As summer vacations and holidays start to draw down and the return to school nears, I like to reminisce about the breaks I’ve taken over the summer. One of my family’s favorite outings is to go to amusement parks as we are all “coaster crazies,” though admittedly, my ability to tolerate certain coasters and thrill rides has changed over the years.
What hasn’t changed is the accuracy of the analogy I like to use that compares roller coasters to third-party risk management (TPRM). We can think about an amusement park’s rider height and restriction requirements as a useful way to describe risk tolerances when onboarding new vendors or increasing scopes of work to existing ones.
Amusement Parks and Risk
Whether you’re staring at the major thrill rides or strolling through kiddie-land, you can’t help but notice that every ride has safety requirements posted as to the potential risk of injury to the rider. All three parties – the rider, the parent or guardian, as well as the ride operator – get to perform a quick assessment to determine if their own risk tolerance is acceptable for what the ride presents.
Notably, certain rides require higher due diligence around key factors based on the probability of risk to the rider. These factors can include things like height, weight, and existing health issues like neck or back conditions. With that understanding, one would expect higher riding standards for a mega-coaster as opposed to a low impact ride like a merry-go-round.
Ride operators are primarily responsible for the health and safety of the passengers for their ride. Key responsibilities include inspecting the ride, ensuring proper boarding and securing of passengers, providing instructions to riders, performing a quick safety brief, and making sure that passengers exit safely.
Failure to perform any of these responsibilities puts the rider, the parent or guardian, the ride operator, and ultimately the amusement park, into a high-risk situation that may draw dire consequences for all.
Now envision that you are the ride operator for a high-speed, top-thrill rollercoaster with twisting loops and steep drops. A child or a person with visible health conditions comes to you and says they want to ride. You should be able to size up the rider to see if they can meet the posted requirements and if not, then they cannot – and should not – go on the ride. It is the ride operator’s job to enforce such standards!
Can you imagine the ramifications if the ride operator allows the person onto the ride without meeting the posted safety requirements and they get injured?
Depending on the outcome, the media (both mainstream and social) will be all over the event. As the ride operator, you will most likely lose your job, and the amusement park will surely be engaged in a legal action – all of which can tarnish the reputation of the amusement park, which may then carry over into financial risk.
Size-Up Your Vendors Based on the Data Requirements
It’s a pretty straightforward analogy to compare the scenario above to our responsibility as business “operators” and leaders in risk, privacy and information security. You are in an operator’s role, but instead of vetting riders you are responsible for vetting vendors. We can apply the same logic of onboarding a rider to onboarding a third-party vendor.
When it comes to outsourcing a new engagement or increasing a scope of work to an existing vendor, third party risk professionals need to educate the business to “size up” the risk prior to choosing a vendor.
To do this, you must fully understand and identify the inherent risk or exposure risk. This means you must understand the risks associated with:
The type of data (such as customer or employee personal information, company sensitive data, etc.) being sent to the third party,
Where the data and processing are being performed, and other parties (generally referred to as “fourth” or “n’th” parties) that may be exposed to the data, and
The number of records being processed and any other relevant details that are attuned to the process covered by the statement of work or the contract.
Business lines and supporting personnel are beginning to recognize that they must now consider risk into the selection equation as they become (at least metaphorically) the “ride operators” for their organization.
It’s our responsibility to size up the vendors (“riders”) to ensure each vendor qualifies to be on the ride (i.e., the scope of work matches the posted risk parameters). If the vendor’s maturity in security and privacy doesn’t meet the basic height and weight requirements, or introduces some kind of risk (akin to defects in critical processing components), the “operator” should not trust that vendor with the proper handling of the business’ most precious resource – their data.
Four Basic Tips for Assessing Third-Party Vendor Risk
While a full discussion on third party risk is beyond the scope of this article, here are a few basic tips to help prevent headaches on the back end of the vendor relationship:
Make sure you understand the data, the process, and the location of where the data is being outsourced or processed.
Perform proper due diligence – this is essential and must be done. If you operate in a regulated environment, most agencies require this prior to executing the contract. Remember that due diligence is not an administrative activity, as it requires capable individuals with experience in security and privacy controls, risk management, business resilience, and auditing expertise in order to analyze and opine on a vendor’s security and privacy posture.
Establish effective communication pathways with all business units associated with the internal onboarding chain, as well as with vendors and in some cases, even regulators. It is most beneficial to have other standard-setting organizations (IT Security, Compliance, Legal, etc.) understand your assessment program, so everyone can access the playbook.
Set a policy that is endorsed by executive management so that you can operate effectively. The tone should be both top-down and bottom-up, driven ultimately by the board of directors, communicated down through executive management to business units, and with a feedback loop to learn from experience.
In third party risk management circles, the golden rule of outsourcing has always been, “Just because you have outsourced the process does not mean you have outsourced the risk.”
But if you struggle to remember this, then ask yourself, the business unit, or the project team responsible for onboarding, “Are they tall enough to ride the ride?” Asking that simple questions may save you, your customers, and organization from unnecessary injury.