
Unleashed - How to Thrive as an Independent Professional


Mar 25, 2024

Show Notes

Craig Callé talks about third party risk management (TPRM), with an emphasis on cybersecurity. TPRM is a subset of Governance, Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainty, and act with integrity. Craig argues that TPRM is crucial because, by his account, over half of all data breaches occur through insecure third parties. Companies need to understand their third party relationships and monitor them more carefully, which requires a variety of tools and processes. He explains that TPRM can cover a variety of risks: cybersecurity, but also financial viability, compliance with privacy, sanctions and other regulations, reputation management, supply chain issues, and alignment with ESG and sustainability objectives.

Defining GRC and Third Parties

Craig explains that GRC is a broad category that includes TPRM, but also enterprise risk management (ERM), business continuity or operational resilience, policy management, controls compliance, privacy and ESG. ERM typically maintains a risk register, which compiles all the potential threats that can affect a company; the register is crucial to building a more predictable and measurable system for achieving the company's objectives at the lowest possible risk.

He mentions that the term "third parties" should include not just vendors and suppliers, but also often-overlooked entities such as outsourced service providers, software-as-a-service (SaaS) applications, cloud hosts, contractors, ecosystem partners, technology partners, and financial counterparties.

GRC Frameworks

He mentions that much of the governance side of GRC work involves picking a suitable framework and building a program around it. In cybersecurity, for example, NIST is a widely used standards body, and he mentions a few other frameworks that give leaders a roadmap for reaching a high standard of operation.

Organizational Relationships

The head of GRC is responsible for ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, the executive responsible for GRC might report to a Chief Risk Officer, if there is one, with a dotted line to the board audit and risk committee.

Since many TPRM programs focus exclusively on cybersecurity risk, the head of TPRM often reports to the Chief Information Security Officer (CISO).

Third Party Risk Management Responsibilities

The head of third party risk management is responsible for several processes: onboarding new third parties, periodic audits, ongoing real-time monitoring, reporting, and investigating and responding to incidents. The exact responsibilities depend on the organization's level of maturity and the complexity of its processes. Craig offers a few examples of the complexities that have to be taken into account, including the fact that risk management processes can be seen as blockers by the rest of the business, and offers a tip on how to overcome this.

Software for Third Party Risk Management

Craig talks about the importance of selecting the right software for clients, highlighting the pros and cons of a best-of-breed approach versus a multi-module suite. He mentions examples of TPRM workflow automation platforms, including ProcessUnity, MetricStream, ServiceNow, LogicGate, BitSight, and many others. These platforms handle issuing questionnaires and other assessments, reviewing responses, routing issues to specific people or groups within the organization, risk scoring, and reporting to stakeholders.

Cyber risk ratings, which have been around for over 10 years, are now a natural complement to workflow platforms. Ratings provide objective, outside-in data that help triage the community of third parties by quantifying each one's exposure to a data breach. They provide easy-to-digest results that don't require an IT certification to understand, expressed as FICO-like scores or letter grades. Because they are derived from what is observable from outside, they are best used to prioritize which third parties get a full assessment rather than as a substitute for one.
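As an added illustration of the triage such ratings enable (example code written for these notes, not code from any platform Craig names; the 0-1000 rating scale, the letter-grade bands, the 100-point "significant drop" threshold and the vendor records are all assumed):

```python
"""Triage third parties by combining an inherent-risk tier (what the party
does for us) with an outside-in cyber risk rating (how exposed it looks).

Added example for these show notes; the scale, bands, thresholds and
records below are assumptions, not any rating vendor's real numbers.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed letter-grade bands for an assumed 0-1000 outside-in rating.
GRADE_BANDS = [(800, "A"), (700, "B"), (600, "C"), (500, "D"), (0, "F")]
SIGNIFICANT_DROP = 100  # assumed: a drop this large triggers re-review

# Lower rank = handled sooner in the review queue.
ACTION_RANK = {
    "full assessment now": 0,
    "targeted questionnaire": 1,
    "annual assessment + continuous monitoring": 2,
    "monitor only": 3,
}


def letter_grade(score: int) -> str:
    """Map a numeric rating to the assumed letter-grade band."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


@dataclass
class ThirdParty:
    name: str
    category: str              # vendor, SaaS app, cloud host, contractor ...
    holds_customer_data: bool
    has_network_access: bool
    business_critical: bool
    rating: Optional[int]      # None when no outside-in rating exists yet
    prior_rating: Optional[int] = None


def inherent_tier(tp: ThirdParty) -> int:
    """1 = highest inherent risk, 3 = lowest; ignores the rating entirely."""
    if tp.holds_customer_data or tp.has_network_access:
        return 1
    if tp.business_critical:
        return 2
    return 3


def recommended_action(tier: int, grade: str, dropped: bool) -> str:
    """Decide the assessment depth from inherent tier and rating signal.

    An unrated party is treated like a weak grade: the absence of objective
    data must never let a high-tier party slip down the queue.
    """
    weak_signal = grade in ("D", "F", "unrated") or dropped
    if tier == 1:
        return "full assessment now" if weak_signal else "annual assessment + continuous monitoring"
    if tier == 2:
        return "targeted questionnaire" if weak_signal else "monitor only"
    return "monitor only"


def triage(tp: ThirdParty) -> dict:
    tier = inherent_tier(tp)
    grade = "unrated" if tp.rating is None else letter_grade(tp.rating)
    dropped = (tp.rating is not None and tp.prior_rating is not None
               and tp.prior_rating - tp.rating >= SIGNIFICANT_DROP)
    action = recommended_action(tier, grade, dropped)
    return {"name": tp.name, "tier": tier, "grade": grade,
            "dropped": dropped, "action": action}


def prioritise(parties: list) -> list:
    """Return party names ordered by urgency: action, then tier, then score."""
    rows = [triage(tp) for tp in parties]
    by_name = {tp.name: tp for tp in parties}
    rows.sort(key=lambda r: (ACTION_RANK[r["action"]], r["tier"],
                             by_name[r["name"]].rating if by_name[r["name"]].rating is not None else -1))
    return [r["name"] for r in rows]


# Constructed sample population (fictional names and numbers).
SAMPLE = [
    ThirdParty("PayrollCloud", "SaaS app", True, False, True, 820, 830),
    ThirdParty("LogiShip", "vendor", False, True, False, 560, 700),
    ThirdParty("Cafe Supplies", "vendor", False, False, False, 450, 460),
    ThirdParty("NewAnalytics", "SaaS app", True, False, False, None),
    ThirdParty("EventsCo", "contractor", False, False, True, 650, 660),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE):
        print(triage(next(tp for tp in SAMPLE if tp.name == name)))
```

Note the two ways a party reaches the front of the queue: a weak or sharply falling rating on a high-tier relationship (LogiShip), and a high-tier relationship with no rating at all (NewAnalytics). A low rating on a party that holds no data and has no access (Cafe Supplies) stays at "monitor only", because the rating alone says nothing about what that party could actually expose.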

He explains that companies may want to share data across modules, although some organizations are siloed and miss opportunities to collaborate. For example, if a company has both privacy management and TPRM software, there is a natural logic to connecting the data map required by privacy regulations to the third parties that might hold customer data. He also emphasizes that an advisor needs to understand the customer's problems, the solutions it has already inherited, and its timeframe and budget constraints. Ripping and replacing existing solutions is rarely feasible or desirable.

AI has become an important tool for parsing voluminous assessment data to identify the critical facts, although human review remains an essential element of the process.

Predicting Improvements in TPRM

Craig believes that over the next decade, the focus of third party risk management will involve high-level orchestration across CISOs, risk officers, and procurement people, perhaps led by what he calls a Chief Third Party Officer, or CTPO, leading to a more comprehensive view of not just risk, but also third party performance. He thinks third parties deserve the same level of scrutiny that a Chief HR Officer would apply to employees and job candidates.

Timestamps:

05:15 Third-party risk management and GRC

11:57 GRC roles and responsibilities in a Fortune 500 company

16:10 Third-party risk management processes and responsibilities

21:59 Third-party risk management software and techniques

27:26 Third-party risk management and platform automation

32:21 GRC and third-party risk management


Links:

Company Website: https://sourcecalle.com/

LinkedIn: https://www.linkedin.com/in/craigcalle/

Unleashed is produced by Umbrex, which has a mission of connecting independent management consultants with one another, creating opportunities for members to meet, build relationships, and share lessons learned. Learn more at www.umbrex.com.