June 2017 41 Internal Auditor
Only about 1 in 5 finance executives say they frequently evaluate the security efforts of their suppliers and customers, according to a 2017 CFO Research study.
risks are identified and evaluate the overall governance and risk management program each year to determine whether the greatest effort is focused on the highest risks.
Optimize Due Diligence
A company’s third-party risk programs can raise hundreds of due diligence questions. Targeted areas commonly include information security, business continuity/disaster recovery, legal and compliance, technology systems, and financial, to name just a few. Due diligence is often performed manually across these areas, and the process can be time consuming. Third-party risk leaders first need to understand the outsourced service to determine risk exposure and appetite and then send the right questionnaires to the third party, hoping they’re completed and returned on time. Leaders must then review the responses, followed by issuance of risk recommendations — all before the business can sign a contract.
Many organizations seeking a better approach are beginning to value the concept of group intelligence and consortiums as a means of sharing third-party due diligence data. They’ve discovered that third-party risk is not an area one company should solve on its own. When it comes to critical services, nearly every organization —
(including risk profiles).
» Defining inherent risk rating by service type and managing to those exceptions as
» Communicating third-party risk in business terms using advanced data analytics.
» Developing key risk and key performance indicators that help identify areas where third-party risk levels may
» Actively monitoring third-party networks for signs of security incidents and malicious activity using threat intelligence feeds such as BitSight, RiskRecon, or
» Managing reputation and compliance risks, such as negative news and new regulations, with continuous monitoring tools.
» Understanding and monitoring geopolitical risk for outsourced services.
» Lowering program costs by implementing integrated third-party risk technology solutions.
Internal audit should help ensure that the business is managing these processes effectively. Moreover, it should make sure the third-party risk management team’s program is updated as new
The Right Balance
Striking an effective balance enables third-party programs to manage risk while supporting
Set Policies &