Summary: There is a growing interest in calling third-party risk management "Extended Enterprise GRC/Risk" rather than "third-party risk". The reason is that the modern organization is not defined by brick-and-mortar walls and traditional employees. Today, third parties are part of the organization, and that is an extended enterprise. Talking about "third parties" as such makes it feel that these relationships are a commodity that can be scrapped, rather than a vital part of the organization and what it delivers.
Imagine the loyal customer of a small community financial institution, a regular user of its mobile app. The app may be the primary way the customer manages their accounts, their most frequent interaction with the institution’s entire business. For the customer, this app, trusted with their sensitive financial information, is effectively the institution’s entire brand.
For the institution, this critical app may also be the product of a third-party fintech provider – an organization the customer would likely never know existed.
Often indistinguishable from in-house products or services, many third parties now provide services that are better or more economical than anything an organization could pull off on its own.
This profusion of closely integrated, critical third parties has given rise to the concept of “the extended enterprise,” a growing recognition that relationships go well beyond a simple transaction and can be as important as an internal business unit.
Third-party services appear almost mandatory to compete in today’s business environment. Yet, are organizations doing enough to treat the closely integrated third parties of their extended enterprise with the same risk management standards as an internal business unit?
While the proliferation of third-party services is a well-established trend, headlines continue to abound where an incident at the vendor level – a cyber breach, a service interruption, unethical practices – came back to damage the client organization. Even though an outside organization may be to blame, the risk, and consequences, are shared throughout the extended enterprise.
It is not surprising in this reality to see that risk leaders continue to cite third-party risk management as one of the top challenges in their professions.
Third-party risk management – a growing challenge
In practice, “digital transformation” has often boiled down to a pivot to the extended enterprise – the outsourcing of traditionally in-house operations to best-in-class external providers. Why suffer the expense of keeping up a data center when someone else’s data center can deliver equivalent cloud services over the internet? Why manufacture a part in-house when digital plans can direct a third party to do so perfectly and more affordably?
Digital transformation has helped fuel an explosion in the use of third parties. An average of all responses to a 2020 report by Ponemon Institute and CyberGRX showed a typical organization uses 5,884 third parties. While some businesses will have far fewer, some have far, far more. For example, retail giant Walmart said it has more than 100,000 suppliers globally, and noted that many of those suppliers in turn have their own suppliers.
Walmart’s accounting came as part of a statement of standards for sourcing responsibly made products. The organization’s values extend to those it chooses to do business with. Even for a small organization, this same logic often applies.
The challenge comes in applying those values during the third-party vetting process and, for that matter, throughout the course of the relationship. Ethics are just one dimension of a third-party risk assessment; the security of sensitive shared data and the risk of political sanctions are two of many others.
Information risk deserves special concern. The ability to seamlessly share data with third parties over the internet, and the ability for third parties to deliver many important services via the cloud, is one of the core mechanisms driving the business opportunity of the extended enterprise. Yet, it is a major driver of risk as well – that same connectivity can provide inroads for a cyberattack that puts the client organization’s own operations at risk.
With many considerations and a potentially vast number of third parties, it can become a major task to effectively assess third-party partners and monitor them on an ongoing basis. Not all third-party relationships will hold a high strategic value warranting the greatest level of scrutiny, but do organizations fully grasp which vendors belong on that list?
To complicate matters further, risks often span different functional areas. One business unit may own ethics and compliance, while another owns cyber risk. This increases the chance that a third party may not receive proper scrutiny across all areas of risk, especially over the long term. While the vast majority of organizations assign an executive-level role to the job of risk integration, that specific role differs, potentially suggesting that no clear-cut best practice exists for how to approach this problem.
The extended enterprise – a new world
Recent socioeconomic events, the global shift to a remote workforce and increasing reliance on third parties are all driving a heavier emphasis on the concept of the extended enterprise. This requires risk management leaders to have a seat at the table, and for organizations to have a culture that treats third parties with the same risk standards that would apply to an internal business unit. The dimensions of potential risk involving third-party relationships are complex and varied, emphasizing the importance that business units speak the same language when it comes to assessing risk.
Because the extended enterprise is only as strong as the sum of its parts, ensuring its strength is mission critical to business success. Third-party risk management is more important than ever for its potential impact to business reputation and critical customer relationships.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.