Ask the Expert: What are steps that the audit team can take to instill confidence in the executive team that the organization is resilient concerning its use of vendors and third parties?


Dawn Ward, Senior Solution Consultant at Iceberg Networks, and Chris Murphey, VP Advisory Services at Iceberg Networks, discuss how the audit team can instill confidence in the executive team that the organization is resilient concerning its use of vendors and third parties. The following is an edited transcript of the conversation.

Chris Murphey: Some of the steps they can take is really a really well-defined OKR, KPI, KRI and KCI management program. That’s a lot of acronyms, but what it really comes down to is how you measure your success, and how you measure it in performance, in risk, and control. Then how do you mount that to the bigger organizational business problems. That confidence is really brought up a level when you can articulate with data and facts, how you’re managing things in your organization, how you’re managing the unknowns, how you’re ideating, testing and pressure testing the way that your processing governance structure works. That confidence is really articulated in the way you bring the message forward and the data that you have to support it, so it’s real and tangible.

Dawn Ward: I agree with that and I also think organizations have to look at once you know what those data points are, what you want to capture, what you want to track or what you want to report to, how do you get that out to the people who are actually getting that data and getting it in real time back in so you can evaluate it. Having a system where you can track those KPIs, KRIs, KCIs, you can have the people who are on the ground doing the work to bring the values in to say “I’ve seen that this has changed.”

Having something where you set a risk band or some tolerance level where once it goes outside of that, you have automated reporting to the people who need to know that you are outside of your comfort zone for those areas. It pushes you toward the ability to automate those things, capture the data as it’s happening, in real time from the people who are doing it and getting it to the people who need to know so they can then see the story and tell the story to the right people and be reactive. As we all know, having a lot of data doesn’t do a lot for you if you don’t get it in the hands of the people who need to have it and can react to it.

Chris Murphey: Dawn, I love that advice, it makes me think of how the process to do all that shouldn’t be built from the top down only. That full loop that you explained of feedback and iteration, it should be there when you’re designing it up front, so we know it’s confidently built, and it’s bought into by everyone up and down the organization and they understand their piece inside the puzzle.
