Tom Pinou, Director, Data Center Operations
Managing your third-party vendors can be a daunting task, but it is a necessary part of doing business. To coin a phrase, “not all vendors are created equal”, and that is an understatement.
Over the years, a lack of appropriate security precautions and risk management processes has surfaced not only among small vendors, but among the big players too. As you may recall, hackers penetrated the Target network using credentials belonging to an HVAC vendor. The hack resulted in the loss of data on 40 million credit and debit cards. Quite suddenly, the corporate world woke up and realized that their vendors could present a major exposure. This whitepaper is not intended to be too hard on third parties; as a matter of fact, there are many strong vendors that follow current security best practices. Its purpose is to help you gain a better understanding of which partners may be your “strongest link” and which might be your “weakest link”.
In this whitepaper, we will briefly discuss three areas: an overall strategic view of managing your outsourcing partners, a definition of the various types of risk, and some best practices for minimizing your company’s risk.
According to Deloitte, organizations must make a strong first effort to manage risk from all directions. They recommend taking control of third-party risk by implementing a strong third-party “Assurance Program”. Once those assurances are documented, they should be enhanced by developing a well-defined “Vendor Management Best Practices” procedure. Then, as your business grows and evolves, continue to refine three critical areas: policy, processes and procedures.
Outsourced Service Providers (OSPs) and third parties have become more and more integrated with their clients’ day-to-day operations. As a result, they have a greater impact on their clients’ internal control framework, including financial reporting as well as auditing and compliance requirements.
Whether you focus on risk management through a contract review or a compliance services review, use that exercise to help your own organization improve internal business processes, maximize revenue, manage costs, address risks, strengthen relationships and boost performance.
According to research on 450 breaches investigated since 2013, an alarming 63% involved a third party. Experian, in its 2015 Data Breach Industry Forecast report, made the case well by saying, “As more companies adopt interconnected systems and products, company breaches or cyber-attacks will likely increase via data accessed from third-party vendors.”
The strategic view of outsourcing is generally comprised of three distinct views: the global view, the risk view, and the industry view.
In the global view of outsourcing today, outsourcing extends far beyond Information Technology (IT) processing or the need to find the lowest-cost alternative to in-house operations. Companies are outsourcing at a global level.
In the risk view of outsourcing, it is important for your company to be aware of all the risks that are typically associated with outsourcing, including, but not limited to, reputational risk, control risk, compliance risk, privacy risk, and financial and operational risk.
Outsourcing any component of your business enterprise to a service organization can introduce any or all of these risks, either directly or indirectly. Direct risks are typically associated with the actual processing or hosting of data. Indirect risks, which can be equally critical, are normally associated with how the data is managed (or mismanaged) and with the clients’ perception of the relationship between the provider and the users of outsourced services. In the industry view of outsourcing, these practices and controls are unique to each industry.
Compliance with industry, government, and other regulatory agencies has become more challenging as more companies manage increasingly complex reporting requirements.
So, what do you do when your vendor is just not keeping up with your business?
Since third parties are often a company’s weakest link, it is important to address this risk appropriately. Some practical suggestions follow:
Experts in the field recommend a multi-directional approach to managing these complex relationships, because of the global reach, the risks, and the industry regulations associated with outsourcing vendor relationships.
In summary, look carefully and closely at your partners, since the cost of doing business, managing efficiencies and minimizing risk with the wrong partnership has a long-term impact on the growth of your business. Both providers of outsourced services and users of outsourced services are seeking the same end goal: assurance that the risks associated with their business are being managed effectively.
Bottom line: you can outsource a process, but you cannot outsource the risk. Know your third party.