The Ninth Annual Shared Assessments Summit boasted record attendance with 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.
The swift evolution of third party risk threats presents challenges that outsourcing organizations must meet. This year’s Summit provided two action-packed days of presentations and panels that addressed these issues. We also conducted six pre-Summit workshops with more than 100 attendees: SIG 101 and SIG 201; AUP 101 and AUP 201; Business Resiliency: What Your Third Parties Should Be Doing; and Moving to the Next Level: Enhancing the Performance of Established Risk Programs. In addition, we held an informative Luncheon Case Study session each day, and 77 individuals participated in a Summit-week Certified Third Party Risk Professional (CTPRP) workshop and exam.
Panels and presentations topics included: Global Big Data: Privacy and Information Security Challenges; Building Risk-Resilience in Today’s Changing Threat Environment; The Tension Between Security and Privacy in a Healthy Democracy; Panel Discussion with Regulators; and Global Challenges for Third Party Risk Management, to name just a few. Here’s what we learned during our discussions:
The Need for Ongoing Education:
The fragility of world economies, attacks on wholesale networks, ransomware and other infrastructure attacks, and the disruptive impact of blockchain all demand that professional training and certification take center stage, so that a competent and available base of qualified experts exists to meet the growing third party risk management challenges that organizations face at every level. Such education must be structured to be responsive to the intergenerational nature of the workforce and its varying management demands.
Importance of Tone at the Top to Building the Right Risk Culture:
The newly released 2016 study report, Tone at the Top and Third Party Risk, was commissioned by The Santa Fe Group, the managing agent of the Shared Assessments Program, and conducted by the Ponemon Institute. The report examined the state of third party risk management from the perspective of C-level and senior executives, managers and consultants with executive roles within risk management processes. The study showed, and discussion at the Summit confirmed, a strong relationship between a positive leadership and ethical culture (Tone at the Top) and an effective enterprise risk management culture and optimized program, inclusive of third party risk issues. To secure the organization’s long term well-being, the C-Suite and Board should take prominent roles both in resolving open issues and in communicating the fundamental importance of improving risk performance, so that the organization strengthens its risk management environment and meets increasing marketplace and regulatory demands for effective risk management structures and processes.
Managing for Best Risk Hygiene, Not Just for Compliance:
Establishing a direct information security reporting line to the board is a critical element of best risk hygiene. It raises awareness throughout the organization and supports a risk management program that reaches beyond a check-the-box compliance approach and delivers an informed risk perspective. Such efforts must include cyber hygiene: the top threats discussed at the Summit were data breaches, compromised credentials and insecure APIs.
Concern over the Human Element in IT Security:
The human element runs through every part of risk management. At the largest scale, it can catastrophically disrupt business for organizations both regionally and globally, in the form of terrorism, political upheaval and hacking activity. At a smaller scale, ordinary human resource problems can lead to major complications: overworked employees and undertrained staff make more errors, disgruntled workers take disruptive actions, and undertrained staff leave the organization more exposed to cyber threats.
Cloud Security and the Change from the Internet of Things to the Internet of Everything:
The expansion into a world of the Internet of Everything requires today’s board members, who often lack a strong enough background in technology risk issues, to develop an ecosystem approach. That approach includes not only third party risk management, but also managing a workforce that can adapt quickly to the rapid adoption of disruptive technology and apply big data solutions to cybersecurity and risk management. With cybercrime more organized than ever and points of data collection proliferating, protecting data in this space becomes ever more difficult and complex. In addition, many organizations do not know who their Cloud providers are. Speakers noted that 14 billion devices are connected today, with projections of 40 billion by 2018. Outside of banking, some companies are considering establishing a board committee on technology. The US leads other countries in this area, and the message to boards worldwide is to get ahead of threats, understand your vendors’ roles, and increase the flow of relevant information to your organization’s board.
Leveraging Resilience to Ensure Positive Outcomes:
Empowering governance, ensuring a direct line of responsibility within organizations and their vendors, automating analysis for cyber resiliency in the areas of prevention, detection and response, and maintaining strong oversight processes can all help strengthen an organization’s defenses. By assessing what is happening in your organization and identifying and achieving the right balance of agility and security/privacy, your organization can improve its resiliency against risks that include human acts, natural disasters, malfunctions, and loss of services or equipment. One payoff from improved resiliency is enhanced consumer trust, which turns trust into a value enhancer instead of a value detractor.
More Rigorous Regulatory Scrutiny over Third and Fourth Party Risk Management:
The increased outsourcing of critical services produces a conundrum for many organizations: multiple layers of vendors, each of which may in turn rely on its own providers. Fintech in particular has drawn recent regulator scrutiny. While the US leads in many best practices, including those shaped by both regulatory and industry guidelines, it lags behind the rest of the world in data protection practices. Shared Assessments Program members (led by the Regulatory Compliance and Audit Awareness Group) contributed to a response to the OCC’s March 2016 white paper on Responsible Innovation in Banking, which directly concerns Fintech issues. The Program’s Regulatory Compliance Awareness Committee will continue to be an active voice in the discussions surrounding regulation and best practices development in this area.
More from the Ninth Annual Shared Assessments Summit…
Special Thanks to our Knowledgeable Speakers
This year’s Summit brought together third party risk management thought leaders from across the nation. We extend our gratitude to all of these talented, dedicated speakers for their contributions to our workshops, panels and discussions:
We are Surrounded by Industry Champions – VIP Reception Award Winners
The Shared Assessments Program has grown to accommodate more than 200 members, 14 software licensors and over 350 tool purchasers – all collaborating to use Shared Assessments Program content to manage third party risk and service provider oversight.
In keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrate several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. Special congratulations to the following individuals on a job well done:
Our Sponsors are the Best
Thank you to all of the industry leading sponsors and exhibitors who made this year’s Shared Assessments Summit possible!
2017 Summit Opportunities
Interested in being a sponsor or exhibitor at next year’s 10th Anniversary Summit? Contact Christopher Campbell at christopher@santa-fe-group.com or 505-466-6434 to learn more.