It all started two decades ago, when many companies decided that enterprise risk was something worth being concerned about. They realized that all the different types of risk across the enterprise needed to be managed consistently, properly, and thoroughly.
While a great idea in theory, in practice it proved to be extremely problematic, expensive, time-consuming, and nearly unattainable in full. And the return on investment? We are still waiting.
The Breakdown of Enterprise Risk
According to CGMA, “Enterprise risk management (ERM) is the process of identifying and methodically addressing the potential events that represent risks to the achievement of strategic objectives, or to opportunities to gain competitive advantage.
The fundamental elements of ERM are the assessment of significant risks and the implementation of suitable risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risk via internal control procedures or other risk prevention activities.”
Over the years, enterprise risk management was broken up into many different areas, with information risk being the area that cybersecurity fell into. Information risk was further broken up into privacy risk, continuity and resilience risk, compliance risk, audit risk, legal risk, and of course: third-party risk.
Historically, third-party risk was about ensuring legal approval of the contract, checking for financial stability, and signing everything into action. It said little about the vendor's security posture.
Over the last decade, we have realized that things have to change and mature to reflect the state of cyber today. There was a large IT, technology, and cyber risk element that needed to be addressed, and that is how we landed where we are today.
So is third-party risk management a process or a tool?
The answer is both. Third-party risk management is a process that ideally involves different stakeholders: the procurers of the service, an IT operations team to implement it within IT, and a security team to monitor the posture of those partners.
Once stakeholders are in place, overarching responsibility and accountability have to be assigned, along with who is consulted and who is informed for decision making (the familiar RACI split).
While robust processes are well and good, they are best enabled by tools. One of the main tools is a third-party risk management platform, a subset of GRC and IRM. Such tools help standardize and streamline the process so that assessments are repeatable rather than reinvented for each vendor.
How does Black Kite fit into the process?
At Black Kite, we are part of the process on the technology side. A lot of times we hear that our customers have a good process but are missing the right information or data to plug into it. That is where security rating services like Black Kite come in.
We provide information and defensible data so that our customers, or whoever is on the technology side of third-party risk management, can bring that information to management or other stakeholders. The risks can then be properly articulated and explained from multiple perspectives (technical, compliance, financial) in a way that lands.
The Goal of Black Kite
- Gather the data.
- Assess the data.
- Enable the ability to triage and prioritize the largest vulnerabilities/exposure risks.
- Start and develop a process.
- Use tools to implement the process.
- Successfully manage risks across the enterprise.