MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION
SPEAKER: PATRICK POTTER, RISK STRATEGIST, RSA
Housekeeping
• Download slides at https://go.oceg.org/manage-third-party-risk-with-visibility-insight-and-action
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the OCEG site at https://go.oceg.org/webinars
Learning Objectives
• Learn about emerging digital risks from using third-party business partners and technologies
• Understand the importance and methods to better evaluate and understand the criticality of your third parties
• Learn how you can take a unified, phased approach to managing these third-party risks
Poll 1
Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of Completion
c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don’t want to buy one at this time (so I won’t get CPE credit for this event)
Dell Customer Communication - Confidential
MANAGE THIRD-PARTY RISK WITH VISIBILITY, INSIGHT AND ACTION
Patrick Potter, RSA
C O N F I D E N T I A L
INTRODUCTION
Patrick Potter, Digital Risk Solutions, RSA (Archer) / Dell Technologies
DIGITAL BUSINESS IS A TOP PRIORITY
Top CEO priorities (2017 Gartner CEO Survey):
• 58% Growth / Market Share
• 26% Digital Business / Digital Transformation
• 10% Innovation, R&D, New Products / Services
• 10% Profit Improvement / Profitability / Asset Monetization
THE DIGITAL TRANSFORMATION IS UPON US…
2017 Gartner CEO Survey (share of respondents, ranked as in the original bar chart):
• Technology, General: 21%
• Digital, social, web, online: 14%
• Digital transformation: 11%
• Improvement, general: 10%
• Info, analytics and big data: 8%
• Cloud: 7%
• Automation: 7%
• Cybersecurity: 6%
• IoT: 5%
• Mobile and m-commerce: 4%
• eCommerce: 4%
• Workforce productivity: 1%
• Digital marketing: 1%
• Multichannel: 1%
OBJECTIVES OF THE DIGITAL TRANSFORMATION
Figure (visual adapted from Porter’s Value Chain): primary activities from Suppliers to Customers (Inbound Logistics, Operations, Outbound Logistics; Components Design, Research & Development, Manufacture, Marketing & Sales, Support) over the support activities Human Resource Management, Technology Management and Firm Infrastructure (accounting, legal, finance, control, PR, QA, general management…), producing Product, Revenue and Margin. Digital transformation objectives placed along the chain:
• Optimize inventory & yield
• Enhance customer experience
• Reduce sales, general and administrative costs
• Reduce COGS
• Optimize physical assets
• Increase revenue
• Improve employee productivity
• Optimize financial assets & cash
DIGITAL TRANSFORMATION: IT, WORKFORCE, SECURITY
ONE GOAL: BUSINESS GROWTH
Figure: risk domains (Business Risk, IT & Security Risk, Regulatory Risk, 3rd Party Risk, Business Resiliency) surrounding the growth drivers Business Growth, Digital Transformation, Market Expansion, New Partners and M&A.
TOP RISKS ACCORDING TO THREE SURVEYS

Risk.net
Survey of chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers.
1. IT disruption
2. Data compromise
3. Regulatory risk
4. Theft and fraud
5. Outsourcing
6. Mis-selling
7. Talent risk
8. Organizational change
9. Unauthorized trading
10. Model risk

Protiviti
Survey of board members and C-suite executives from all regions of the world, conducted by NC State and Protiviti.
1. Existing operations not meeting expectations against “born digital” firms
2. Succession challenges / talent
3. Regulatory changes and scrutiny
4. Cyber threats
5. Resistance to change
6. Speed of disruptive technology / innovation
7. Privacy / information security
8. Inability to utilize data analytics
9. Risk culture
10. Sustaining customer loyalty

Institute of Internal Auditors
Survey of chief audit executives conducted by seven European institutes of internal auditors in France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland.
1. Cybersecurity
2. Compliance
3. Data security & protection
4. HR & people risk
5. Regulatory change
6. Digitalization
7. Innovation
8. Culture
9. Outsourcing & third party
10. Political uncertainty

Sources:
Protiviti: https://www.protiviti.com/US-en/insights/protiviti-top-risks-survey
IIA: https://www.iia.org.uk/media/1689824/risk-in-focus-2019.pdf
Risk.net: https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018
DIGITAL RISK
Unwanted and often unexpected outcomes that stem from digital transformation, digital business processes and the adoption of related technologies.
• Cyber/Security – risk of cyber attacks
• Process Automation – risks related to changes in processes from automation
• Resiliency – risk to availability of business operations
• Third Party Risk – inherited risk related to external parties
• Cloud – risks due to the change in architecture, implementation, deployment, and/or management of new digital business operations (IT systems)
• Workforce/Talent – risks related to the dynamic nature of today’s workforce
• Data privacy – risks related to personal information
• Compliance – risks related to existing and emerging compliance requirements driven by new tech
DIGITAL TRANSFORMATION INTRODUCES THIRD-PARTY RISK
• 59% of data breaches in 2018 were caused by a third party
• 11% of companies are confident they would learn if their sensitive data was lost or stolen by an Nth party
• 84% of organizations host critical or sensitive assets with 3rd parties
Figure labels: Expanding exponentially; More digital; More complex; Unknown risks; Incomplete view of risk; Uncertain business impacts; Ecosystem risk management.
Poll 2
In today’s threat landscape, what is your single greatest concern about third-party risk?
a. We don’t know what we don’t know
b. We are overly reliant on third parties
c. We do not have a good process to determine our third party risk
d. We are afraid we could get breached through a third party
e. I don’t know
Figure: IRM, IT and Security functions reporting to the CEO / Board, facing three drivers: Malice, Mandates, Modernization.
Nth-Party Ecosystem
Figure: business functions that engage third parties, which in turn engage their own suppliers (Technology, Marketing, R&D, Support, Logistics, Facilities, Benefits, Legal, Sourcing).
LACK of VISIBILITY
• 34% keep an inventory
• 2% identify subs (4th, 5th, Nth)
LACK of ACTION
• 8% of assessments result in disqualification or remediation
GAPS IN THIRD-PARTY GOVERNANCE
1. Third-party risk functions are siloed across the organization
2. Organizations do not identify, assess, and manage third parties or their activities consistently or collectively
3. Third-party programs are not scalable to handle the growth of their third party ecosystems
4. Business criticality and dependencies of third parties are unknown
5. System access, cyber and fraud monitoring, and ongoing governance are not well-managed
Figure labels: Cyber, Security, Fraud – Third-Party Risk Is INCREASING
DIFFERENCES BETWEEN SECURITY AND RISK MANAGEMENT APPROACHES
| | SECURITY | RISK MANAGEMENT |
|---|---|---|
| LANGUAGE | NIST CSF, ISO 27001 | ISO 31000, COSO ERM |
| KEY INPUTS | Threats & Vulnerabilities | Likelihood & Impact |
| MODE | Tools & Tech | Conversations & Committees |
| MEASUREMENT | # of attacks averted; # of vulnerabilities found; # of … | $$$ of loss exposure |
| MODE OF OPERATION | Defense in Depth > Contain What Matters | 3 Lines of Defense (working together), IRM |
| ATTITUDE | Don’t take any chances | Manage uncertainty |
| CORE GOALS | Keep the bad guys out | Keep the business out of trouble |
TODAY’S PROCESSES…
• Outdated reporting
• Manual processes
• Lack of ownership
• Information silos
• Inconsistent controls
• Limited risk visibility
Poll 3
Given the new attention to third-party risks, how would you rate your organization’s current ability to detect and mitigate them?
a. Extremely capable
b. Somewhat capable
c. Minimally capable
d. Not capable
e. I don’t know
MANAGING THIRD PARTY RISK SHOULD INCLUDE:
UNDERSTAND
• Criticality to your business
• The risks they pose
• Your dependence
EVALUATE
• The highest risks
• System/data access needs
• Your exposure
MANAGE
• Risks and issues
• Online access
• Cyber threats and fraud
MONITOR
• Performance and risks
• Online access
• Cyber threats and fraud
INTEGRATED RISK MANAGEMENT
Figure: Strategic Objectives at the top, Operational Risk beneath, supported by the domains Security, Resiliency, Compliance, 3rd Party, IT, Audit and ORM.
WHY DOES THE COMBINATION OF SECURITY AND THIRD-PARTY RISK MATTER?
| | SECURITY | MANAGE DIGITAL RISK WITH A UNIFIED, PHASED APPROACH | RISK MANAGEMENT |
|---|---|---|---|
| LANGUAGE | NIST CSF, ISO 27001 | Digital Risk Management | ISO 31000, COSO ERM |
| KEY INPUTS | Threats & Vulnerabilities | Business Context & Potential Exposures | Likelihood & Impact |
| MODE | Tools & Tech | Data-driven, Contextual | Conversations & Committees |
| MEASUREMENT | # of attacks averted; # of vulnerabilities found; # of … | Risk Quantification | $$$ of loss exposure |
| MODE OF OPERATION | Defense in Depth > Contain What Matters | Digital Risk Management | 3 Lines of Defense (working together), IRM |
| ATTITUDE | Don’t take any chances | Know What Risks Matter | Manage uncertainty |
| CORE GOALS | Keep the bad guys out | Enable the Business – be a positive force for transformation | Keep the business out of trouble |
THIRD PARTY SECURITY RISK MONITORING
• Gain objective insight into your third-party security performance and IT landscape
• Perform third-party portfolio-wide diagnostics and prioritizations
• Allocate risk resources to where they are needed most: high-value, low-performing vendors
• Engage vendors with accurate, actionable security performance insights and corrective actions
• Continuously monitor vendor security performance
• Triage and remediate critical vulnerabilities
• Optimize use of analysts’ time and outside auditor resources
VISIBILITY
• Do we have a record of all our 3Ps?
• Who has our critical data?
• Are KPIs and KRIs giving us a complete picture?
INSIGHTS
• Are we aware of and going after the right risks?
• Are we also looking down the road at evolving risks?
ACTION
• How are we adjusting our efforts?
• Are we focusing on the highest criticality 3Ps?
• Are we leveraging the IRM Model?
• Evaluate ability to manage third party risk
• Perform gap analysis
• Provide a clear roadmap
RSA Digital Risk Report - Sept 2019
FINAL THOUGHTS
• Start at the top: demand oversight by the BoD. In organizations with BoD oversight, 3PRM improves
• Coordinate across risk and security, business and IT, and the 3LOD
• Evaluate the maturity of your third-party governance
• Automate to help manage the governance process and lifecycle