If you were diagnosed with a life-threatening disease, wouldn’t you seek a second opinion and expect additional tests to be performed?
For potentially risky third parties, whether you are already doing business with them or are considering it, reexamining them can provide additional insight for actionable decision-making.
Third-party risk assessments provide a general understanding of a company’s potential security posture at a specific point in time. Typically, a qualitative or semi-quantitative risk matrix (i.e., Impact x Likelihood, with ordinal numbers standing in for high, medium, and low) is used to rate risks against predetermined factors, and the resulting risk and/or tier level drives how frequently an organization reassesses. A quantitative approach to risk (i.e., one that uses statistics) requires decomposing, or breaking down, the risk. This provides two valuable outputs: more data with better insight, and a more detailed and meaningful rating.
Quantifying and Leveraging Risk Ratings
Every organization has its own fingerprint and approach for assessing and managing third-party risk. Typically, a risk rating combines assessment results with the third party’s access to data, access to systems or networks, and the criticality of the service or product it provides. The result of quantifying risk is helpful, but sometimes the path to getting there is the greater benefit: regardless of the approach taken, third parties that are identified as high risk are categorized that way for a reason.
Below are three points to consider when quantifying third-party risk and how that information can be leveraged within your third-party risk management (TPRM) program.
1. Driving Value from Decomposing Risk
How does your organization currently handle high-risk vendors and what due diligence is performed? Within organizations, the different tiers of third-party risk ratings usually have different due diligence requirements, which could include re-sending a questionnaire, collecting additional artifacts, and perhaps performing an on-site audit. Approaching risk in a quantitative instead of a qualitative manner will require you to break down the risk into relevant and tangible scenarios. These scenarios will also require understanding the assets at risk, the threat landscape, and potential vulnerabilities. This method provides a repeatable approach to better understanding the threats and overall risk of the third party.
2. Utilizing Statistics for Measurement
Does your current method for calculating third-party risk give you enough specific information to make well-informed decisions and plans? Organizations sometimes only touch the surface and do the minimum required to calculate risk qualitatively. In that case, the output of a risk matrix is usually determined by multiplying ordinal numbers (arithmetic that ordinal scales do not really support, since “high” is not three times “low”) to arrive at a value bucketed as high, medium, or low. In contrast, a true quantitative approach still relies on subjective expert estimates, but it also requires critical thinking and the use of statistics to arrive at a range of values presented in a more actionable format. Instead of classifying a risk as low, medium, or high, you would describe it as “with 90% confidence, if event x happens this year, the loss will be approximately between $2M and $4M.”
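The contrast between an ordinal matrix and a quantitative range, as an added example that is not part of the original article: the matrix function multiplies Impact x Likelihood scores and buckets the product, while the quantitative path fits a lognormal distribution to the $2M to $4M 90% confidence range quoted above, combines it with an assumed annual event probability (15% is a hypothetical number chosen for illustration, and the scenario description is made up), and simulates many years to produce an expected annual loss and loss-exceedance probabilities. Fitting a lognormal to a 90% interval is a common technique in quantitative risk analysis, not a method the article itself prescribes.

```python
"""Ordinal risk matrix versus a simulated quantitative loss estimate.

Added example: the scenario, the 15% event probability, and the bucket
thresholds are assumptions for illustration only.
"""
import math
import random
from statistics import mean

# --- Qualitative: ordinal Impact x Likelihood matrix ------------------------
ORDINAL = {"low": 1, "medium": 2, "high": 3}


def matrix_rating(impact: str, likelihood: str) -> str:
    """Multiply two ordinal scores (1..9) and bucket the product back into
    high/medium/low. The arithmetic is only as meaningful as the labels."""
    score = ORDINAL[impact] * ORDINAL[likelihood]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# --- Quantitative: calibrated range + event frequency, simulated -----------
Z90 = 1.6449  # z-score bounding a two-sided 90% interval of a normal


def lognormal_params(lower: float, upper: float, z: float = Z90):
    """Turn a 90% confidence interval on loss into lognormal mu and sigma,
    so that exp(mu - z*sigma) == lower and exp(mu + z*sigma) == upper."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * z)
    return mu, sigma


def simulate_annual_loss(p_event: float, lower: float, upper: float,
                         trials: int = 20000, seed: int = 1) -> list:
    """Simulate `trials` years. Each year the event occurs with probability
    p_event; if it does, the loss is drawn from the fitted lognormal."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu, sigma = lognormal_params(lower, upper)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def percentile(values: list, pct: float) -> float:
    """Nearest-rank percentile; 0.0 for an empty list (no loss years)."""
    if not values:
        return 0.0
    s = sorted(values)
    k = int(round(pct / 100 * (len(s) - 1)))
    return s[max(0, min(len(s) - 1, k))]


def summarize(losses: list) -> dict:
    """Collapse the simulated years into the numbers a decision needs."""
    nonzero = [x for x in losses if x > 0]
    return {
        "expected_annual_loss": mean(losses),
        "p_any_loss": len(nonzero) / len(losses),
        "loss_if_event_p5": percentile(nonzero, 5),
        "loss_if_event_p95": percentile(nonzero, 95),
        "annual_p95": percentile(losses, 95),
    }


def loss_exceedance(losses: list, threshold: float) -> float:
    """Fraction of simulated years whose loss meets or exceeds threshold."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


if __name__ == "__main__":
    # Assumed scenario (hypothetical): vendor remote-support account abused
    # to exfiltrate customer records. Ordinal view first, then quantitative.
    print("matrix rating:", matrix_rating("high", "medium"))
    yearly = simulate_annual_loss(p_event=0.15, lower=2e6, upper=4e6)
    for key, value in summarize(yearly).items():
        print(f"{key:>22}: {value:,.2f}")
    for t in (1e6, 3e6, 5e6):
        print(f"P(annual loss >= ${t/1e6:.0f}M) = {loss_exceedance(yearly, t):.3f}")
```

The summary dictionary is what the second line of defense would hand to the first and third lines: an expected annual loss for budgeting, the 5th/95th percentile loss given the event for the range statement, and exceedance probabilities for thresholds such as an insurance deductible. Changing `p_event` to reflect a compensating control shows directly how much that control is worth, which a high/medium/low label cannot.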
3. Communicating to the Three Lines of Defense
Are you effectively communicating any high risks associated with your third parties across the three lines of defense in a manner that they can react to? As discussed earlier, quantitative risk analysis provides two valuable outputs: more data with better insight and a more detailed and meaningful risk rating. For example, if you are part of the second line of defense (risk management and compliance), you will be providing that data and insight to both the first line of defense (operational management) so they can manage the day-to-day risk and support the controls while also supporting the third line of defense (internal audit) so they can effectively provide independent assurance as needed. The more specific and meaningful quantitative rating based on monetary loss events provides context to all three lines of defense while simultaneously providing the ability to communicate upward to executives, speaking in a language they can understand.
The recommendation here is not to upend or drastically change your TPRM program, but to consider reexamining targeted third parties that pose a high risk to your organization in a quantitative manner. That reexamination is an opportunity for you to better understand threats, identify controls, and reduce vulnerabilities in your assets specific to those third parties.
- Review how high-risk third parties in your organization are currently evaluated from a threat perspective. Is the current approach too broad? Does it provide enough insight into the impact? Take note of the identified threats and controls listed for that third party vs. your desired output.
- Discuss the output of your risk assessment for a specific high-risk third party. Without reading the notes or the full risk report, can you take the rating output alone and have the context needed to make a decision? Compare the output of the risk assessment with what you would need from the rating to make a decision, and take note of the gap.
- For a high-risk third party, review the recommended controls for the specific risks and discuss them with your first and third lines of defense. Is there enough information for all lines of defense to adequately perform their jobs? Ask for their input on how they would like to receive that information and take note of any potential gaps.
Through these three simple exercises, you can have a better perspective on how you examine high-risk third parties and determine if your TPRM program is doing everything it can to support both the first and third lines of defense.
You might not be able to perform this approach for a large percentage of third parties within your organization, but when targeted to where the greatest risks lie, it provides an opportunity for significant improvement. Remember, it’s not always about the output from a quantitative risk assessment, it’s about the process: undertaking the steps that deliver that output will better inform and protect your organization.
About the Author
Matthew Karnas is the Cybersecurity & Risk Practice Lead at Sila. He has 18 years of experience providing professional services to Fortune 500 companies and government agencies across multiple verticals. He brings a unique mix of both technical and functional experience advising on information technology, cybersecurity, and risk management practices and approaches to drive client successes.