With mask mandates lifting and nearly half the country’s population vaccinated, it’s easy to think the COVID-19 pandemic is behind us. Your organization’s third-party risk management (TPRM) program would beg to differ.
Many businesses are still sorting through the new layers of risk that have emerged over the last 16 months. Cyber-security controls already stressed by remote work are facing further disruption amid a recent surge in ransomware attacks, global supply chains remain in disarray, and the financial aid that businesses and individuals have been receiving won't last much longer.
It is against this backdrop that Compliance Week virtually held its annual TPRM conference, TPRM21. The two-day event, beginning Tuesday, kicked off with a keynote from Linda Tuck Chapman, CEO of the Canada-based Third Party Risk Institute. Chapman was quick to note during her discussion the effects of the pandemic on TPRM practices in general and how companies have managed the disruption.
“The pandemic and the ripple effects are going to be with us for some years to come because of the impact it’s had—such catastrophic impact—on business and our practices,” she said. “Those companies that invested in third-party risk management and had a really good idea who they were doing business with … are the ones that have come through this the best.”
It isn’t all gloom in looking toward the next few years. For one, COVID-19 has brought about an “awakening” for the C-suite, as Chapman put it. Executives are now more likely to recognize third parties are an essential part of the business, and that comes with greater commitment toward chief compliance officers in their quest to manage the associated risks.
CCOs looking to embrace the opportunity for additional support should begin determining the best way to make their case for funding. Chapman’s advice: Start with the business rather than the compliance requirements.
“If you can find a way to step back, look at the business value, and do the math on what the manual cost is of doing a good job managing your extended enterprise, I think that is the foundation for a very powerful business case,” she said.
Top risk areas
TPRM flows in many directions, but Chapman took care to focus a portion of her discussion on what she feels are currently the top three areas of risk for companies:
- Cyber-security
- Business resilience
- Financial health
One need only look at last year’s SolarWinds hack to gain an understanding as to why cyber-security should be atop the list. The massive data breach that compromised the software vendor quickly proved far broader in scope than originally thought, with close to one-third of the victims not even running the SolarWinds Orion product that was initially considered the entry point for hackers.
The Securities and Exchange Commission last week announced it is investigating SolarWinds clients regarding the breach. The probe reportedly seeks to determine whether businesses affected properly disclosed their exposure.
“You can’t turn around today without hearing about another serious cyber-attack,” Chapman said. “It’s rippling through organizations.”
Fourth parties (and beyond)
Conducting due diligence at the fourth-party level is near-impossible for the average-size company, Chapman noted. Instead, the focus should be on building relationships with your third parties, including through collaboration.
“Third-party risk management is not a proprietary secret,” she said. “The more we can share about how to do this right, the better we’ll be as consumers of services and at protecting ourselves from bad actors. … If you don’t see what you need in your third parties, share some of your tools with them.”
Trust in your vendors will make it easier to work with them on understanding how they select, screen, and manage their own third parties and the associated risks. From there, Chapman advised focusing on recognizing which fourth parties are “material.” Among the best practices she suggested: get legal involved to define that term, and write the definition into contracts.