THIRD PARTIES & ORGANIZATIONAL RISK
Transcript of THIRD PARTIES & ORGANIZATIONAL RISK
Richard Long, Senior Advisory Consultant, MHA Consulting / April 14, 2021
Company Background
• A simple mission: Ensure the continuous operations of our clients’ critical processes.
• A 20-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
• We seek to partner with clients who have a commitment to BCM versus a check-the-box mentality.
• SaaS Tools: BIA On-Demand, BCM One, Compliance Confidence, Residual Risk.
KEY FACTS
• 20 years in operation.
• 20 average years of industry experience.
• CAPABLE: Comprehensive suite of services.
• GLOBAL: Diverse, global client base.
• SAAS: Compliance and risk tools.
SENIOR LEADERSHIP
Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona. www.mha-it.com www.bcmmetrics.com
© 2021 MHA CONSULTING. ALL RIGHTS RESERVED. 2
Unique or Competitive Advantage
Healthcare, Financial Institutions, Services, Education, Consumer Products, Insurance, Travel & Entertainment, Government/Utility
Robust Suite of Services
ASSESS CURRENT ENVIRONMENT
• Current State
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment
CONTINUITY STRATEGIES & SOLUTIONS
• Business Continuity Strategies & Solutions
• IT Services Continuity Strategies & Solutions
• Supply Chain Continuity Strategies & Solutions
RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Supply Chain Recovery
EXERCISES
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
• Component, Full and Business Process Failovers
• Coordinated Third Party Exercises
CONTINUOUS IMPROVEMENT
• On-going Training & Awareness Programs
• Post-Exercise Improvement Programs
• Refresh Current State Assessment
• Update BIAs & Threat Assessment
• Third Party Assessments
• Monitor & Measure Resilience Improvement
Third Party Risk
• What/Who is a Third Party?
• What risks do they pose?
• Risk Assessment
• Remediating Risks
Resiliency Components
• Disaster Recovery
• End User Technology supports business functions
• Infrastructure & Application Support
• Single Points of Failure
• People
• Pandemic
• Supply Chain
• Third Parties
• Life Safety
• Incident Stabilization
• Property Preservation
• Restoration of the Business
Risk Priorities – Another Way to Look at Risk
What/Who are Third Parties?
Definition
• A separate individual or organization other than the two principals involved. A third party is typically a company that provides an auxiliary product or service not supplied by the seller to the customer (the two principals).
Examples
• Technology provider (Dell, IBM, HPE)
• Technology service provider (AWS, Microsoft)
• Raw material/component third party
• Service third party (janitorial service, security service, payroll processing)
• Consultant (KPMG, PWC, MHA)
• Fourth party (third party provider of your third party)
  • Raw material supplier to a component supplier
  • Cloud provider for a SaaS solution
IDENTIFY YOUR THIRD PARTIES
• Do you know who your organization’s third parties are?
• Do you know your critical fourth parties?
• Perform an inventory of all third parties in your organization and note their reliance.
  • Map to business areas/functions
  • Identify which third parties have impact across multiple areas/functions
  • Prioritize gathering information on their business continuity planning state
  • Identify single failure third parties (specialized knowledge, products, or skills)
• Work-arounds for service or product
  • Identification of alternate third parties who can support SPOFs
  • Plan for use or agreements
  • Inventory of additional services outside of current use
Third Parties and Risks
WHAT ARE THE POTENTIAL RISKS?
• Single point of failure
  • Specialized products (die casts, customized product, contract manufacturer)
  • Legacy service or product (only company/person managing the product or service)
• Cyber attacks/data breach due to access to your network or technology
  • Consultants/staff augmentation – same access as employees
  • Automated notification of issues or technology that “phones home”
  • Integration to SaaS or third-party software
  • Trusted service providers accessing technology without monitoring
• Proprietary information leaked or stolen
  • Outside counsel – legal or regulatory information
  • Outside consultants – strategic information
  • Cyber/data breach from above
Third Parties and Risks
WHAT ARE THE POTENTIAL RISKS?
Business Continuity
• Reputational Damage
  • Third party reputation impacts your brand/reputation
• Third party service/product is key to your delivery and therefore:
  • Loss of revenue, increased cost, fines/penalties
  • Customer service
  • Brand/reputation due to inability to provide service
• Supply Chain
  • Worldwide supply chain today; raw material and component delays
    • Suez Canal
    • COVID-19
• Critical Information
  • Third party information broker
  • Financial processing
Third Parties and Risks
Supply Chain Risks: DEMAND, SUPPLY, PROCESS, NETWORK, ENVIRONMENT
DEMAND RISK
• Loss of major accounts
• Volatility of demand
• Concentration of customer base
• Short life cycles
• Innovative competitors
SUPPLY RISK
• Dependency on key suppliers
• Consolidation in supply markets
• Quality and management issues arising from off-shore sourcing
• Potential disruption at 2nd tier level
• Length and variability of replenishment lead times
PROCESS RISK
• Manufacturing yield variability
• Lengthy set-up times and inflexible processes
• Equipment reliability
• Limited capacity/bottlenecks
• Outsourcing key business processes
NETWORK/CONTROL RISK
• Asymmetric power relationships
• Poor visibility along the pipeline
• Inappropriate rules that distort demand
• Lack of collaborative planning and forecasts
• Bullwhip effects due to multiple echelons
ENVIRONMENT RISK
• Natural disasters
• Terrorism and war
• Regulatory changes
• Tax, duties and quotas
• Strikes
Supply Chain Threat & Risk Assessment
WHY SUPPLY CHAIN ASSESSMENT
• Widespread adoption of “lean” practices.
• The move to off-shore manufacturing and sourcing.
• Outsourcing and reduction in the supplier base.
• Global consolidation of suppliers.
• Centralized production and distribution.
• The biggest risk to business continuity may lie outside the company in the wider supply chain.
• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption.
• Environmental risks are outside our control, but systemic risk is created through our own decisions.
Third Party Threat & Risk Assessment
WHY THIRD-PARTY RISK ASSESSMENT
• Supply chain dependencies, exposure and redundancies (US and abroad)
• Increasingly impactful man-made, technology and natural disasters
• Globalization – requires focus on global disaster events
• Reputational liability linked with third parties, partners and customers
• High reliance on critical information systems/services, some of which are externally supported/in the cloud/hosted by and linked
• Concentration of critical functions in fewer facilities increases location risk (e.g., outsourced shared services third parties)
• Changes associated with mergers, acquisitions and divestitures can impact third party resiliency
• Third party resiliency focuses on both the resiliency of an organization’s third parties and its own resiliency to meet its requirements as a third party
• Meeting FFIEC Appendix J – Third Party Management standards
• Have I identified my critical third parties/business partners?
• Does my internal supply chain management group understand the criticality of specific third parties to the organization?
• Has a system of prioritizing (critical, important, etc.) been established?
• Will a critical third party’s crisis become an issue for my organization?
• Have I informed my critical third parties of their prioritization status and what will be expected of them during emergencies?
• Will my organization’s additional needs during a crisis be supported by its third parties? How flexible are my critical third parties to changing situations and accompanying response & recovery strategies and tactics?
• Can the third party prove that it can survive a crisis and be flexible to help my organization through their crisis?
BASIC COMPONENTS
Third Parties Threat & Risk Assessment
DETAILED COMPONENTS
• RISK ACCEPTANCE: Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
• RISK AVOIDANCE: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
• RISK LIMITATION: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
• RISK TRANSFERENCE: Risk transference involves handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.
BASIC COMPONENTS
Third Party Risk Mitigation
• Internal training on skills or services provided by a third party
• Identified and coordinated alternate vendors for specialized skills or products
• Potentially include the alternate as part of normal operations
• Third-party (vendor) management and governance
• Contractual requirements and remediations
• Critical third parties understand their prioritization status and can demonstrate what will be expected of them during emergencies
• Demonstrated ability to survive a crisis and be flexible enough to help my organization through their crisis
• Participation in Crisis Management or Recovery Exercises
EXAMPLES
Third Party Risk Mitigation
THIRD PARTY MANAGEMENT
PURCHASING AGREEMENTS DOCUMENT REQUIREMENTS
• Purchasing agreements contain specific wording defining BCM requirements, service level expectations and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services
SUPPLIERS LEGALLY BOUND TO ENSURE CONTINUITY
• Critical suppliers have agreed to BCM and service level requirements.
• Signed purchasing agreements are on file.
SUPPLIER PROGRAM EVALUATED USING BEST PRACTICES
• A standardized questionnaire and approach, consistent with industry best practices and standards, is used to evaluate the threats, vulnerabilities and the maturity of the continuity capability of each critical supplier and its supply chain.
Third Party Risk Mitigation
THIRD PARTY MANAGEMENT
CRITICAL SUPPLIERS AUDITED
• Qualified personnel conduct regular site visits at critical suppliers to:
  • Identify any threats/risks, vulnerabilities and single points of failure associated with operations
  • Assess the supplier’s ability to continue to deliver services, materials and/or goods to the organization as promised in the event of an unplanned disruption.
SUPPLIER PRIORITIES IDENTIFIED
• Critical supplier assessment includes identifying the priority of the organization in respect to restoration of supplier services, materials and/or goods.
• Gaps between the priorities of the critical supplier and expectations of the organization are identified and documented for management review and action.
COMMUNICATION CHANNELS IDENTIFIED
• Communication channels are identified, established and exercised.
• Prioritization during an event is agreed upon where multiple customers exist with the supply chain vendor.
SUPPLY CHAIN IS PART OF BCM PROGRAM
• The BC Manager incorporates the teams, plans and processes to detect, respond, recover and resume operations from a disruption to the supply chain.
Third Party Risk Mitigation
WHAT OCCURS AFTER AN ASSESSMENT AND MITIGATION?
• Residual Risk is defined as the remaining risk after controls have been implemented and monitored and the effect of their findings considered.
• Residual Risk builds on the inherent risk (risk before controls) that exists prior to assessing the mitigating controls.
• The process identifies the Risk Tolerance, or level of willingness to accept risk: low Risk Tolerance = tighter, more stringent controls and more expense, and vice versa.
• The process assesses and evaluates the state of the mitigating controls that are designed to mitigate the effects of the inherent risk.
• It then determines whether the remaining Residual Risk is within or outside the agreed-upon Risk Tolerance, based on the state of the mitigating controls.
Residual Risk
Where To Focus
SUMMARY
• Inventory Third Parties
• Categorize Third Parties and Identify SPOFs
• Perform a Risk Assessment
• Prioritize Remediation Actions based on Risk, Impact and Probability
• Assess Residual Risk
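As an added example (not MHA Consulting's tooling or any of its SaaS products), the summary steps above expressed as a small Python risk register: an inventory mapped to business functions, SPOF detection where no alternate vendor exists, inherent risk as impact × likelihood on an assumed 1–5 scale, residual risk after a control-effectiveness percentage, and a comparison against an agreed risk tolerance. Vendor names, scores and the tolerance value are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ThirdParty:
    name: str
    functions: list                 # business areas/functions that rely on this party
    impact: int                     # 1 (minor) .. 5 (severe): effect if the party fails
    likelihood: int                 # 1 (rare) .. 5 (expected): chance of a disruption
    control_pct: int                # effectiveness of mitigating controls, 0..100 percent
    alternates: list = field(default_factory=list)  # alternate vendors / work-arounds

def inherent_risk(tp: ThirdParty) -> int:
    """Risk before controls: impact x likelihood, on the assumed 1..25 scale."""
    return tp.impact * tp.likelihood

def residual_risk(tp: ThirdParty) -> float:
    """Risk remaining after the state of the mitigating controls is considered."""
    return inherent_risk(tp) * (100 - tp.control_pct) / 100

def is_spof(tp: ThirdParty) -> bool:
    """Single point of failure: no alternate third party or work-around identified."""
    return not tp.alternates

def assess(parties: list, tolerance: float) -> list:
    """Rank third parties for remediation: highest residual risk first, then SPOFs,
    then the number of functions affected. Above tolerance -> REMEDIATE, else ACCEPT."""
    rows = []
    for tp in parties:
        res = residual_risk(tp)
        rows.append({"name": tp.name, "inherent": inherent_risk(tp), "residual": res,
                     "spof": is_spof(tp), "functions": len(tp.functions),
                     "status": "REMEDIATE" if res > tolerance else "ACCEPT"})
    return sorted(rows, key=lambda r: (r["residual"], r["spof"], r["functions"]),
                  reverse=True)

# Constructed sample inventory: fictional vendors, assumed scores.
INVENTORY = [
    ThirdParty("DieCastPartner", ["Manufacturing"], 5, 3, 20),
    ThirdParty("PayrollCo", ["HR", "Finance"], 4, 2, 50),
    ThirdParty("CloudHost", ["Sales", "Support", "Finance"], 5, 2, 70, ["SecondaryCloud"]),
    ThirdParty("JanitorialSvc", ["Facilities"], 1, 3, 0, ["LocalCleaners"]),
]
RISK_TOLERANCE = 5.0  # assumed: residual score the organization agrees to carry

if __name__ == "__main__":
    for r in assess(INVENTORY, RISK_TOLERANCE):
        print(f"{r['name']:<15} inherent={r['inherent']:>2} residual={r['residual']:>4.1f} "
              f"functions={r['functions']} {r['status']}{' SPOF' if r['spof'] else ''}")
```

Note that PayrollCo lands within tolerance yet is still a SPOF; the ranking keeps it visible so an alternate can be sourced before the residual score is simply accepted.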
[Six gauge charts, each scored 0–100: Program Administration, Business Recovery, Crisis Management, IT Disaster Recovery, Fire & Life Safety, Supply Chain Risk Management]
COMPLIANCE CONFIDENCE (C2)
Standards Alignment
• ISO 22301 - International Standards Organization
• FFIEC IT Examination Handbook: Business Continuity Management 2019 - Federal Financial Institution Examination Council
• NFPA 1600 - U.S. National Fire Protection Association
• BCI Good Practices - Business Continuity Institute
• OSHA 1910.38 - Occupational Safety & Health Administration Standards
• NIST 800 - National Institute of Standards and Technology (NIST)
• Federal Information Security Modernization Act (FISMA)
• SEC Supply Chain Risk Leadership Council
• Assesses Alignment with 8 Standards
• Evaluates 7 Areas of your BCM Program
• Provides “FICO”-Like Scoring
• Management Reporting/Roadmaps Highlight Strengths & Opportunities
• Continued Alignment with Updated Standards