
Third-party Risk Management: Hold Your Vendors to High Standards


When organizations engage third parties, they cannot overlook the importance of vendor risk management.

To compete in today's global marketplace, businesses routinely engage third parties, but every third party an organization hires comes with risk. That's why third-party vendor risk management must be a core competency of organizations that engage with external entities.

What questions should business leaders be asking to mitigate risk from third-party vendors, particularly around security and privacy? And has the nature of work during COVID-19 altered this picture?

Set the Bar High

When an organization engages a third party, it needs to establish clear expectations from the beginning of the relationship, says Phani Dasari, VP of Global Third-Party Risk Management at ADP.

"You want to make sure that the chain of trust is maintained with your partner network; partners have to adhere to the highest standards that you have as an organization," he says.

Dasari also recommends that as soon as an organization identifies the need for a third party, it should focus on that entity's inherent risk: the level of risk your business faces from the relationship before any mitigating controls are applied. Also, develop an understanding of the third party's business and the extent to which it would touch your organization's data and infrastructure.

Evaluating a third party's inherent risk also requires analyzing areas such as its business resiliency capabilities, its ability to combat bribery and corruption, and whether it has the right data privacy program in place to facilitate compliance with relevant regulations, such as Europe's General Data Protection Regulation and California's Consumer Privacy Act. Having taken this step, organizations can then assign the third party to a risk tier, with "Tier 1" being the riskiest and requiring the greatest degree of oversight.

Put It in Writing

To avoid creating complicated contracts that spell out every internal control requirement in exact detail, Dasari recommends including language that sets the bar in line with industry standards, if not higher.

If a gap in the third party's environment that would take time to resolve comes to light during the vendor due diligence process, Dasari suggests bringing it to the attention of the business unit that intends to engage with the third party and getting its explicit sign-off to continue working with that entity.

"The question that business unit needs to answer is, 'Do you agree to continue to do business with them while they fix this issue and accept the potential risks until then?'" Dasari notes.

He also stresses the need for contractual clauses that allow for checks outside of the annual assessment to determine whether the third party has fixed or is fixing any problems identified by your organization.

Remote Work Creates New Risks

In light of the current business environment and the impact of the coronavirus on third parties, Dasari sees a shift in the risk landscape due to some employees having no option but to take client information home. He also acknowledges the potential for a third party's employees to fall victim to a phishing scam that tricks them into clicking on a link that downloads malware to their device. Dasari says third parties should require their employees to use work devices for work purposes only. Enforcing these rules will lessen the risk of someone wandering onto a malicious website.

Dasari recommends that organizations ask third parties to explain how they plan to raise awareness of such risks and the countermeasures they have put in place to mitigate the potential impact of an attack or breach.

Above all, Dasari stresses the important role that communication plays in helping organizations understand the risks that third parties face and pose. For instance, as soon as the pandemic hit, Dasari's team reached out to all of its vendors to determine whether they were capable of running their business for the next 120 days and whether their business continuity plan was going to be effective in handling the disruption.

While some organizations may overlook the need for third-party vendor risk management, businesses of all sizes should set aside the time and effort to vet their partners. Most third parties possess the means to manage their risks proactively, but it never hurts to scrutinize and confirm the existence of a robust risk management program.

Protecting the security and privacy of our clients and their data from malicious activity is a top priority for ADP.