When it comes to embracing new third-party risk initiatives, support needs to come from the top down. In a recent fireside chat, Aravo’s Chief Marketing Officer, Kimberley Allan, was joined by Nicholas Donofrio, IBM Fellow Emeritus and Board Member at Security Scorecard, Christos Kalantzis, Chief Technology Officer at Security Scorecard, and Eric Hensley, Chief Technology Officer at Aravo.
According to recent Aravo research, more than 40% of organizations do not think their boards have a good handle on the third-party risks their companies are exposed to. This lack of understanding can create critical vulnerabilities within third-party risk management (TPRM) programs, and lead to internal disconnect on where to prioritize time and resources. Because of this, there is an urgency to prioritize knowledge and management of third-party risks and create a culture that protects businesses and their employees.
Third-Party Risk Goes Beyond the Financials
Due to the nature of their roles within companies, and trending priorities in risk management, board members often focus on financial and data risks. According to Gartner’s 2020 Board of Directors survey, 69% of participants said that they drove digital resilience to combat this business challenge for 2020 and 2021. This is not to say that these risks are not prevalent and should not receive this attention; they certainly should. But what is sometimes not discussed is the impact a breach can have on brand, company morale, employee turnover, and productivity. A company’s momentum can be derailed by a breach incident, and a greater understanding that cyber risks affect more than just finances is needed.
This type of reputational and productivity risk also goes beyond the consequences of cyber breaches. According to research, 75% of businesses reported supply chain disruptions related to the COVID-19 pandemic. Supply chain disruptions can not only have devastating financial and operational impacts but also raise significant risks to a company’s reputation, especially if they are the result of a third party, which they usually are.
“We live in a golden age of technology, but this means that all of our suppliers have our data. Processes we used to use to manage risks in our supply chain and information security are no longer efficient because all of our own suppliers now have their own cyber risks as well. You can’t manage these risks manually, or assume they’re being done for you.”
-Eric Hensley, Chief Technology Officer at Aravo Solutions
A Glaring Third-Party Risk Disconnect
34% of businesses indicated that third-party risk management was not a key priority for their board, with only a low level of oversight. This lack of knowledge on boards’ parts is a risk in and of itself. Not only can it be an indicator of a disconnect within the company, but it is increasingly having regulatory impacts. Regulators are increasingly holding boards responsible for these incidents, and boards can be liable if they do not have a handle on third-party risks. The SEC, for example, is starting to raise its expectations of boards of directors’ knowledge of these risks and of programs such as ESG. Boards will be asked what they knew about the incident, whether they understood its consequences, and whether they met their duties of care and loyalty. This liability will not just affect the company, but board members themselves.
Third-party risks may not always be obvious to board members, as they can arise from third, fourth, and nth-party vendors. But boards inherit these risks, and ignorance of them will not make them go away. A critical point to remember, however, is that board members do not need to be risk experts. Becoming more active in asking questions, learning, and being open to suggestions and new initiatives is the first step towards gaining a greater understanding of TPRM, and building resilience.
How Board Members Can Build Their Third-Party Risk Knowledge
Creating new third-party risk management initiatives is not a simple, quick process, but it can get kicked off with a few simple steps.
Start Asking the Right Questions (And Be Willing to Learn)
Boards can begin to broaden their knowledge of third-party risks by asking very simple questions, such as “how will we avoid a cyber breach?” or “what are we doing to avoid ESG risks?” Asking questions like these plants a seed that will eventually grow into programs, motions, evaluations, and improvements. Having the courage to ask these questions shows that these risks are being championed and that boards are open to being educated.
Find Your Third-Party Risk Tribe
Most large companies have an existing set of people who manage risk domains such as cyber risk, supply chain risk, internal GRC, etc. These people have answers and are often eager to talk to a board member about potential vulnerabilities. When these risk experts cannot reach board members, their efforts and processes can get buried under other priorities, leaving companies exposed to third-party vulnerabilities. Building relationships with these experts, and asking them to present outcomes and trends during board meetings, can make strides towards bridging knowledge and priority gaps.
“You don’t need to be an SME, but ask questions anyway. Follow up, be active, but also create an environment where you help your experts figure things out. Help them make contacts that help the company be successful. Use your network to build up your risk experts.”
-Christos Kalantzis, Chief Technology Officer at Security Scorecard
Create a Supportive, Forthright Culture
When board members ask questions about third-party risks, it gives these topics and the employees who own them a voice, and acknowledges that their work matters. Creating this positive culture not only boosts morale and productivity but encourages employees to speak up when a risk is on the horizon. Relatedly, the culture needs to encourage employees to be forthright and forthcoming. If employees are afraid to raise their hand or acknowledge existing vulnerabilities within processes, these issues can become buried. Being able to speak up without fear of reprisal is critical to fostering this culture.
Embrace the Age of Technology
In the digital age, there is no such thing as a technology company – all companies who use technology are tech companies. And we are in the golden age of funding and tools to procure products that meet TPRM needs. Give your teams encouragement to look into tools that help monitor and manage these risks, and/or investigate if there are tools already in existence within the company that are not being utilized to their full potential. Keep in mind, however, that technology vendors present potential third-party risks themselves, and that all vendors should fit into your TPRM scope, be thoroughly vetted, and fall within your acceptable level of risk.
Long-Term Goals to Keep in the Back of Your Mind
Boards that become more knowledgeable about the risks inherent to their business are better prepared to meet new risks and implement new initiatives. There are steps you can take today to start gathering knowledge, but there are also some longer-term goals to keep in mind that can be helpful along this journey.
Focus on Outcomes Over Processes
When starting to understand these risks, it is important for boards to focus on outcomes over processes. Keep things goal-based and work towards them. Thinking about risks in this way (and encouraging your risk experts to present them to you in this way) keeps these topics from becoming too granular. Talk about these outcomes over time, and have your teams report on trends they are seeing.
Don’t Forget to Follow Up
Asking your team questions is the first step to broadening your third-party risk knowledge, but following up is the second. Make sure that you are actively engaged in monitoring and understanding these risks with your teams and experts. Set a KPI and see how it improves over time with the processes your company puts in place. If there is no follow-up, these questions are empty, and these issues can go back to being shelved and ignored.
Diverse Boards Equal New Ways of Thinking
The issues companies are facing today are not the same risks seen 15 years ago. Likewise, boards of directors should evolve to meet these shifting needs. Creating a more diverse board by mixing up expertise, risk domains, and demographics helps these groups stay current. Likewise, including younger board members, community leaders, and those of diverse backgrounds helps boards catch up with outside realities. This brings diverse ways of thinking and allows these groups to focus on areas and initiatives that may have been overlooked previously.
“Never stop learning and don’t assume you know it all. As a director, don’t just be onboarded – continuously educate yourself. No one is expecting you to be the expert, but they do expect you to be knowledgeable. And this gives us more time, innovation, and productivity.”
-Nicholas Donofrio, IBM Fellow Emeritus and Board Member at Security Scorecard
To learn more about how boards can prioritize third-party risks, check out our on-demand webinar. The fireside chat features Aravo’s Chief Marketing Officer, Kimberley Allan; Nicholas Donofrio, IBM Fellow Emeritus and Board Member at Security Scorecard; Christos Kalantzis, Chief Technology Officer at Security Scorecard; and Eric Hensley, Chief Technology Officer at Aravo.