How to efficiently manage third-party risks throughout the management life cycle

4 minute read 27 Aug 2019
By Richard Watson

EY Global and Asia-Pacific Cybersecurity Consulting Leader

Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Related topics Consulting Technology Risk

As more organizations rely on third-party providers, managing the cyber risk of these relationships is becoming more complex. 

Managed services may offer the potential to take a more innovative approach.

Almost every organization is investing in a strong cyber strategy to guard against attacks from criminal syndicates and disgruntled, or careless, employees. But as more businesses rely on third parties, the risk of cyber breaches from these providers is growing. Thirty percent of organizations have been impacted by a breach caused by a third party.

As regulatory pressure increases, third-party risk management (TPRM) is no longer solely a financial services challenge but a board-level priority across most regulated sectors. Organizations are exploring better ways to address the growing burden of third-party cyber risk through new operating models, more automation, shifting from manual to technology-enabled processes and using analytics to generate additional business insight.

More companies are discovering the potential of managed services to increase the visibility of third-party risk, improve compliance with changing regulations, drive better performance of a third-party risk program, deliver greater value for money and free up resources for those activities that add real value to the business.

Four drivers of the shift to managed services

The growing shift toward managed services in cybersecurity is due to four main drivers:

Increasing cost of managing cyber risk.

The increased reliance on third parties across the business means the number of third parties within an organization’s ecosystem is growing at a rapid rate. Attacks and breaches are accelerating, impacting both large and small organizations across the private and public sector. As attacks increase, more emphasis is placed on ensuring third parties are compliant with information security controls and the burden on cyber and risk teams further grows. These factors are accelerating the cost of running an effective TPRM program.

Cost: US$6t estimated global cost of cybersecurity breaches by 2021

Regulations are evolving fast and becoming more complex.

Regulators are ramping up pressure on companies to manage and maintain the oversight of third parties. Failure to do so not only incurs significant fines but also leaves businesses open to serious reputational damage. But responding to rapid regulatory changes with speed and agility is difficult when most third-party risk programs are run manually and based on outdated procedures.

Technology is accelerating faster than companies can keep up.

The pace of technological change makes it difficult to update, maintain and integrate systems effectively. There are many technology providers that operate in this space – from Governance, Risk Management and Compliance (GRC) platforms to niche purpose-built providers, with more emerging all the time. Each will have varying capabilities in automation, integration, reporting and risk management, which makes it difficult for organizations to select the right platform for their business. And implementing and maintaining these platforms in-house is challenging when third-party risk teams are already constrained.

Talent is scarce and hard to maintain.

Organizations are struggling to find and keep staff with the skills to effectively manage third-party cyber risks, especially given the tedious, spreadsheet-based nature of much of the work. In-house resources are far better off being deployed to more high-value activities. With few people available to take on increasing demands, organizations are often forced down the path of costly capacity augmentation.

Managed services can enhance the end-to-end program while reducing total cost of ownership

Because of these four factors, managed services is gaining significant traction in this space. More companies are deciding it makes commercial and operational sense to join forces with a provider with strong expertise in risk management, the global regulatory environment and cybersecurity.

When organizations adopt a managed services model in TPRM, they maintain overall governance of the service while outsourcing its end-to-end execution to a third-party provider with the right specialist talent, more efficient and effective processes, and leading-edge technology.

Deployed in the right way, managed services elevates TPRM beyond merely staying on the right side of regulators – it can add real value to the business through the better management of risk, now and in the future. Key benefits include:

  • Reduced costs of operating the TPRM function. For example, EY’s turnkey solution saves clients 20–50% of TPRM operating costs.
  • Improved transparency and insight into third-party performance.
  • Speed to scale, with managed services offering the ability to get a TPRM program up and running within weeks.
  • Optimized talent that is free to focus on activities that add value, rather than repetitive, mundane tasks.
  • Greater confidence around compliance with regulatory and supervisory requirements.
  • More informed decision-making, based on real-time TPRM reporting with enhanced detail around supplier performance.

Choosing the right provider

The key to a successful managed services relationship is choosing the right provider. Many companies claim to offer end-to-end services but lack the requisite technology platform – and skills – to provide an integrated TPRM solution. When manually provided services and spreadsheets are cobbled together, the ability to find deep insight into third parties’ performance, and spot potential risks, is compromised.

EY’s TPRM solution is underpinned by a tier 1 Cloud SaaS technology platform that allows for a truly end-to-end managed services offering that includes workflow automation, continuous monitoring, API integration, real-time reporting and dashboard functionality. This allows us to more quickly and accurately assess third-party risk profiles, raise findings and track remediation at a time when the ability to move fast to resolve breaches is critical.

Focus on innovation that matters

Since the cost of partnering with the wrong third party has never been higher, outsourcing third-party cyber risk management may be a smarter way forward. Managed services gives organizations the confidence that comes from greater insight into the performance of providers, as well as improved efficiency and reduced costs in an environment where budgets are under pressure. For those in industries where trust is a critical issue, such as financial services, robust cyber risk management will strengthen an organization’s ability to engender trust with regulators, customers and other stakeholders.

And at a time when finding that next wave of innovation is key to gaining a competitive edge, managed services can free up resources to focus on those activities that add real value to the business, including modernizing IT, adopting new technologies and responding to a fast-changing environment. 

Managed services in third-party risk

Our scalable turnkey managed service solution allows you to more efficiently manage third-party risks throughout the third-party management life cycle. Combining deep expertise and technical knowledge, we’ll help you:

  • Take control of and optimize your vendor third-party cyber risk program, enabling you to oversee the program without the need to invest in new technology, build new applications or acquire new resources and skills
  • Apply expertise and insights into markets, regulations and technology from local and global thought leaders, and other clients, both now and into the future
  • Automate business processes with built-in workflows
  • Provide greater business insight with real-time reporting and interactive dashboards
  • Integrate with business systems to enable more effective end-to-end risk management processes
  • Transform from a point-in-time assessment model to a valuable continuous risk management approach, thereby reducing risk and increasing ROI
