Organisations need formal vendor risk management programmes, study

News by Robert Abel

Third-party risks pose a "serious threat" to organisations but upper management may be able to curb the threat, according to a recent study.

A recent study conducted by the Ponemon Institute and Shared Assessments found that 70 percent of respondents felt that third-party risks in their organisation are significantly increasing and many of them blamed disruptive technologies like cloud services and the Internet of Things (IoT).

The Tone at the Top and Third Party Risk report queried 617 individuals who have a role in the risk management process in their organisations and are familiar with the governance practices related to third-party risks.

New technologies and cyber-threats are expected to play a role in evaluating third-party risk profiles.

Cyber-attacks and the IoT are expected to have the most significant impact on an organisation's third-party risk profile: 78 percent of respondents said cyber-attacks will have a significant impact on the risk profile and 76 percent said the same of the IoT, the study said.

The study also found that a changing threat landscape has already cost organisations millions of dollars as a result of third-party mishaps.

“In the past 12 months, organisations represented in this research spent an average of $10 million [£6.9 million] to resolve the consequences of negligent or malicious third parties,” researchers said in the report.

Adding to the challenge, accountability for managing third-party risk is often dispersed throughout an organisation rather than centralised with a single person or department. Twenty-three percent of respondents said responsibility lies with the compliance department and 17 percent said the information security department is responsible.

Only nine percent of respondents said a risk management department has ownership of the risk.

“It has become imperative for organisations to create formal programmes for vendor risk management in order to avoid being compromised,” Charlie Miller, a senior vice president at the Santa Fe Group, the parent company of Shared Assessments, said in emailed comments.

“This study clearly demonstrates that not only is there a major risk issue stemming from vendor and partner relationships, but the highest level of organisations, the Board and C-Suite, need to better communicate their values across the enterprise, setting a positive tone and creating formal programmes to mitigate this risk, ultimately helping companies to improve their risk management practices,” Miller said.

In order to create a stronger third-party risk management programme, researchers said in the report that CEOs and boards should establish a “positive tone at the top”, meaning the management should be committed to providing a culture and environment that encourages honesty, integrity and ethics.

That could help organisations minimise these third-party risks since employees would be more likely to uphold the same values, researchers said.

Lieberman Software vice president Jonathan Sander told SC that a positive tone is a good place to start, but “without a formal, measured program to back it up, that trust is meaningless”.

“This tone, which serves as code for a ‘trustworthy attitude’, is starkly contrasted by the 78 percent that think cyber-attacks are the biggest source of risk in these relationships, the fact that the second largest group of respondents felt IT security owns that risk, and the fact that only 21 percent felt their approach to third-party risk was highly effective,” Sander said.

“In other words, they are forming these third party relationships based on trust and never verifying that trust with real data,” he explained.
