A point-in-time approach to risk management is no longer effective

Among organizations that engage third parties to provide business services, 83% identified third-party risks after conducting due diligence and before recertification, according to Gartner.

Gartner’s survey of more than 250 legal and compliance leaders reveals that the standard point-in-time approach to risk management is no longer effective in today’s landscape of fast-paced, rapidly changing business relationships.

With an increasing number of third parties performing new-in-kind and noncore services for organizations, material risks cannot always be identified prior to the start of a business relationship. Modern risk management must account for ongoing changes in third-party relationships and mitigate risks in an iterative way — that is, on a continual basis, rather than at specified intervals.

“Legal and compliance leaders have relied on a point-in-time approach to third-party risk management, which emphasizes exhaustive upfront due diligence and recertification for risk mitigation,” said Chris Audet, research director for Gartner’s Legal & Compliance practice. “Our research shows an iterative approach to third-party risk management is the new imperative for meeting business demands for speed and stakeholder demands for risk mitigation.”

The legacy approach to third-party risk management

Due to the changing nature of third-party risk, it has become an increasingly important focus area among legal and compliance leaders in 2019. According to Gartner’s data, there are a number of factors that have contributed to this shift:

• Eighty percent of legal and compliance leaders state that third parties provide new-in-kind technology services for organizations, including startups and business model innovators, rather than incumbent service providers.
• Two-thirds of legal and compliance leaders find third parties are providing services outside of the company’s core business model.
• Third parties now have greater access to organizational data.
• There is increasing variability in the maturity of organizations’ third-party networks.
• Third parties are working with an increasing number of their own third parties (fourth and fifth parties).

With a point-in-time risk management approach, compliance leaders attempt to identify potential third-party risks upfront with extensive due diligence before contracting and again at recertification. However, this approach is largely ineffective: Not only does it contribute to longer onboarding and waiting periods, it also fails to capture any risks that may arise due to ongoing changes throughout the relationship. Among survey respondents who identified risks post-due diligence, 31% of those risks had a material impact on the business.

“Ninety-two percent of legal and compliance leaders told us that those material risks could not have been identified through due diligence,” said Mr. Audet. “The only way to surface those risks was through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.”

An iterative approach improves risk management outcomes

Gartner data shows that an iterative approach to risk management allows legal and compliance leaders to improve risk and business outcomes in terms of speed to engage, and by remediating and identifying third-party risks before their impacts materialize.

Organizations that applied an iterative approach experienced almost four times the level of business partner satisfaction with the speed to engage, twice the ability to remediate risks prior to impact and 1.5 times greater ability to identify risks prior to impact.

“An iterative approach will enable legal and compliance leaders to manage their changing and expanding third-party networks, while also satisfying business demands for quicker onboarding,” said Mr. Audet.

Key risk management transitions for compliance leaders

For organizations that wish to shift from a point-in-time to an iterative risk management approach, there are three key steps that legal and compliance leaders should take:

1. Streamline due diligence requirements to focus on the most critical risks.

2. Establish internal triggers to monitor for change.

3. Create controls and incentives to monitor for change.

“To effectively mitigate third-party risks, compliance leaders must streamline their current due diligence processes to focus on critical risks,” Mr. Audet said. “This will eliminate burdensome duplicative process and focus attention on the risks that have the biggest impact on the organization. But, most importantly, they must build in triggers to monitor for changes that give rise to risk over the course of the relationship.”

Build a supply chain security program

“If you’re not protecting your own network against basic threat actors, doing your due diligence to properly patch, and holding your suppliers accountable for securing their own networks, you have no hope in protecting against nation-states or more capable threat actors. This is where third-party testing comes in handy to trust and verify your suppliers,” said John Sheehy, Director of Strategic Security Services at IOActive.

Sheehy offers a few key steps you can take today to build a supply chain security program:

1. Know your suppliers and look upstream as well as downstream. Start with your tier-one suppliers and then identify tier twos and others. Take a full inventory of who you do business with so you can identify any weak links.

2. Conduct a risk assessment. Once you’ve identified all your partners, you need to properly assess each one’s cybersecurity posture so you know the risks they may pose to your organization. You must consider where each device or component was built and who exactly built it. Is there a possible backdoor or counterfeit part? Or is it just the more likely software quality issues that can result in a breach?

3. Utilize third-party testing. Hire a third-party firm to test your system, and that of your suppliers, to provide actionable results on what you need to fix first.

4. Regularly scan and patch all vulnerable systems.

5. Use strong passwords. Teach your employees about the importance of using strong passwords and not recycling them across accounts.

6. Ensure your staff has set up multi-factor authentication everywhere possible.

7. Conduct regular security awareness training to teach employees how to identify phishing scams, update software and become more security-conscious.

8. Harden the security of the devices connected to your networks.