We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management.” Here’s the second deadly sin: failing to make third-party risk management about business risk management.
Read about the first deadly sin, which is believing you can outsource risk, here.
Business runs on a complex platform of systems and services operated by internal personnel and third parties. Managing cyber risk across these platforms is about managing business risk. Only when the business wants good risk outcomes can good risk outcomes be realized. In third-party risk management, engagement with the business requires a top-level commitment by management to:
- Enforcing vendor performance against the enterprise’s information risk standards
- Knowing the business owner of each vendor relationship
- Reporting vendor risk performance periodically to each business owner
- Holding each vendor accountable for meeting performance requirements
Achieving good third-party risk outcomes also requires that the business support an escalation path through which the business owner escalates unmitigated issues within their vendor portfolio for remediation. We have seen organizations operate a formal vendor risk escalation program very successfully: poorly performing vendors are placed on a ‘watch list’ and, if they do not improve, on a ‘do not do business with’ list, which motivates vendors to manage risk properly.
The two essential keys on which all third-party risk outcomes depend are strong business support and assignment of a business owner to each vendor relationship. From this foundation the vendor risk management program can flourish; without this foundation, efforts will likely be futile.
Want to read about the other deadly sins? Read the white paper – no registration required!