


Topics: Risk Management