We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management”; here’s the third deadly sin: not measuring and reporting risk and risk outcomes.
According to RiskRecon’s 2017 study of enterprise third-party risk management practices, 60% of programs reported program activity metrics, while only 37% reported risk outcomes. Put the other way around, 40% of third-party risk programs report no program activity metrics, and 63% do not report risk outcomes at all.
This is striking: third-party risk programs exist to manage third-party risk, yet nearly two-thirds of them do not report their risk outcomes. That is like a for-profit business never reporting its financial results to investors. Without reporting risk outcomes, third-party risk management is, at best, a regulatory checkbox. At worst, the program is defunded completely. And why not? It never demonstrated any value in reducing risk.
Reporting both program activity metrics and risk metrics is essential to third-party risk management success. Program activity metrics tell the business the degree to which you are actually managing the third-party portfolio (how much of it has been assessed, and how recently). Risk metrics tell the business the degree and types of inherent and residual risk in that portfolio. Some metrics we’ve observed programs reporting include:
Perhaps most importantly, proper metrics foster a culture of mindfulness in managing third-party risk: an awareness that an incident at a third party can impact the business, and that these risks must be managed. They also drive action: escalation of issues, elimination of non-performing vendors, and, in some cases, formal acceptance of risk by the business.