The better the question
Can you separate risk from reward when it comes to third parties?
Third parties are a necessary part of business, but it’s increasingly important that the risk they pose is managed effectively.
In our highly connected world, third-party relationships are more important than ever. However, these relationships can be risky – from digital breaches originating from outside an organization to the ongoing threat of supply chain disruption – third parties, managed poorly, can broaden exposure to a range of threats. EY’s recent 2019-2020 third-party risk management survey (pdf) found that:
- 47% of companies reported having a service outage caused by a third party at some point in the last two years
- 36% reported experiencing a data breach caused by a third party over the same time frame
Third-party relationships are also heavily regulated, with major pieces of legislation introduced in the past few years – including General Data Protection Regulation (GDPR), Payment Services Directive (PSD2), and Digital Operational Resilience Act (DORA) – all having considerable impact on how businesses handle outside entities.
This is creating entirely new areas of compliance risk. In order to leverage the strategic benefits of working with third parties, companies today need to find the best way to effectively manage these risks. Third-party risk management (TPRM) programs must be resilient and responsive, agile yet cost-effective.
This was the case for one Italian bank. Following a number of cyber breach events stemming from third-party vulnerabilities, it recognized the need for an overhauled approach to TPRM and approached EY – a long-standing partner in other areas of its business – to collaborate on a solution.
Initially, this was undertaken defensively, so that the bank could better understand and manage the risks presented by a shifting regulatory landscape. However, by covering a wide range of risks – including cybersecurity, business continuity and cyber regulation – the project would also create an opportunity for the bank to extend the scope of its collaboration with third parties.
The better the answer
A centralized approach to TPRM
Building a new model allows the client to get a better hold on the nature and extent of their third-party risk.
Starting in 2018, EY and its client embarked on a far-reaching project to develop a transformed approach to TPRM. This began with identifying three core risks in the bank’s TPRM landscape: cybersecurity risk; business continuity risk; and privacy regulation risk.
EY then worked to transform the bank’s existing operating model by implementing a comprehensive, end-to-end TPRM solution, which included an operational framework, an operating model, a checklist of controls, and a supporting IT platform.
The implementation of EY’s TPRM service has unfolded along three main objectives:
1. Establish an operating model:
EY and the bank worked closely together to develop an operating model to securely govern third-party risk management. Based around EY standard methodologies, the work focused on:
- Designing pre-contract, monitoring and reporting processes
- Building a platform to support the process
- Defining control methodologies
- Providing external operational support
2. Activate the new process:
A new centralized process service was implemented by coordinating all internal functions – including security, IT and risk compliance – and launching a support platform.
3. Execute a managed service:
EY then developed a managed service to provide support for relevant in-scope domains, including cybersecurity, risk and compliance. Particular capabilities developed include:
- Specialist support in pre-contract phase and negotiation
- Due diligence activities
- Execution of assessments
- Continuous monitoring and remediation actions
Thanks to this transformed approach to TPRM, the bank, with EY’s assistance, is now able to comprehensively assess third-party risks, then monitor those risks throughout the partnership and take pro-active remediation steps when new vulnerabilities are identified. For instance, EY’s TPRM solution has enabled the bank to effectively identify contracts, classify them by type (such as IT or supply contracts), and then monitor them for risk and compliance features based on those classifications.
In order to deliver the service, EY was able to draw on its extensive technical and operational capabilities – IT on the one hand, and compliance and functional expertise on the other – and it will be well placed to offer additional capabilities as the scope of the project extends.
While the project was largely based in Italy, where EY’s Bari office had a strong relationship with the bank, its success meant the solution was expanded to the bank’s European subsidiaries. EY teams from Romania, Croatia, Serbia, Bulgaria, Germany, Austria and Hungary worked hand in hand to help clear any specific roadblocks around language or specific local rules.
The better the world works
A transformed TPRM creates new opportunities to collaborate
With a centralized TPRM solution in place, the client was able to engage with third parties with a much greater degree of confidence.
Powered by technology and supported by agile and effective operating models, the bank has seen a range of clear outcomes from transforming their TPRM that will help them better navigate the risk landscape. These include:
- A digital platform that allows them to centralize information gathering and management, including rapidly producing control assessment reports with findings and remediation plans
- A defined end-to-end process, which introduces efficiency into the management of third-party risk, and gives the bank greater agility
- The ability to generate cost savings while remaining confident about compliance
In concrete terms, the TPRM solution has allowed the bank to identify and remediate a wide range of blind spots in their TPRM processes, from improper use of public cloud networks, to an absence of patch management procedures.
A broader benefit is that the bank, now equipped with a robust understanding of the nature of the risks it faces with its third parties, can engage and collaborate within third-party ecosystems with confidence. These are ecosystems that will enable its businesses to realize real agility and see real growth in the years to come.
This service relationship continues, and the modular nature of EY’s TPRM solutions means that the scope of the service is set to grow in the coming year, helping the bank address more and more areas of its third-party risk.
For EY, this has also been a learning experience. Through our work with the bank, and with other TPRM clients, EY has been able to develop a deep understanding of the third-party risk landscape and create an inventory of case points around vulnerability gaps and other non-compliance activities. This in turn has allowed us to continue to offer first-in-class insight and solutions around this ever-growing category of risk.