MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION SPEAKER PATRICK POTTER, RISK STRATEGIST, RSA

Posted 20-Oct-2021


TRANSCRIPT

Page 1: MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND …

MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION

SPEAKER: PATRICK POTTER, RISK STRATEGIST, RSA

Page 2: Housekeeping

Housekeeping
• Download slides at https://go.oceg.org/manage-third-party-risk-with-visibility-insight-and-action
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the OCEG site at https://go.oceg.org/webinars

Page 3: Learning Objectives

Learning Objectives
• Learn about emerging digital risks from using third-party business partners and technologies
• Understand the importance of, and methods to, better evaluate and understand the criticality of your third parties
• Learn how you can take a unified, phased approach to managing these third-party risks

Page 4: MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND …

a. Yes, I have an All Access Pass and I would like to receive a

Certificate of Completion for this event

b. Yes, I have an All Access Pass but I do not need a Certificate of

Completion

c. No, I do not have an All Access Pass but I would like to get one and

receive CPE credit for this and future webcasts I attend

d. No, I do not have an All Access Pass and I don’t want to buy one at

this time (so I won’t get CPE credit for this event)

Poll 1

Do you have an OCEG All Access Pass (a paid membership) and would you like

to receive CPE credit for this event?

4

Page 5: MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION

Dell Customer Communication - Confidential

MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION
Patrick Potter, RSA

Page 6: INTRODUCTION

CONFIDENTIAL

INTRODUCTION
PATRICK POTTER, Digital Risk Solutions, RSA (Archer) / Dell Technologies

Page 7: DIGITAL BUSINESS IS A TOP PRIORITY

DIGITAL BUSINESS IS A TOP PRIORITY
(chart, source: 2017 Gartner CEO Survey)
• 58% Growth / Market Share
• 26% Digital Business / Digital Transformation
• 10% Innovation, R&D, New Products / Services
• 10% Profit Improvement / Profitability / Asset Monetization

Page 8: THE DIGITAL TRANSFORMATION IS UPON US…

THE DIGITAL TRANSFORMATION IS UPON US…
(bar chart, source: 2017 Gartner CEO Survey)
• Technology, General: 21%
• Digital, social, web, online: 14%
• Digital transformation: 11%
• Improvement, general: 10%
• Info, analytics and big data: 8%
• Cloud: 7%
• Automation: 7%
• Cybersecurity: 6%
• IoT: 5%
• Mobile and m-commerce: 4%
• eCommerce: 4%
• Workforce productivity: 1%
• Digital marketing: 1%
• Multichannel: 1%

Page 9: OBJECTIVES OF THE DIGITAL TRANSFORMATION

OBJECTIVES OF THE DIGITAL TRANSFORMATION
(value-chain diagram; visual adapted from Porter's Value Chain)

Product stages: Components Design, Research & Development, Manufacture, Marketing & Sales, Support.
Primary activities, from Suppliers to Customers: Inbound Logistics, Operations, Outbound Logistics, producing Product Revenue and Margin.
Support activities: Human Resource Management; Technology Management; Firm Infrastructure (accounting, legal, finance, control, PR, QA, general management…).

Objectives:
• Optimize Inventory & Yield
• Enhance Customer experience
• Reduce Sales, General and Administrative costs
• Reduce COGS
• Optimize physical assets
• Increase Revenue
• Improve Employee Productivity
• Optimize financial assets & cash

Page 10: DIGITAL TRANSFORMATION | IT | WORKFORCE | SECURITY

DIGITAL TRANSFORMATION | IT | WORKFORCE | SECURITY

Page 11: ONE GOAL: BUSINESS GROWTH

ONE GOAL: BUSINESS GROWTH
Risk domains: Business Risk; IT & Security Risk; Regulatory Risk; 3rd Party Risk; Business Resiliency
Growth drivers: Business Growth; Digital Transformation; Market Expansion; New Partners; M&A

Page 12: Top risks by survey (Risk.net, Protiviti, IIA)

RISK.NET
Survey of chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers.
1. IT disruption
2. Data compromise
3. Regulatory risk
4. Theft and fraud
5. Outsourcing
6. Mis-selling
7. Talent risk
8. Organizational change
9. Unauthorized trading
10. Model risk

PROTIVITI
Survey of board members and C-suite executives from all regions of the world, conducted by NC State and Protiviti.
1. Existing operations not meeting expectations against "born digital" firms
2. Succession challenges / talent
3. Regulatory changes and scrutiny
4. Cyber threats
5. Resistance to change
6. Speed of disruptive technology / innovation
7. Privacy / information security
8. Inability to utilize data analytics
9. Risk culture
10. Sustaining customer loyalty

INSTITUTE OF INTERNAL AUDITORS
Survey of chief audit executives conducted by seven European institutes of internal auditors in France, Germany, Italy, the Netherlands, Spain, Sweden, and the UK and Ireland.
1. Cybersecurity
2. Compliance
3. Data security & protection
4. HR & people risk
5. Regulatory change
6. Digitalization
7. Innovation
8. Culture
9. Outsourcing & third party
10. Political uncertainty

Sources:
Protiviti: https://www.protiviti.com/US-en/insights/protiviti-top-risks-survey
IIA: https://www.iia.org.uk/media/1689824/risk-in-focus-2019.pdf
Risk.net: https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018

Page 13: DIGITAL RISK

DIGITAL RISK
Unwanted and often unexpected outcomes that stem from digital transformation, digital business processes and the adoption of related technologies.

• Cyber/Security – risk of cyber attacks
• Process Automation – risks related to changes in processes from automation
• Resiliency – risk to availability of business operations
• Third Party Risk – inherited risk related to external parties
• Cloud – risks due to the change in architecture, implementation, deployment, and/or management of new digital business operations (IT systems)
• Workforce/Talent – risks related to the dynamic nature of today's workforce
• Data privacy – risks related to Personal Information
• Compliance – risks related to existing and emerging compliance requirements driven by new tech

STRATEGIC

Page 14: DIGITAL TRANSFORMATION INTRODUCES THIRD-PARTY RISK

DIGITAL TRANSFORMATION INTRODUCES THIRD-PARTY RISK
• 59% of data breaches in 2018 were caused by a third party
• 11% of companies are confident they would learn if their sensitive data was lost or stolen by an Nth party
• 84% of organizations host critical or sensitive assets with 3rd parties

Graphic keywords: EXPANDING EXPONENTIALLY; MORE DIGITAL; UNKNOWN RISKS; MORE COMPLEX; INCOMPLETE VIEW OF RISK; UNCERTAIN BUSINESS IMPACTS

ECOSYSTEM RISK MANAGEMENT

Page 15: GAPS IN THIRD-PARTY GOVERNANCE

GAPS IN THIRD-PARTY GOVERNANCE

Page 16: Poll 2

Poll 2
In today's threat landscape, what is your single greatest concern about third-party risk?
a. We don't know what we don't know
b. We are overly reliant on third parties
c. We do not have a good process to determine our third-party risk
d. We are afraid we could get breached through a third party
e. I don't know

Page 17: IRM | IT SECURITY | CEO / BOARD

IRM | IT SECURITY | CEO / BOARD (question marks between the three)
Drivers: MALICE, MANDATES, MODERNIZATION

Page 18: Nth-Party Ecosystem

NTH-PARTY ECOSYSTEM
(diagram: your third parties' own suppliers across Technology, Marketing, R&D, Support, Logistics, Facilities, Benefits, Legal and Sourcing)

LACK OF VISIBILITY
• 34% keep an inventory
• 2% identify subs (4th, 5th, Nth)

LACK OF ACTION
• 8% of assessments result in disqualification or remediation

Page 19: GAPS IN THIRD-PARTY GOVERNANCE

GAPS IN THIRD-PARTY GOVERNANCE
1. Third-party risk functions are siloed across the organization
2. Organizations do not identify, assess, and manage third parties or their activities consistently or collectively
3. Third-party programs are not scalable to handle the growth of their third-party ecosystems
4. Business criticality and dependencies of third parties are unknown
5. System access, cyber and fraud monitoring, and ongoing governance are not well-managed

Third-Party Risk Is INCREASING (cyber, security, fraud)

Page 20: DIFFERENCES BETWEEN SECURITY AND RISK MANAGEMENT APPROACHES

DIFFERENCES BETWEEN SECURITY AND RISK MANAGEMENT APPROACHES

                  | SECURITY                                                 | RISK MANAGEMENT
LANGUAGE          | NIST CSF, ISO 27001                                      | ISO 31000, COSO ERM
KEY INPUTS        | Threats & Vulnerabilities                                | Likelihood & Impact
MODE              | Tools & Tech                                             | Conversations & Committees
MEASUREMENT       | # of attacks averted; # of vulnerabilities found; # of … | $$$ of loss exposure
MODE OF OPERATION | Defense in Depth > Contain What Matters                  | 3 Lines of Defense (working together), IRM
ATTITUDE          | Don't take any chances                                   | Manage uncertainty
CORE GOALS        | Keep the bad guys out                                    | Keep the business out of trouble

Page 21: TODAY'S PROCESSES…

TODAY'S PROCESSES…
• Outdated reporting
• Manual processes
• Lack of ownership
• Information silos
• Inconsistent controls
• Limited risk visibility

Page 22: ADDRESSING THIRD-PARTY RISK

ADDRESSING THIRD-PARTY RISK
DIGITAL RISK MANAGEMENT

Page 23: MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND …

a. Extremely capable

b. Somewhat capable

c. Minimally capable

d. Not capable

e. I don’t know

Poll 3

Given the new attention to third-party risks, how would you rate your

organization’s current ability to detect and mitigate them?

23

Page 24: MANAGING THIRD PARTY RISK SHOULD INCLUDE

MANAGING THIRD PARTY RISK SHOULD INCLUDE:

UNDERSTAND
• Criticality to your business
• The risks they pose
• Your dependence

EVALUATE
• The highest risks
• System/data access needs
• Your exposure

MANAGE
• Risks and issues
• Online access
• Cyber threats and fraud

MONITOR
• Performance and risks
• Online access
• Cyber threats and fraud

Page 25: INTEGRATED RISK MANAGEMENT

INTEGRATED RISK MANAGEMENT
STRATEGIC OBJECTIVES
OPERATIONAL RISK
Domains: SECURITY, RESILIENCY, COMPLIANCE, 3RD PARTY, IT, AUDIT, ORM

Page 26: WHY DOES THE COMBINATION OF SECURITY AND THIRD-PARTY RISK MATTER?

WHY DOES THE COMBINATION OF SECURITY AND THIRD-PARTY RISK MATTER?

                  | SECURITY                                                 | COMBINED APPROACH                                             | RISK MANAGEMENT
LANGUAGE          | NIST CSF, ISO 27001                                      | Manage Digital Risk With a Unified, Phased Approach           | ISO 31000, COSO ERM
KEY INPUTS        | Threats & Vulnerabilities                                | Business Context & Potential Exposures                        | Likelihood & Impact
MODE              | Tools & Tech                                             | Data-driven, Contextual                                       | Conversations & Committees
MEASUREMENT       | # of attacks averted; # of vulnerabilities found; # of … | Risk Quantification                                           | $$$ of loss exposure
MODE OF OPERATION | Defense in Depth > Contain What Matters                  | Digital Risk Management                                       | 3 Lines of Defense (working together), IRM
ATTITUDE          | Don't take any chances                                   | Know What Risks Matter                                        | Manage uncertainty
CORE GOALS        | Keep the bad guys out                                    | Enable the Business – be a positive force for transformation | Keep the business out of trouble

Page 27: THIRD PARTY SECURITY RISK MONITORING

THIRD PARTY SECURITY RISK MONITORING
• Gain objective insight into your third-party security performance and IT landscape
• Perform third-party, portfolio-wide diagnostics and prioritizations
• Allocate risk resources to where they are needed most: high-value, low-performing vendors
• Engage vendors with accurate, actionable security performance insights and corrective actions
• Continuously monitor vendor security performance
• Triage and remediate critical vulnerabilities
• Optimize use of analysts' time and outside auditor resources

Page 28: THIRD PARTY RISK: VISIBILITY, INSIGHT, ACTION

THIRD PARTY RISK: VISIBILITY, INSIGHT, ACTION

VISIBILITY
• Do we have a record of all our 3Ps?
• Who has our critical data?
• Are KPIs and KRIs giving us a complete picture?

INSIGHTS
• Are we aware of and going after the right risks?
• Are we also looking down the road at evolving risks?

ACTION
• How are we adjusting our efforts?
• Are we focusing on the highest criticality 3Ps?
• Are we leveraging the IRM Model?
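The visibility and action questions on this slide (a record of all third parties, who holds our critical data, focus on the highest-criticality 3Ps) and the Nth-party gap on slide 18 (only 2% identify 4th- and 5th-party subs) can be worked through on a small inventory. The Python below is an added example written for this page; it is not code from the webinar, from OCEG or from RSA Archer. The vendor names, data classes, finding counts and the scoring formula are constructed assumptions, and the "print-vendor" entry is deliberately referenced by a subcontractor but never inventoried, to show how the unknown shows up.

```python
"""Third-party ecosystem visibility and prioritization on a constructed inventory.

Added worked example for the webinar transcript, not RSA Archer code. All names,
data classes, findings and scoring weights are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    name: str
    criticality: int                                   # business criticality, 1 (low) .. 5 (critical)
    data_classes: set = field(default_factory=set)     # data we share with them directly
    subcontractors: list = field(default_factory=list) # their own vendors (4th/5th/Nth parties)
    open_findings: int = 0                             # unresolved findings from the last assessment


# Constructed inventory (assumption: a party listed as someone's subcontractor is
# not also one of our direct vendors). "print-vendor" is referenced but not inventoried.
INVENTORY = {
    "payroll-saas": ThirdParty("payroll-saas", 5, {"PII", "bank-account"},
                               ["cloud-host-a", "support-bpo"], open_findings=2),
    "marketing-agency": ThirdParty("marketing-agency", 2, {"email-list"}, ["cloud-host-b"]),
    "cloud-host-a": ThirdParty("cloud-host-a", 4, open_findings=1),
    "cloud-host-b": ThirdParty("cloud-host-b", 3),
    "support-bpo": ThirdParty("support-bpo", 3, subcontractors=["offshore-dev", "print-vendor"],
                              open_findings=4),
    "offshore-dev": ThirdParty("offshore-dev", 2, open_findings=3),
}
CRITICAL_DATA = {"PII", "bank-account"}   # assumption: the data classes we care most about


def tiers(inventory):
    """Tier of every party reachable from our direct vendors: 3 = third party,
    4 = a third party's subcontractor, and so on. Names we only know from a
    subcontractor list (never inventoried) still get a tier, so the gap is visible."""
    referenced = {s for p in inventory.values() for s in p.subcontractors}
    tier = {name: 3 for name in inventory if name not in referenced}
    queue = deque(tier)
    while queue:
        name = queue.popleft()
        party = inventory.get(name)
        for sub in (party.subcontractors if party else []):
            if sub not in tier:            # first visit is the shortest chain to us
                tier[sub] = tier[name] + 1
                queue.append(sub)
    return tier


def data_exposure(inventory):
    """Worst-case propagation: a subcontractor may hold everything its parent holds.
    Returns {party: data classes it may hold}, including non-inventoried names."""
    held = defaultdict(set)
    for root in inventory.values():
        if not root.data_classes:
            continue
        seen, queue = set(), deque([root.name])
        while queue:
            name = queue.popleft()
            if name in seen:               # guards against cycles in the vendor graph
                continue
            seen.add(name)
            held[name] |= root.data_classes
            party = inventory.get(name)
            if party is not None:
                queue.extend(party.subcontractors)
    return dict(held)


def critical_data_holders(inventory):
    """Everyone who may hold critical data, direct or Nth party, sorted by name."""
    return sorted(n for n, d in data_exposure(inventory).items() if d & CRITICAL_DATA)


def unknown_parties(inventory):
    """Names that appear as subcontractors but have no inventory record."""
    referenced = {s for p in inventory.values() for s in p.subcontractors}
    return sorted(referenced - set(inventory))


def prioritize(inventory):
    """Rank inventoried parties for assessment effort. Assumed formula:
    criticality, doubled when critical data may reach them, plus open findings."""
    exposure = data_exposure(inventory)

    def score(p):
        weight = 2 if exposure.get(p.name, set()) & CRITICAL_DATA else 1
        return p.criticality * weight + p.open_findings

    ranked = sorted(inventory.values(), key=lambda p: (-score(p), p.name))
    return [(p.name, score(p)) for p in ranked]


if __name__ == "__main__":
    print("tiers:", tiers(INVENTORY))
    print("may hold critical data:", critical_data_holders(INVENTORY))
    print("referenced but not inventoried:", unknown_parties(INVENTORY))
    for name, s in prioritize(INVENTORY):
        print(f"{s:3d}  {name}")
```

Run as a script and the three visibility questions get concrete answers: the tier map shows that payroll data reaches a 5th party, `unknown_parties` surfaces "print-vendor" as a subcontractor nobody has inventoried, and the ranking puts the payroll provider and its BPO (critical data plus open findings) ahead of a low-criticality marketing agency, which is where assessment effort should go first.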

Page 29: THIRD PARTY RISK

THIRD PARTY RISK

Page 30: THIRD PARTY RISK (continued)

• Evaluate ability to manage third-party risk
• Perform gap analysis
• Provide a clear roadmap

Page 31: RSA Digital Risk Report - Sept 2019

(slide image: RSA Digital Risk Report - Sept 2019)

Page 32: FINAL THOUGHTS

FINAL THOUGHTS
• Start at the top: demand oversight by the BoD. In organizations with BoD oversight, 3PRM improves
• Coordinate across risk and security, business and IT, and the 3LOD
• Evaluate the maturity of your third-party governance
• Automate to help manage the governance process and lifecycle

Page 33: Contact

Patrick Potter
[email protected]
@pnpotter1017