Annapurna was recently delighted to partner with RiskRecon, a MasterCard company, for an exclusive roundtable specialising in third-party risk & supply chain threats, to discuss ‘The Business Case for Situational Awareness in Your Supply Chain’.
The session looked at what we can do to increase the visibility of supply chain threats. How do we determine and identify risky vendors in our ecosystem? Where do we start when building an action-oriented third-party risk program?
The conversation, led by Steve Brown (Vice President, Cyber Security & Resilience at Mastercard) and Jason Huggett from RiskRecon, brought the following takeaways:
Questionnaires need to be reformed
Whilst questionnaires are necessary for assessing how much risk is taken on by bringing on a third-party supplier, some run to as many as 800 questions, making it hard to pick out the key risks associated with the supplier. Questionnaires also rely on the honesty of the third party: whilst they may not mean to be deceitful, they may not understand the risks they are exposed to.
The level of risk, and which part of the business it affects, is the key understanding that needs to be gained from questionnaires. Is there high risk but not on critical business applications, or low risk but with a higher impact? Companies should attempt to map out their top risks, to prevent a disconnect between the risks a third party is actually facing and where the company is looking.
Questionnaires should not only be used in the onboarding process but throughout the period in which the two companies are working together. Continuously monitoring and understanding the level of risk will enable action to be taken if the level changes and keep an up-to-date understanding of the company.
Building relationships is critical to more visibility
Whilst questionnaires are useful, they have to be used as a tool alongside building a relationship with the third party. Building a relationship will enable more visibility throughout the supply chain and greater trust in the given data.
A relationship can be built before the onboarding process, or even before a contract is signed. If a third party does not meet the security requirements, both companies should work together to fix the gaps; once the key issues are fixed, the contract can be signed.
The level of security a third party has will often depend on the company's size. Smaller companies may offer more specialised software that bigger businesses pass over because of the smaller company's weaker security.
Collaborating with smaller companies to develop their security allows those niche products to reach a wider audience, and through interaction with more institutions their level of security can mature.
Whilst maintaining a good relationship with a third party, businesses may feel more in control and so be less likely to switch suppliers. There has to be a constant assessment of risk and an acknowledgement that, even where the relationship is good, there can be an opportunity cost to not switching.
Visibility and compliance decrease the further down the supply chain you go
Visibility into the supply chain decreases the further down you go. Understanding the internal environment of third parties, and where they operate, is also important: a geographical location can place a company in a higher-risk zone that may, for example, not pay a minimum wage and therefore increase the likelihood of corruption.
Being further away also means less visibility of those suppliers' subsidiaries and customers, so contingency plans should be made for cases such as a company facing sanctions or an environmental issue.
In summary: questionnaires can be excessively long and rely on the honesty of the third party; building relationships is vital to greater visibility; and visibility and compliance decrease as you go down the supply chain.
RiskRecon, a Mastercard Company, enables you to easily achieve better risk outcomes for your enterprise and your supply chain. RiskRecon’s cybersecurity ratings and assessments make it easy for you to understand and act on your risks, delivering accurate, risk-prioritized action plans custom tuned to match your risk priorities.
As a leading provider of cybersecurity ratings, RiskRecon continuously monitors the cybersecurity risk of over 15 million companies across even the most highly regulated industries, from finance and insurance to aerospace and healthcare. RiskRecon provides deep, risk-contextualized, data-driven insights into security risk performance across a customer's entire ecosystem and helps pinpoint specific gaps in any organization's security programs and performance. With a 99.1% accuracy rating of its data, as certified by a third party, customers can confidently rely on RiskRecon's data-driven insights.
Customers that leverage RiskRecon’s platform can transform traditional, manual methods of managing cyber risk into automated and streamlined processes – enabling them to build a highly efficient, scalable third-party risk management program. According to findings of the 2021 Total Economic Impact study conducted by Forrester Research, organizations using RiskRecon realize an average ROI of 147% over a three-year period.