However, using such third parties in the organization introduces a range of increasing risks. For example, when the organization uses cloud computing services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) to store and process customer or sensitive information, it is exposed to potential risks, including IT-related and regulatory risks arising from ineffective controls. Additionally, the continuous growth of cyber-attacks intensifies the risk landscape, potentially placing customer or sensitive data in danger. Some of the key root causes are insufficient staff awareness or understanding, an unclear framework and policy for third party risk management, no supporting systems or tools, and inadequate control processes from beginning to end. These processes include activities such as third-party due diligence and selection, contract management, IT security and access controls, third party performance review, and terminating contracts with third parties.
How can an organization ensure that the risks associated with third parties are effectively managed to minimize both financial and non-financial impacts? These impacts can include system disruption or outages that may affect customers or staff performance, damage to the organization’s reputation, and non-compliance with relevant laws and regulations such as the Personal Data Protection Act (PDPA), the Cyber Security Act (CSA), or industry-specific regulations such as the IT Risk (including Third Party Risk) requirements of the Bank of Thailand (BOT) and the latest one from the Securities and Exchange Commission (SEC) on IT Governance, Security, and Audit, which has just been released and takes effect on 1 July 2023.
As a starting point, organizations may undertake a preliminary self-assessment of third party risk by considering the following questions:
Most organizations encounter the following typical Third Party Risk Management (TPRM) challenges and risk landscape:
The assessment of third party risk can be carried out with “top-down” and “bottom-up” approaches, considering the organization’s current state in terms of people, process, and system/tool, in order to apply the TPRM framework and related control processes. The advisory team can assist and tailor TPRM advisory or implementation services (fit-for-purpose) to match the organization’s needs. These services may include the third party due diligence process, assessment of risk and existing controls, contract management, third party performance review, quality review on a continuous basis, etc. These actions aim to minimize the organization’s exposure to the increasing risks associated with third-party services, while instilling long-term confidence among investors, customers, employees, and other stakeholders of the organization.
For more information on Third Party Risk Management, please visit this link.
Chinkavin Kittanatchai
CISA, CPA, CIA, CRISC, CGEIT, CISM
Partner | Risk Advisory
Deloitte Thailand