When considering the current geopolitical landscape coupled with growing cyber threats and financial pressures, 12 sessions across two days solely dedicated to discussion of third-party risk management (TPRM) still doesn’t seem like enough.
Yet, each of those issues and more were examined as part of Compliance Week’s TPRM Summit held Monday and Tuesday in Chicago. A room of more than 100 compliance, risk, and legal practitioners exchanged ideas and best practices along with hearing from experts regarding the pain points impacting their organizations and where they’ve found success.
Below are five topics that came up frequently during the event.
Resource issues: “You take everything going on in our industry right now—more risks, new risks, less people—we’ve got to have systems in place to help us manage risk,” said Jeff Foresman, vice president of risk and compliance at information security company Optiv.
If emerging from pandemic lockdown had businesses excited about ramping up the onboarding of third parties again, ongoing fears of a recession might have already stunted such plans for many organizations. Multiple panelists spoke of how gaining resource support is still a problem and isn’t likely to improve given the current economic forecast.
And yet, more than 90 percent of Foreign Corrupt Practices Act enforcement actions involve third parties, noted Morrison and Foerster Partner Charles Duross, who previously led the FCPA Unit at the Department of Justice (DOJ). Duross advised paying close attention to the resources the DOJ puts into enforcement efforts instead of the number of enforcements themselves to properly understand the capacity of the regulator.
Keeping tabs on nth parties: So much is out of an organization’s control when it comes to the businesses their third parties might employ. The best place to start with handling fourth parties and beyond is to define their materiality, said Linda Tuck Chapman, chief executive officer of the Third Party Risk Institute.
“Those are the fourth parties you want to know about,” she said.
Evaluating your third parties’ TPRM capabilities is another impactful strategy, Chapman explained. “If your third parties and fourth parties are doing their job, chances are pretty good they’re doing the same things you are, which means your fifth parties (are managed) and so on. That’s as close as you’re going to get, unless you come up with some brilliant solution we haven’t thought of yet,” she said.
Another strategy to nip nth-party risk in the bud is to not allow outsourcing in contracts with high-risk third parties, said Melanie Gallagher, head of TPRM at financial software company Intuit. Alternatively, you can permit outsourcing—though with the caveat your company is able to review and approve.
Communication/points of contact: “One of the things I’ve found to be really effective is thinking about what’s your mission and what’s your objectives,” said Ellen Hunt, principal consultant and adviser at Spark Compliance Consulting, regarding educating the general workforce on their responsibilities. “… If you’re not connecting all the dots, it can be really hard for people to understand.”
This is an area where leadership support can make all the difference. Rodney Campbell, head of TPRM at Valley National Bank, said he starts with training the board before engaging relationship managers to ensure a top-down approach—a strategy echoed by several other speakers.
Practitioners engaging with mismanaged third parties might often find themselves asking, “‘Doesn’t anybody know what’s going on?’” Hunt said. Such lapses in communication underscore the need to identify specific points of contact as part of oversight efforts.
Cyber risks here to stay: Recently exposed vulnerabilities like Log4j and hacks of platforms including SolarWinds and Accellion have created shell shock for many companies—especially when data privacy laws make clear you bear ultimate responsibility for your data.
With Russian cyber threats a popular area of concern right now, Darren Hayes, associate professor at Pace University, remarked how politically motivated malware variants have a way of spreading. Consider “NotPetya,” which in 2017 made its way beyond its targets in Ukraine to multiple corporations that were forced to spend hundreds of millions of dollars to repair the damage done to their networks.
William Nelson, associate general counsel at the Investment Adviser Association, said data security should be seen as a prerequisite to data privacy. That includes physical security, which is often an overlooked aspect of protection. A single computer left open at your business or a third party’s could lead to a significant cyber incident.
Know your limits: Go slow to go fast. Never pretend you know it all. Don’t try to be involved in everything. These mantras were among hard lessons learned expressed by multiple speakers during the event.
“You can’t solve everything,” said Chapman. “But you can solve a lot of things by doing the right things and building the right processes and tools.”