As we move towards a more and more regulated environment, compliance with these regulations comes as an overhead for the organization, as well as for its 3rd and 4th parties. How should third party risk management practices evolve to be smoother and more efficient?
CIO, 2 months ago
TBH I don't think 3rd or 4th party risk should be treated any differently to in-house risk. The risk needs to be understood, documented and tracked/managed, and then any associated risk appetite should reflect the ability to spend against that risk appetite and/or have governance of the risk. For example, having a LOW risk appetite for Cyber events is fine, but this means lots of money needs to be thrown at reducing your Cyber risk factors, and many companies can't afford this level of spend on Cyber, so having a LOW risk appetite when you can't afford it is pointless. The same goes for 3rd or 4th party risk. If you do not have full control of the risk then you have to adjust your risk appetite and associated activities, but if a 3rd or 4th party risk is too great for your organisation to tolerate then the risk exposure needs to change...suggesting the 3rd or 4th party needs to change
Group Director of Information Security in Banking, 2 months ago
3rd and 4th party risk management from a cyber perspective, if done in accordance with boilerplate templates of NIST/ISO etc., needs a mini-department in itself, which is neither sustainable nor able to show an ROI to the business. An effective middle ground needs to be put in motion which is part of an integrated digital risk management framework.
1. Classify business processes in order of criticality (through business impact analysis as part of the BCM process).
2. Map critical processes to underlying applications.
3. Demarcate applications into IaaS / PaaS / SaaS.
4. Identify, using the cloud shared responsibility model, those business-critical applications (and their underlying stack) whose daily operations and management are part of the customer's responsibility.
5. Demarcate these customer-side responsibility holders between in-house vs 3rd/4th parties.
6. Subject these third parties to the risk management framework.
Steps 1-5 should be part of the inventory/asset management process undertaken by IT and form part of IS governance.
Step 6 can lie with the infosec / risk management teams, thereby heavily reducing the effort and mapping that effort back to business processes to show the ROI of time/money spent.
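The six-step narrowing described in the answer above, as an added Python example that is not part of the original thread: it walks critical processes, keeps only the customer-side layers of each service model, and returns the external parties operating those layers. The shared-responsibility layer table, the criticality ranking and the inventory (all names fictional) are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed, simplified shared-responsibility table: the layers the CUSTOMER
# still operates for each service model (provider-side layers are out of scope).
CUSTOMER_LAYERS = {
    "IaaS": {"os", "runtime", "application", "identity", "data"},
    "PaaS": {"application", "identity", "data"},
    "SaaS": {"identity", "data"},
}
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}  # output of the BIA (step 1)

@dataclass
class Application:
    name: str
    service_model: str   # "IaaS" | "PaaS" | "SaaS" (step 3)
    layer_owner: dict    # customer-side layer -> "in-house" or a 3rd/4th party (step 5)

@dataclass
class BusinessProcess:
    name: str
    criticality: str     # "low" | "medium" | "high"
    applications: list   # process -> application mapping (step 2)

def third_parties_in_scope(processes, min_criticality="high"):
    """Return {party: {(process, application, layer)}} for external parties that
    operate a customer-side layer of an application behind a critical process."""
    in_scope = {}
    for proc in processes:
        if CRITICALITY_RANK[proc.criticality] < CRITICALITY_RANK[min_criticality]:
            continue  # not business-critical: skip the whole subtree
        for app in proc.applications:
            for layer in CUSTOMER_LAYERS[app.service_model]:  # step 4
                owner = app.layer_owner.get(layer, "in-house")
                if owner != "in-house":
                    in_scope.setdefault(owner, set()).add((proc.name, app.name, layer))
    return in_scope  # the population to subject to the framework (step 6)

# Constructed sample inventory with fictional party names.
SAMPLE_PROCESSES = [
    BusinessProcess("Payments", "high", [
        Application("CoreBanking", "IaaS", {"os": "HostCo", "runtime": "in-house"}),
        Application("CRM", "SaaS", {"identity": "IdPVendor"}),
    ]),
    BusinessProcess("Marketing", "low", [
        Application("Newsletter", "SaaS", {"data": "MailVendor"}),
    ]),
]
```

With the sample inventory only HostCo and IdPVendor are returned; MailVendor only appears once the criticality threshold is lowered, which is exactly the reduction in effort the answer argues for.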