THIRD PARTIES & ORGANIZATIONAL RISK

Richard Long, Senior Advisory Consultant, MHA Consulting / April 14, 2021

Transcript of THIRD PARTIES & ORGANIZATIONAL RISK


Company Background

A simple mission: Ensure the continuous operations of our clients’ critical processes.

A 20-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.

We seek to partner with clients who have a commitment to BCM versus a check-the-box mentality.

SaaS Tools: BIA On-Demand, BCM One, Compliance Confidence, Residual Risk.

KEY FACTS

• 20 years in operation.
• 20 average years of industry experience.
• CAPABLE: Comprehensive suite of services.
• GLOBAL: Diverse, global client base.
• SAAS: Compliance and risk tools.

SENIOR LEADERSHIP

Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona
www.mha-it.com / www.bcmmetrics.com

© 2021 MHA CONSULTING. ALL RIGHTS RESERVED.

Unique or Competitive Advantage

• Healthcare
• Financial Institutions
• Services
• Education
• Consumer Products
• Insurance
• Travel & Entertainment
• Government/Utility


Robust Suite of Services

ASSESS CURRENT ENVIRONMENT
• Current State
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment

CONTINUITY STRATEGIES & SOLUTIONS
• Business Continuity Strategies & Solutions
• IT Services Continuity Strategies & Solutions
• Supply Chain Continuity Strategies & Solutions

RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Supply Chain Recovery

EXERCISES
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
• Component, Full and Business Process Failovers
• Coordinated Third Party Exercises

CONTINUOUS IMPROVEMENT
• On-going Training & Awareness Programs
• Post-Exercise Improvement Programs
• Refresh Current State Assessment
• Update BIAs & Threat Assessment
• Third Party Assessments
• Monitor & Measure Resilience Improvement


Third Party Risk

• What/Who is a Third Party?

• What risks do they pose?

• Risk Assessment

• Remediating Risks


Resiliency Components

• Disaster Recovery
• End User Technology supports business functions
• Infrastructure & Application Support
• Single Points of Failure
• People
• Pandemic
• Supply Chain
• Third Parties
• Life Safety
• Incident Stabilization
• Property Preservation
• Restoration of the Business


Risk Priorities – Another Way to Look at Risk


What/Who are Third Parties?

Definition
• A separate individual or organization other than the two principals involved. A third party is typically a company that provides an auxiliary product or service not supplied by the seller to the customer (the two principals).

Examples
• Technology provider (Dell, IBM, HPE)
• Technology service provider (AWS, Microsoft)
• Raw material/component third party
• Service third party (janitorial service, security service, payroll processing)
• Consultant (KPMG, PWC, MHA)
• Fourth party (third party provider of your third party)
  • Raw material supplier to a component supplier
  • Cloud provider for a SaaS solution

IDENTIFY YOUR THIRD PARTIES

• Do you know who your organization’s third parties are?
• Do you know your critical fourth parties?
• Perform an inventory of all third parties in your organization and note your reliance on each.
  • Map to business areas/functions
  • Identify which third parties have impact across multiple areas/functions
  • Prioritize gathering information on their business continuity planning state
  • Identify single-failure third parties (specialized knowledge, products, or skills)
    • Work-arounds for the service or product
    • Identification of alternate third parties who can support SPOFs
      • Plan for use, or agreements
    • Inventory of additional services outside of current use


Third Parties and Risks

WHAT ARE THE POTENTIAL RISKS?

• Single point of failure
  • Specialized products (die casts, customized product, contract manufacturer)
  • Legacy service or product (only company/person managing the product or service)
• Cyber attacks/data breach due to access to your network or technology
  • Consultants/staff augmentation – same access as employees
  • Automated notification of issues, or technology that “phones home”
  • Integration to SaaS or third-party software
  • Trusted service providers accessing technology without monitoring
• Proprietary information leaked or stolen
  • Outside counsel – legal or regulatory information
  • Outside consultants – strategic information
  • Cyber/data breach from the above


Third Parties and Risks

WHAT ARE THE POTENTIAL RISKS?

Business Continuity
• Reputational Damage
  • Third party reputation impacts your brand/reputation
• Third party service/product is key to your delivery and therefore:
  • Loss of revenue, increased cost, fines/penalties
  • Customer service
  • Brand/reputation due to inability to provide service
• Supply Chain
  • Worldwide supply chain today; raw material and component delays
    • Suez Canal
    • COVID-19
• Critical Information
  • Third party information broker
  • Financial processing


Third Parties and Risks

Supply Chain Risks: DEMAND, SUPPLY, PROCESS, NETWORK, ENVIRONMENT

DEMAND RISK
• Loss of major accounts
• Volatility of demand
• Concentration of customer base
• Short life cycles
• Innovative competitors

SUPPLY RISK
• Dependency on key suppliers
• Consolidation in supply markets
• Quality and management issues arising from off-shore sourcing
• Potential disruption at 2nd tier level
• Length and variability of replenishment lead times

PROCESS RISK
• Manufacturing yield variability
• Lengthy set-up times and inflexible processes
• Equipment reliability
• Limited capacity/bottlenecks
• Outsourcing key business processes

NETWORK/CONTROL RISK
• Asymmetric power relationships
• Poor visibility along the pipeline
• Inappropriate rules that distort demand
• Lack of collaborative planning and forecasts
• Bullwhip effects due to multiple echelons

ENVIRONMENT RISK
• Natural disasters
• Terrorism and war
• Regulatory changes
• Tax, duties and quotas
• Strikes


Supply Chain Threat & Risk Assessment

WHY SUPPLY CHAIN ASSESSMENT

• Widespread adoption of “lean” practices.
• The move to off-shore manufacturing and sourcing.
• Outsourcing and reduction in the supplier base.
• Global consolidation of suppliers.
• Centralized production and distribution.
• The biggest risk to business continuity may lie outside the company in the wider supply chain.
• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption.
• Environmental risks are outside our control, but systemic risk is created through our own decisions.


Third Party Threat & Risk Assessment

WHY THIRD-PARTY RISK ASSESSMENT

• Supply chain dependencies, exposure and redundancies (US and abroad)
• Increasingly impactful man-made, technology and natural disasters
• Globalization – requires focus on global disaster events
• Reputational liability linked with third parties, partners and customers
• High reliance on critical information systems/services, some of which are externally supported/in the cloud/hosted by and linked
• Concentration of critical functions in fewer facilities increases location risk (e.g., outsourced shared services third parties)
• Changes associated with mergers, acquisitions and divestitures can impact third party resiliency
• Third party resiliency covers both the resiliency of an organization’s third parties and the organization’s own resiliency in meeting its requirements as a third party
• Meeting FFIEC Appendix J – Third Party Management standards


Third Parties Threat & Risk Assessment

BASIC COMPONENTS

• Have I identified my critical third parties/business partners?
• Does my internal supply chain management group understand the criticality of specific third parties to the organization?
• Has a system of prioritizing (critical, important, etc.) been established?
• Will a critical third party’s crisis become an issue for my organization?
• Have I informed my critical third parties of their prioritization status and what will be expected of them during emergencies?
• Will my organization’s additional needs during a crisis be supported by its third parties? How flexible are my critical third parties to changing situations and accompanying response & recovery strategies and tactics?
• Can the third party prove that it can survive a crisis and be flexible to help my organization through their crisis?

Third Parties Threat & Risk Assessment

DETAILED COMPONENTS

BASIC COMPONENTS

• RISK ACCEPTANCE: Risk acceptance does not reduce any effects; however, it is still considered a strategy. It is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that does not want to spend a lot of money avoiding risks that have a low possibility of occurring will use the risk acceptance strategy.

• RISK AVOIDANCE: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.

• RISK LIMITATION: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It combines a bit of risk acceptance with a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

• RISK TRANSFERENCE: Risk transference is handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Third Party Risk Mitigation

EXAMPLES

• Internal training on skills or services provided by a third party
• Identified and coordinated alternate vendors for specialized skills or products
  • Potentially include the alternate as part of normal operations
• Third-party (vendor) management and governance
  • Contractual requirements and remediations
  • Critical third parties understand their prioritization status and can demonstrate what will be expected of them during emergencies
  • Demonstrated ability to survive a crisis and remain flexible enough to help my organization through its crisis
  • Participation in Crisis Management or Recovery Exercises

Third Party Risk Mitigation

THIRD PARTY MANAGEMENT

PURCHASING AGREEMENTS DOCUMENT REQUIREMENTS
• Purchasing agreements contain specific wording defining BCM requirements, service level expectations and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services

SUPPLIERS LEGALLY BOUND TO ENSURE CONTINUITY
• Critical suppliers have agreed to BCM and service level requirements.
• Signed purchasing agreements are on file.

SUPPLIER PROGRAM EVALUATED USING BEST PRACTICES
• A standardized questionnaire and approach, consistent with industry best practices and standards, is used to evaluate the threats, vulnerabilities and the maturity of the continuity capability of each critical supplier and its supply chain.

Third Party Risk Mitigation

THIRD PARTY MANAGEMENT

CRITICAL SUPPLIERS AUDITED
• Qualified personnel conduct regular site visits at critical suppliers to:
  • Identify any threats/risks, vulnerabilities and single points of failure associated with operations
  • Assess the supplier’s ability to continue to deliver services, materials and/or goods to the organization as promised in the event of an unplanned disruption.

SUPPLIER PRIORITIES IDENTIFIED
• Critical supplier assessment includes identifying the priority of the organization in respect to restoration of supplier services, materials and/or goods.
• Gaps between the priorities of the critical supplier and the expectations of the organization are identified and documented for management review and action.

COMMUNICATION CHANNELS IDENTIFIED
• Communication channels are identified, established and exercised.
• Prioritization during an event is agreed upon where multiple customers exist with a supply chain vendor.

SUPPLY CHAIN IS PART OF BCM PROGRAM
• The BC Manager incorporates the teams, plans and processes to detect, respond, recover and resume operations from a disruption to the supply chain.

Third Party Risk Mitigation

WHAT OCCURS AFTER AN ASSESSMENT AND MITIGATION?

• Residual Risk is defined as the remaining risk after controls have been implemented and monitored and the effect of their findings considered.
• Residual Risk considers the inherent risk (risk before controls) that exists prior to assessing the mitigating controls.
• The process identifies the Risk Tolerance, or level of willingness to accept risk. Low Risk Tolerance = tighter, more stringent controls and more expense, and vice versa.
• The process assesses and evaluates the state of the mitigating controls that are designed to mitigate the effects of the inherent risk.
• It determines whether the remaining Residual Risk is within or outside the agreed-upon Risk Tolerance based on the state of the mitigating controls.

Residual Risk


Where To Focus

SUMMARY

• Inventory Third Parties
• Categorize Third Parties and Identify SPOFs
• Perform a Risk Assessment
• Prioritize Remediation Actions based on Risk, Impact and Probability
• Assess Residual Risk
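The summary steps above (inventory, categorize and flag SPOFs, assess, prioritize by risk/impact/probability, check residual risk) and the residual-risk slide before it describe a procedure that is easier to see on data. The Python script below is an added example, not MHA Consulting's method or any of its SaaS tools: it runs the steps over a constructed inventory of four hypothetical third parties. The 1-5 impact and likelihood scales, the multiplicative control-effectiveness model, the 6.0 tolerance threshold and the `ThirdParty` record shape are all assumptions chosen for illustration.

```python
"""Third-party inventory triage: categorize, flag SPOFs, score inherent vs residual risk.

Added example, not MHA Consulting's method or tooling. The 1-5 impact and
likelihood scales, the multiplicative control-effectiveness model and the
tolerance threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ThirdParty:
    name: str
    functions: List[str]                  # business areas/functions that depend on this party
    impact: int                           # 1 (negligible) .. 5 (severe) if the party fails
    likelihood: int                       # 1 (rare) .. 5 (likely) that it is disrupted
    alternates: List[str] = field(default_factory=list)       # vetted alternate providers
    controls: Dict[str, float] = field(default_factory=dict)  # control -> effectiveness 0.0..1.0


# Constructed sample inventory (hypothetical parties, not real suppliers).
SAMPLE_PARTIES = [
    ThirdParty("Cloud hosting provider", ["Customer portal", "Billing", "Support"],
               impact=5, likelihood=2,
               controls={"contractual SLA with penalties": 0.2,
                         "multi-region DR failover, exercised annually": 0.5}),
    ThirdParty("Die-cast tooling supplier", ["Manufacturing"],
               impact=5, likelihood=3),          # specialized product, no controls yet
    ThirdParty("Janitorial service", ["Facilities"],
               impact=1, likelihood=3, alternates=["Regional cleaning firm"]),
    ThirdParty("Staff augmentation consultants", ["IT", "Finance"],
               impact=3, likelihood=3, alternates=["Second staffing firm"],
               controls={"least-privilege accounts with access monitoring": 0.6}),
]

RISK_TOLERANCE = 6.0   # assumed: highest residual score management has agreed to accept


def inherent_risk(tp: ThirdParty) -> int:
    """Risk before controls: impact x likelihood on the assumed 1-5 scales (1..25)."""
    return tp.impact * tp.likelihood


def is_spof(tp: ThirdParty) -> bool:
    """Single-failure third party: nobody vetted who could take over its product or service."""
    return not tp.alternates


def residual_risk(tp: ThirdParty) -> float:
    """Risk left after controls. Each control is assumed to remove its 'effectiveness'
    fraction of whatever exposure remains, independently of the other controls."""
    remaining = 1.0
    for effectiveness in tp.controls.values():
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError(f"{tp.name}: control effectiveness must be in [0, 1]")
        remaining *= 1.0 - effectiveness
    return inherent_risk(tp) * remaining


def shared_dependencies(parties: List[ThirdParty], min_functions: int = 2) -> List[str]:
    """Parties whose failure would hit several areas/functions at once."""
    return [tp.name for tp in parties if len(tp.functions) >= min_functions]


def triage(parties: List[ThirdParty], tolerance: float = RISK_TOLERANCE) -> List[dict]:
    """Score every party and order the remediation list: SPOFs first, then by
    residual risk, then by how many functions depend on the party."""
    rows = []
    for tp in parties:
        res = residual_risk(tp)
        rows.append({
            "name": tp.name,
            "functions": len(tp.functions),
            "spof": is_spof(tp),
            "inherent": inherent_risk(tp),
            "residual": round(res, 2),
            "within_tolerance": res <= tolerance,
        })
    rows.sort(key=lambda r: (not r["spof"], -r["residual"], -r["functions"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_PARTIES):
        flag = "SPOF" if r["spof"] else "    "
        status = "ok" if r["within_tolerance"] else "OUTSIDE tolerance"
        print(f"{flag} {r['name']:<32} inherent={r['inherent']:>2} "
              f"residual={r['residual']:>5} {status}")
```

On the sample data the tooling supplier tops the list: it is a SPOF with no controls, so its residual risk equals its inherent risk and sits outside tolerance. The cloud provider is also a SPOF but its exercised failover brings residual risk within tolerance, which is the deck's point that the tolerance check depends on the state of the controls, not on the inherent score alone. Lowering `RISK_TOLERANCE` pushes more parties into the "outside" group, i.e. tighter controls and more expense, as the residual-risk slide notes.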

Richard [email protected] (602) 370-1864

Thank You!

Questions?

[Figure: BCM program score gauges (0–100) for Program Administration, Business Recovery, Crisis Management, IT Disaster Recovery, Fire & Life Safety, and Supply Chain Risk Management]

COMPLIANCE CONFIDENCE (C2)

Standards Alignment
• ISO 22301 - International Standards Organization
• FFIEC IT Examination Handbook: Business Continuity Management 2019 - Federal Financial Institution Examination Council
• NFPA 1600 - U.S. National Fire Protection Association
• BCI Good Practices - Business Continuity Institute
• OSHA 1910.38 - Occupational Safety & Health Administration Standards
• NIST 800 - National Institute of Standards and Technology (NIST)
• Federal Information Security Modernization Act (FISMA)
• SEC Supply Chain Risk Leadership Council

• Assesses Alignment with 8 Standards
• Evaluates 7 Areas of your BCM Program
• Provides “FICO”-Like Scoring
• Management Reporting/Roadmaps
• Highlights Strengths & Opportunities
• Continued Alignment with Updated Standards