While at first glance the topic of due diligence may appear to be a stodgy one, the reality of a rapidly changing risk landscape and the evolution of due diligence techniques suggests that the opposite is true. The latest section of the Shared Assessments Third Party Risk Management (TPRM) Framework has just been released, providing a deep dive into a wide range of due diligence processes across the TPRM lifecycle.
Even within broad risk categories, specific areas requiring due diligence can change quickly. Emerging global risks, for example, require consistent monitoring and can vary significantly over time, both in terms of likelihood and impact. The chart below shows how these broad categories of risk have changed substantially over a short period of time. Of note, in 2009 environmental issues did not appear in the top five risks either in terms of impact or likelihood of occurrence. Yet, by 2019, 60% of the top five issues – in terms of both likelihood and impact – were environmental in nature (extreme weather events, failure of climate change mitigation, natural disasters).
The Changing Nature of Global Risks
TPRM due diligence processes allow Outsourcers to more fully understand the type and severity of residual risks an outsourcing decision might introduce. While most Outsourcers have an appropriate focus on monitoring security hygiene of vendors once onboarded, fewer practice an appropriate level of due diligence during the vendor selection process as a regular part of Request for Proposals (RFPs) short-list candidate evaluations, especially for vendors that support “critical” or “important” services.
The Due Diligence Module of the Shared Assessments TPRM Framework discusses why RFPs should be designed to identify potential deltas between an Outsourcer’s TPRM (and other) requirements and the Third Party’s capacity to meet those requirements. Especially for critical relationships, RFPs are best constructed when they contain key clauses from an organization’s Master Services Agreement (MSA). Not only can incorporating MSA clauses containing key risk requirements help cull RFP responses faster, but a well-constructed set of clauses also establishes baseline security expectations for Third Parties very early in the outsourcing process. With today’s continuous monitoring techniques, Outsourcers can and should get a feel for vendor security hygiene while RFPs are still being evaluated. And for critical outsourcing parties, Outsourcers should consider onsite assessments before signing any contract.
Outsourcers should conduct widespread due diligence in a number of areas. Accordingly, this module explores Third Party due diligence nuances with a focus on:
- Cyber: Despite the increase in investment in cyber security efforts, the ability to prevent, detect, contain and respond to cyber attacks is not improving fast enough.
- Internet of Things (IoT): This pervasive technology demands a well-documented, inventoried understanding of all devices, applications, controls and the networks IoT touches. The sheer number of devices in most organizations has been a barrier to inventorying all IoT devices, the starting point for any effective due diligence process. IoT security is an issue for both Outsourcers and their vendors.
- Cloud: The advantages of cloud operations can be compromised when users do not understand their security hygiene obligations in cloud services environments. Financial Services regulators are concerned and have suggested there will be significantly more scrutiny of financial institutions’ cloud hygiene practices.
- Emerging Technologies: Risks associated with emerging technologies such as Artificial Intelligence (AI), Blockchain and others are relevant risks requiring consideration by Outsourcers.
- Geopolitical: Geopolitical risks have changed significantly from year-to-year and in some circumstances may seriously compromise operations. Many organizations do not have appropriate resources or expertise to properly monitor geopolitical risks related to vendor operations.
- Climate Change: Regulators are now actively considering factors related to the emergence of increasingly severe environmental events that may impact organizational resilience.
Shared Assessments members can review the latest Framework module here.
Gary Roboff is a Senior Advisor to the Santa Fe Group where he focuses on payments, risk management, mobile financial services, and information management. Gary has almost four decades of experience in financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.