What’s in your supply chain?
If you’re like many organizations today, this is a question you’re asking. Whether your supply chain is physical, logistical or cyber, your organization has extended its enterprise by relying on partners to provide products and services critical to your success. Operations and services have been outsourced to companies that specialize in those services. Many of your information and data services now reside in the Cloud.
The management of third parties and the security of supply chains have become a boardroom issue. This reflects the realization that physical, operational, cyber, financial, and reputational risks are now distributed well beyond the traditional boundaries of your organization. Organizations are only as protected and trusted as the weakest partner in their supply chain - the proverbial “weakest link.” Do you know what yours is?
The partners providing the parts, outsourced services and cloud services to your business have adopted similar strategies in extending their enterprises. Each of your suppliers has its own extended enterprise of outsourced and cloud services. It’s not just third-party risks, but now fourth- and sometimes fifth-party risks.
Vendor and partner risk management has moved to the top of the corporate agenda - this is especially true for publicly traded companies. A newly adopted international accounting standard, SSAE 18, places a major focus on assessing in detail how organizations are managing risk, especially third-party risk. The year 2018 will see major rollouts of vendor assessment programs and an increase in self-assessment questionnaires and on-site audits. How well, and how rapidly, will your organization be able to answer these questions?
A Third-Party Management Program (TPMP) will enable your organization to identify risks and manage them in an effective and sustained manner. For most organizations, third-party risk management takes place in “bursts”, usually focused around a new partner or service of significance to the organization just before contracting. TPMP takes a life cycle approach to ensure that risks are crystallized and managed throughout the life of the relationship. It treats all your third-party relationships as a portfolio. A key aspect of managing this portfolio is transferring responsibilities and risks to partners and ensuring that partners are consistently meeting these obligations, especially for the management of their third parties.
Critical to an efficient and effective TPMP is an up-to-date inventory of partner services and an assessment of corresponding risks. Steps to complete this process:
- Inventory all service agreements
- Identify corresponding risk for each service agreement
- Identify compensating controls
- Rate criticality to your organization
- Rate residual risk to your organization
- Identify action items to manage immediate and on-going risks
To facilitate this process and engage your supply chain, we leverage the Powernoodle Approach to uncover hidden information and significantly accelerate the key activities and their outcomes.
In today’s connected and interconnected organizations, Third Party Risk Management has become critical to your organization’s success, and to its very survival. The sooner this process is started in 2018, the sooner you will know what is in your supply chain, so you can manage risks in a manner expected by your customers, stakeholders, fiduciaries and investors.