Is your organization unknowingly exposed to the increasing risks from “third parties”?

FRIDAY, JULY 14, 2023

In today's business landscape, organizations rely increasingly on third parties (e.g., vendors, suppliers, service providers, outsourcers, agents, distributors, etc.) to support various business operations and to achieve business and information technology objectives, including gaining a competitive advantage.

However, using such third parties introduces a range of increasing risks to the organization. For example, when the organization uses a cloud computing service such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) to store and process customer or sensitive information, it is exposed to IT-related and regulatory risks arising from ineffective controls. Additionally, the continuous growth of cyber-attacks intensifies the risk landscape, potentially placing customer or sensitive data in danger. Some of the key root causes are insufficient staff awareness or understanding, an unclear framework and policy for third party risk management, no supporting system or tools, and inadequate control processes across the whole third party lifecycle. These processes include third-party due diligence and selection, contract management, IT security and access controls, third party performance review, and terminating contracts with third parties.

How can an organization ensure that the risks associated with third parties are effectively managed to minimize both financial and non-financial impacts? These impacts can include system disruption or outages that may affect customers or staff performance, damage to the organization’s reputation, and non-compliance with relevant laws and regulations such as the Personal Data Protection Act (PDPA), the Cyber Security Act (CSA), or industry-specific regulations such as the IT Risk (including Third Party Risk) requirements of the Bank of Thailand (BOT), and the latest one from the Securities and Exchange Commission (SEC) on IT Governance, Security, and Audit, which has just been released and came into effect on 1 July 2023.

As a starting point, organizations may undertake a preliminary self-assessment of third party risk by considering the following questions: 

  • Who are third parties in the organization?
  • What are the relationships between the organization and its third parties, and how material are they to the organization?
  • What governance and control do we have over the third parties? (e.g., staff knowledge and understanding, framework & policy, system/tool, and control processes)

Most organizations encounter the following typical Third Party Risk Management (TPRM) challenges and risk landscape:

  • Limited staff knowledge and know-how, and a limited scope of risk domains.
  • Limited scope of third parties under active management (i.e., the contingent workforce, subcontractors and intra-company entities receive no oversight).
  • TPRM is largely considered to be the sole responsibility of the first line of defence, e.g., basic due diligence during vendor onboarding, particularly in regulated industries.
  • Insufficient governance and oversight by second and third lines of defence, resulting in limited visibility regarding aggregated third-party risk, and the extent of its concentration, at the organizational level.
  • Insufficient, incomplete, inconsistent, and disparate data spread across multiple systems, as well as a large extent of manual processing. This may cause ineffectiveness and inefficiency in management.

Third party risk can be assessed with “top-down” and “bottom-up” approaches that consider the organization’s current state in terms of people, process, and system/tool, in order to apply a TPRM framework and related control processes. The advisory team can assist with and tailor TPRM advisory or implementation services (fit-for-purpose) to match the organization’s needs. These services may include the third party due diligence process, assessment of risks and existing controls, contract management, third party performance review, quality review on a continuous basis, etc. These actions aim to minimize the organization's exposure to the increasing risks associated with third-party services, while instilling long-term confidence in investors, customers, employees, and stakeholders of the organization.

For more information on Third Party Risk Management, please visit this link.

Chinkavin Kittanatchai 
CISA, CPA, CIA, CRISC, CGEIT, CISM
Partner | Risk Advisory
Deloitte Thailand