It has become clear that third-party risk is a huge deal. Companies are outsourcing even their critical functions, especially to cloud-service providers (CSPs). In turn, regulators and policymakers are cracking down.
What can companies do to manage risk, stay productive, and ensure compliance? Read on to learn the digital strategies needed to manage third-party risk.
Regulatory pressure to mitigate third-party risk
The first thing companies must do is understand the scope of the problem. And it’s extensive.
As of 2022, 73 per cent of Deloitte global survey respondents stated they had moderate to high levels of dependence on CSPs. Already staggering in itself, the figure is set to jump all the way to 88 per cent in the years to come.
This level of dependence has compelled regulators and policymakers to intervene. Under the banner of operational resilience compliance, regulators in particular have put forth specific compliance requirements for firms that have “outsourced” material business activities to third parties.
The European Union has gone further than most, passing the Digital Operational Resilience Act (DORA), which mandates entities operating in its vast jurisdiction to establish third-party risk management (TPRM) measures to mitigate ICT (information and communications technology) risk.
Leading practices in third-party risk management
With its focus on digital operational resilience, DORA is the perfect place to start when creating a framework for third-party risk management. The Act itself includes a subsection on third-party ICT risk, and those requirements can form the basis of a best-practice third-party ICT risk management program.
The requirements include, but are not limited to, the following:
- Entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
  - The nature, scale, complexity, and importance of ICT-related dependencies
  - The risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers
- Entities shall adopt and regularly review a strategy on ICT third-party risk, as part of the entity’s ICT risk management framework, taking into account the multi-vendor strategy. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis.
- Entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.
Digital technology to help manage third-party risk
Fortunately, firms don’t need to approach compliance with the same manual processes and methodologies they might once have used for general risk management.
Indeed, advances in digital technology have led to integrated resilience management platforms purpose-built to streamline activities throughout the third-party lifecycle.
These platforms use automated workflows to invite vendors and gather due diligence information through questionnaires and documents, simplifying the onboarding process for third parties. Once a vendor is onboarded, service details, contracts, and risk assessments are set up in collaboration with the vendor to ensure alignment between the parties.
What other capabilities should you be looking for? Download our Guide to the Strategies and Digital Tools Needed to Manage Third-Party Risk to find out.