We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management”; here’s the third deadly sin: not measuring and reporting risk and risk outcomes.
Did you miss the other installments? Get caught up here:
- First Deadly Sin: Believing you can outsource risk
- Second Deadly Sin: Failing to make third-party risk management about business risk management
According to RiskRecon’s 2017 study of enterprise third-party risk management practices, 60% of programs reported program activities, while only 37% reported risk outcomes. Looking at the inverse of those metrics, 40% of third-party risk programs report no program activity metrics and 63% do not report risk outcomes!
This is stunning – third-party risk programs exist to manage third-party risk, and yet the large majority do not report their risk outcomes. That is like a for-profit business not reporting its financial results to investors. Without reporting risk outcomes, third-party risk management will, at best, be a regulatory-required checkbox. At worst, third-party risk management will be defunded completely. And why not? The program never demonstrated value in reducing risk.
Reporting both program activity metrics and risk metrics is essential to third-party risk management success. Program activity metrics inform the business of the degree to which you are managing the third-party portfolio. Risk metrics inform the business of the degrees and types of inherent and residual risk in its third-party portfolio. Some metrics we’ve observed programs reporting include:
- The percent of vendors assessed for inherent risk
- Distribution of vendors by inherent risk tier
- The categories and magnitudes of inherent risk for dimensions such as sensitive data risk, transaction risk, reputational risk, and operational risk
- The percent of vendors for which control reviews have been conducted per program specifications. This informs the business whether the program is fulfilling its obligations as dictated by the risk policy
- Response times to requests to risk-assess vendors
- The distribution of vendor residual risk, informing the business of the vendors that are exposing the organization to an unaccepted level of risk. Some organizations communicate this with ratings such as ‘Mature’, ‘Satisfactory’, ‘Developing’, and ‘Unsatisfactory’
- Number of third-party issues by severity and age
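As an added example (not code from this post or from RiskRecon), the script below computes several of the metrics listed above over a constructed vendor inventory. The tier-based review cadence, the issue age buckets, the vendor records and the reporting date are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import date

# Assumed policy (not from the post): maximum days allowed between control reviews, by inherent risk tier.
REVIEW_CADENCE_DAYS = {"High": 365, "Medium": 730, "Low": 1095}
# Assumed issue age buckets: (upper bound in days, label); None means no upper bound.
AGE_BUCKETS = ((30, "0-30d"), (90, "31-90d"), (None, ">90d"))
# Constructed reporting date used by the examples below.
AS_OF = date(2024, 6, 15)

# Constructed sample inventory. tier=None means never assessed; last_review=None means never reviewed.
VENDORS = [
    {"name": "payroll-saas", "tier": "High", "last_review": "2024-01-10", "residual": "Satisfactory",
     "issues": [{"severity": "critical", "opened": "2024-05-01"}]},
    {"name": "cdn-provider", "tier": "High", "last_review": "2022-11-03", "residual": "Developing",
     "issues": [{"severity": "high", "opened": "2024-03-15"}, {"severity": "low", "opened": "2024-06-01"}]},
    {"name": "print-shop", "tier": "Low", "last_review": None, "residual": "Mature", "issues": []},
    {"name": "analytics-api", "tier": "Medium", "last_review": "2023-02-20", "residual": "Unsatisfactory",
     "issues": [{"severity": "high", "opened": "2024-05-25"}]},
    {"name": "staffing-agency", "tier": None, "last_review": None, "residual": None, "issues": []},
]

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def pct_assessed(vendors):
    """Program activity metric: percent of vendors with an inherent risk tier assigned."""
    return pct(sum(1 for v in vendors if v["tier"]), len(vendors))

def tier_distribution(vendors):
    """Risk metric: count of vendors per inherent risk tier (unassessed vendors shown separately)."""
    return dict(Counter(v["tier"] or "Unassessed" for v in vendors))

def pct_reviewed_per_policy(vendors, as_of):
    """Program activity metric: percent of tiered vendors whose last control review is inside the cadence."""
    tiered = [v for v in vendors if v["tier"]]
    in_policy = sum(1 for v in tiered if v["last_review"]
                    and (as_of - date.fromisoformat(v["last_review"])).days <= REVIEW_CADENCE_DAYS[v["tier"]])
    return pct(in_policy, len(tiered))

def residual_distribution(vendors):
    """Risk metric: vendors per residual risk rating, e.g. Mature / Satisfactory / Developing / Unsatisfactory."""
    return dict(Counter(v["residual"] or "Unrated" for v in vendors))

def issues_by_severity_and_age(vendors, as_of):
    """Risk metric: open issue counts keyed by (severity, age bucket)."""
    counts = Counter()
    for v in vendors:
        for issue in v["issues"]:
            age = (as_of - date.fromisoformat(issue["opened"])).days
            counts[(issue["severity"], next(l for limit, l in AGE_BUCKETS if limit is None or age <= limit))] += 1
    return dict(counts)
```

Each function returns one of the figures a program would put on its dashboard; the residual rating labels match the ones mentioned in the list above.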
Perhaps most importantly, proper metrics encourage a culture of mindfulness in managing third-party risk: an awareness that impacts to third parties may impact the business and that these risks must be managed. They also serve to drive action: escalation of issues, elimination of non-performing vendors, and, in some cases, formal acceptance of risk.