4 Questions that are Top of Mind for Chief Audit Officers in 2021
With the pandemic still a present factor in our personal and professional lives, it has shifted the way we work and the way businesses operate, and most of the changes we’ve made to adapt to the situation are likely here to stay. Such a sudden and large change to the way we do things has shone a light through the holes in organizations’ risk prevention programs, including third-party risk management. A disruption to even one link in the supply chain can affect the entirety of a business. Failure to assess third-party risk leaves your organization vulnerable to a multitude of threats, such as data breaches, which can negatively impact your organization’s reputation. The disruptions we saw as a result of the pandemic acted as a test of organizations’ existing (or non-existent) programs, allowing them to see just how resilient they really are and to identify and develop the areas that need work. So, what questions will Chief Audit Officers be asking about the resilience of our programs from here on out, and why?
1. How far down the chain do we need to audit Nth-party risk?
Chief Audit Officers understand that risks, even at the fourth-party level, have the potential to impact your business just as much as risks at the third-party level. Asking your third-party vendors to provide things like policies, reports, and annual reviews of their own vendors is a great place to start.
In general, it is wise to audit at least as far down the chain as your fourth parties. A fourth party is one step further removed from your organization than a third party: it is a third party to one of your third parties. Luckily, as of 2017, your third-party partners are required to identify any significant vendors that they use (your fourth parties), which makes it easier for your organization to monitor them and comply with regulations.
2. How can we strengthen the resilience of our organization in relation to our vendors?
Major, unprecedented crises do happen. That should no longer be a surprise to businesses after what we have gone through this past year. The important thing now is to evaluate what we’ve learned, develop strategies for the future, and prepare ourselves for other potential disruptions.
Chief Audit Officers are among the most important players in developing strategies for organizations, as they provide a holistic view of the business and are trained to identify risks so that their organization stays compliant and resilient. Part of that job is assessing and tracking vendors. Reducing manual touchpoints by implementing automated workflows and processes is one of the best strategies available today for quickly identifying and remediating risks; it also allows cybersecurity teams to focus on the bigger, more pressing issues.
3. Have we solved for concentration risk?
The pandemic’s impact on supply chains and third-party services has revealed how heavily many organizations rely on suppliers situated in a single region of the world. Where the supply and demand of many products had always been fairly consistent, there had never been a need to consider diversifying suppliers in case of an emergency (for example, the closure of borders, shipping interruptions, the shutdown of factories, or even a limited supply of the materials needed to assemble products).
While more vendors are not always better (more vendors mean more opportunities for risk, more risk assessments to run, and so on), organizations should consider what could happen if a significant event, such as a natural disaster, pandemic, power outage, or labour disruption in a particular region, were to have a monumental effect on the day-to-day operations of the organization.
4. What is the level of risk of my critical third parties?
“… another year in which most firms will be dependent on a handful of vendors to provide video conferencing, remote access to servers, or cloud storage – third-party risk is set to remain top of mind for many managers through 2021.”
Michael Rasmussen, GRC Analyst (Source)
Critical third-party risk will remain a priority for businesses and organizations for the foreseeable future. As Rasmussen indicates, with so many businesses relying on others for remote access to tools and services during this time, it’s more important than ever to track and monitor the level of risk of the third parties that are critical to the safety, resilience, and integrity of your organization.
As the pandemic has proven, third-party risk management is just as important as in-house risk management, because the results of a malicious attack on a third party can tremendously affect the day-to-day operations of an organization.