Tone at the Top and Third Party Risk was sponsored by Shared Assessments and conducted by Ponemon Institute to understand the relationship between tone at the top and the minimization of third party risks. We surveyed 617 individuals who have a role in the risk management process in their organizations and are familiar with the governance practices related to third party risks.
A key takeaway from the research is that accountability for managing third party risk is dispersed throughout the organization. Not having one person or function with ownership of the risk is a serious barrier to achieving an effective third party risk management program.
In the context of this study, tone at the top is a term used to describe an organization’s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values. As a result, such risks as insider negligence and third party risk are minimized.
Participants in this research agree with this assessment. We asked respondents to rate the importance of tone at the top based on a scale of 1 = not important to 10 = very important. The very important responses (7+) are shown in Figure 1. As shown, 83 percent of respondents believe a positive tone is very important to minimizing business risks within their organization and 78 percent of respondents say it is very important to reducing risks in third party (supply chain) relationships.
A positive tone at the top is thought to provide the following benefits, according to respondents:
- Reduces the risks of working with third parties that are not trustworthy (71 percent of respondents);
- Incorporates such values as integrity, ethics and trustworthiness in relationships with third parties (66 percent of respondents); and
- Increases employee and third party awareness of the importance of security, data protection and business resiliency (43 percent of respondents).
The following are key takeaways from the research:
- Third party risk is considered serious and is increasing. Seventy-five percent of respondents agree that third party risk is serious. Further, 70 percent of respondents say the third party risk in their organization is significantly increasing (21 percent of respondents), increasing (20 percent of respondents) or is staying the same (29 percent of respondents).
- Third party risk is increasing because of a changing threat landscape. Disruptive technologies such as the Internet of Things (IoT) and migration to the Cloud are expected to increase third party risk. Sixty percent of respondents believe IoT increases third party risk significantly (35 percent + 25 percent), and 68 percent of respondents believe migration to the Cloud will increase risk (36 percent + 32 percent).
- Cyber attacks and the IoT are expected to have the most significant impact on an organization’s third party risk profile. Seventy-eight percent of respondents say cyber attacks will have a significant impact on the risk profile and 76 percent of respondents say the IoT will have a significant impact. Cloud computing, mobility and mobile devices and big data analytics will have a significant impact, according to 71 percent, 67 percent and 51 percent of respondents, respectively.
- Despite the seriousness of third party risk, it is not a primary risk management objective. The top two risk management objectives are to minimize downtime (56 percent of respondents) and minimize business disruptions (37 percent of respondents). As discussed above, cyber attacks are expected to have a significant impact on the risk of third party relationships. However, only 27 percent of respondents say a top objective is to prevent cyber attacks. Further, only 8 percent of respondents say improvement of their organization’s relationship with business partners is a top risk management objective for their organizations.
- The consequences of not managing third party risk can be costly. In the past 12 months, organizations represented in this research spent an average of approximately $10 million to respond to a security incident as a result of negligent or malicious third parties.
- Third party risk management programs are mostly informal and not effective. As discussed previously, reducing third party risk is considered serious but very few respondents say improvement in third party relationships is a top risk management objective. Thus, the incentive among the various business functions to create a comprehensive program for risk management is low. Only 29 percent of respondents say their organizations have a formal program.
- The lack of formal programs affects the ability to mitigate third party risk. Respondents were asked to rate the effectiveness of their organizations in mitigating or curtailing third party risk from 1 = not effective to 10 = very effective. Only 21 percent of respondents say their organization’s effectiveness in mitigating or curtailing third party risk is considered highly effective (7+ on the scale of 1 to 10).
- No one function owns the third party risk management program in organizations represented in this study. Accountability for the third party risk management program is dispersed throughout the organization. Twenty-three percent of respondents say the compliance department is most responsible for managing third party risk and 17 percent of respondents say it is the information security function. Only 9 percent of respondents say risk management has ownership of the risk.
- Most C-level executives are not engaged in their organization’s third party risk management process. Only 37 percent of respondents agree that the C-level executives in their organization believe they are ultimately accountable for the effectiveness of third party risk management. As a possible consequence of this lack of engagement, 50 percent of respondents do not believe the risk management process is aligned with business goals, which are most likely determined by senior management.
- Boards of directors are not actively engaged in risk management activities. Similar to the perceived lack of accountability on the part of C-suite executives, only 40 percent of respondents say their boards of directors are significantly involved (17 percent) or have at least some involvement in overseeing risk management activities (23 percent).
- If boards of directors are engaged, it is mostly to conduct reviews. Fifty-two percent of respondents say the board mainly reviews management’s analysis of the effectiveness of a risk assessment and 42 percent of respondents say the board reviews and approves plans to address any risk management or control weakness. Only 25 percent of respondents say they are actively working with management to establish the vision, risk appetite and overall strategic direction for third party relationships.
To read the full research, visit SharedAssessments.org