Managing Third-Party Risk Assurance


Jon Hughes

International Network & Security Solution Architect

Today’s digital economy is hyperconnected. Like most others, your company will rely on third-party vendors, service providers, contractors, and suppliers to keep the wheels turning. While these partnerships are critical to business, they require access to data assets, significantly increasing risk.

Third-party risks can adversely impact organisations in several ways, including data breaches, supply chain breakdowns, and operational disruptions. They can all damage both your reputation and the bottom line. These problems are surprisingly common: according to recent research, 98% of organisations are affiliated with a third party that has experienced a breach. In addition, analyst firm Gartner found that 53% of respondents to a survey on supplier risk reported their supply chains were facing disruptions 50% of the time or more.

Often, organisations working with third parties must give up some control over their data, including sensitive customer information. However, your organisation is ultimately responsible for handling this data and complying with data privacy regulations such as the General Data Protection Regulation (GDPR) in Europe. Organisations should thoroughly review their vendors’ data handling processes and policies to ensure compliance.

Identifying and reducing risk

In this increasingly complex landscape, third-party risk management is critical to understanding your relationships with third parties and which safeguards can help reduce risk.

For example, you need to understand your responsibilities if you have outsourced your IT infrastructure to a third party, either on-premises or a cloud provider.

A third-party risk management strategy will help you identify and develop the appropriate capabilities to address these growing challenges. This includes internal objectives and resource requirements, regulatory needs, best practices, and customer expectations for managing such risk.

Creating a third-party risk management framework includes one-time set-up activities and ongoing application. Telstra experts can help you define a framework of triage processes, third-party questionnaires, and associated policies that match the level of risk management required for your business. This includes right-sizing the framework to balance the security budget against risk while still supporting your business in achieving its outcomes. It is, for example, crucial to process third-party risk assessments correctly and efficiently so they do not hold up business deliverables.

Telstra’s significant differentiator is that we are not simply focused on the technology solutions. Our experts can also help you address the governance, risk, and compliance activities necessary to improve your security posture.

Implementing a proactive risk management culture

It is vital to foster a risk management culture within your organisation to encourage IT staff to become more involved with your risk management process and the topic in general.

Implementing a proactive risk culture enables you to think ahead, anticipate potential risks and actions, analyse their severity, and reduce or eliminate them. As an organisation, you can define the framework and implement these processes. However, if resources and expertise are in short supply, we can provide the means and expertise to support you. This forms part of a robust modular approach we call the 4Ds: Discover, Define, Deliver, and Drive. It is specifically designed to achieve business outcomes that are appropriate, powerful, predictable, and repeatable, leveraging technology and automation where required.

This approach includes a third-party risk assurance framework and associated documentation. If needed, we can create a bespoke control framework linked to your existing security management system and support your compliance with security standards such as ISO27001.

As part of an assessment support package, Telstra’s security experts can supplement your existing in-house team, operating your processes and managing assessments on your behalf. This can be for vendor selection for projects or for wider organisational use. If you want to go to tender for new suppliers, we can also assist in Request for Proposal activities to ensure adequate security assessments before committing resources, including developing risk-based remediation plans to minimise security risks for your business.

We can also provide a third-party assurance as a service for organisations that do not have the capabilities or desire to run a third-party risk assurance framework for themselves. This service is tailored to each individual organisation’s risk appetite.

Managing third-party risk is an ongoing process

Organisations today operate in a very uncertain world. Developing a third-party risk management strategy and establishing effective controls are imperative to mitigating threats and sustaining business operations in the face of evolving risk.

It is important to remember that a third-party risk management strategy is not a tick-box exercise; it needs to be continuously revisited and aligned with your overarching business plan. This ongoing focus provides accurate insight into your risk exposure in real time. Ignore your risk levels, and you are opening the door to sensitive data breaches, loss of intellectual property, and other major incidents that could potentially wipe out the business.

Contact us for further details on Telstra’s Third Party Risk Assurance offerings.
