View from top key in addressing third-party risks, study findsReprints
A growing number of risk management professionals see an increase in third-party risk, an issue that can be countered with a positive tone at the top, according to a study by the Traverse City, Michigan-based Ponemon Institute L.L.C.
The study, “Tone at the Top and Third Party Risk,” released May 2 and sponsored by Santa Fe, New Mexico-based risk management industry-standard body Share Assessments Program, surveyed 617 respondents from mid-February to early March who play a role in their organization's risk management process and are familiar with governance practices involving third-party risks.
The report warns that the consequences of failing to manage third-party risk can be costly. In the past 12 months, organizations represented in the survey spent an average of $10 million to respond to a security incident arising from negligent or malicious third parties.
Seventy-five percent of respondents said third-party risk is serious, 41% said third-party risk in their organization is increasing, sometimes significantly, and 29% said it was unchanged.
Most respondents said a positive tone at the top reduces the risks of working with third parties that are not trustworthy and incorporates such values as integrity, ethics and trustworthiness in relationships with third parties. Forty-three percent said a positive tone at the top increases employee and third-party awareness of the importance of security, data protection and business resiliency.
“The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization,” the report said. “If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values. As a result, such risks as insider negligence and third-party risk are minimized.”
Forty-one percent of respondents said the CEO should set the tone at the top, followed by 19% who said it should be the compliance officer. Only 6% said the entire C-suite is most responsible for setting the positive tone.
Only 37% of respondents said the C-level executives in their organization see themselves as accountable for third-party risk management. Possibly arising from this lack of engagement, the report said, 50% of respondents said the risk management process is not aligned with business goals most likely determined by senior management.
Only 40% of respondents said their directors have some involvement in overseeing risk management.
Fifty-six percent of respondents said the risk assessment does not include intellectual property and other high-value data in the hands of third parties. Thirty-one percent of respondents said they have metrics to measure the effectiveness of risk management activities. So, few organizations in this research are considered to have a highly effective risk management process.
Only 18% of respondents said they assess the cyber security risks of most third parties, with half saying they do not conduct such assessments.
The report contains a series of steps organizations can take to reduce third-party risk. These include having the CEO and directors become more proactive in the third-party risk program.
In light of the increasing risk of cyber attacks, organizations partnering with third parties that have access to sensitive and confidential information must ensure they have appropriate technology to reduce the threat.
Organizations should also assign accountability to ensure that the objectives of the risk management program are accomplished, the report said.