Wednesday, May 4, 2016

Third party management


Introduction

To focus and specialize on core competencies, most businesses nowadays rely increasingly and heavily on third parties, outsourcing a great amount of their activities such as IT support, software development, data hosting, physical security, cleaning services, heating and air conditioning. They thus subcontract with external suppliers and service providers, which are estimated to be responsible for driving around two-thirds of total revenue and often offer better services at low cost. This tendency is generating numerous critical business partnerships and requires adequate control and oversight.

Third party management is the process of monitoring and managing business collaboration with external parties such as vendors, manufacturers, suppliers, partners, distributors, resellers, cleaning and security services, etc. The process is established by managing information, measuring performance, assessing risks, binding to contractual agreements and complying with regulations.

Third party related risks

Studies revealed that the majority of recent security breaches occur as a result of third parties. Indeed, when organizations rely on third parties, their exposure to risk enlarges. If, for instance, a trusted vendor has deployed but poorly maintained anti-malware software, it might end in a massive cyber-attack as the vendor's network gets compromised. A non-critical but trusted service provider, such as an air conditioning contractor who is insecurely connected to the organization’s internal network for data synchronization or billing purposes, should then be considered a high-risk source. If an organization outsources software development to a third party, it raises a significant risk: the third party may close down while the organization does not have the appropriate talent, documentation, tools or the source code itself to carry on the development and support activities.

The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access to sensitive data or property, and the organization’s liability for inappropriate behavior of its third parties. A cleaning company with access to a director's office represents a different but still significant risk relative to a supplier who provides a critical component to the production line.

When transferring operations and assets to third parties, which should perform better thanks to adequate expertise and resources, businesses still bear the responsibility if any risk materializes. Risk, the combination of the likelihood of harmful events occurring and the consequence of harm, remains relevant even though these operations and assets are outside the organization’s direct oversight, which makes it a higher burden to manage.

Third party risk management

Studies revealed that organizations tend to forget contracts once they’re signed; only 20% of organizations actually include their third parties in their assessment scope.

Managing third parties is often challenging and complex, and thus poorly addressed in most organizations. Some related challenges are listed below
  • Responsibility for risk - it’s frequently unclear within organizations who is managing the individual or overall third party relationships, and how;
  • Reactive handling of risk - unless a critical issue surfaces and associated risks arise, organizations tend to ignore third party risks;
  • Ignorance of risk factors - organizations tend to prioritize third parties based on quality, cost and delivery time, while assessing and managing related potential impacts and risks is often forgotten or ignored;
  • Integrity risk - it’s often hard to assure the transparency and honesty of third parties, and any data they provide is questionable in terms of accuracy and completeness;
  • Contractual terms - contract terms are often underestimated, and important factors such as right to audit, pricing changes due to taxes or discounts, timing, and consequences of short and long term contracts are often ignored. Organizations lean toward standard and outdated outsourcing contract templates which do not cover recent business landscape changes and emerging technologies.
In assessing third parties, risk practitioners should consider a wide range of potential risks. These risks can be grouped into the following categories
  • Financial risks - such as changes in currency rate, loss of product value, losses in market share;
  • Information risks - such as data breaches, data disclosure, data unavailability, data loss, data destruction, unauthorized access;
  • Integrity risks - such as fraud, conflicts of interest, damage of reputation;
  • Compliance risks - such as non-compliance with regulations, operating without licenses;
  • Operational risks - such as systems failures, supply chain disruptions, employees’ skills, employee turnover;
  • Strategic risks - such as poor business decisions, inadequate resource allocation, industry recession;
  • Technology risks - such as changing business landscape, outdated hardware, software malfunction, malware infection, denial of service, email phishing, human errors.
To overcome such threats and risks, risk practitioners should make sure to cover aspects such as
  • Outsourcing process - inventory, prioritization and selection of third parties, oversight activities, performance measurement, communication channels;
  • Business management - leadership, liability, trust, transparency, processes efficiency;
  • Information security - complying with security requirements, implementation of security controls, planning business continuity and disaster recovery, protection of intellectual property, adherence to a non-disclosure agreement (NDA);
  • Risk inventory - knowledge of exposed threats, inherent vulnerabilities, potential adverse impacts, and supposed risk scenarios;
  • Contractual agreement - conforming to service-level agreement (SLA), enforcement of contract terms, constant contracts revision;
  • Regulatory compliance - conformance to relevant regulations, adoption of best practices;
  • Assessment and auditing - right to audit, periodic risk assessments, internal auditing;
  • Ongoing monitoring - internal controls monitoring, independent and on-site reviews, reporting non-compliance.

Conclusion

In today’s world, doing business means relying on some third parties, which exposes the business to significant risks. Hence, businesses should have a clear understanding of the inherent risks in their relationships with third parties. As risks continue to rise due to emerging technologies and market trends, organizations should not only establish comprehensive contractual agreements with third parties, which is a step in the right direction, but also improve and strengthen their relationships, emphasize proactive third party risk management and make it one of the organization's main goals and objectives.

Monday, May 2, 2016

Organizations goals and objectives


Introduction

Organizations exist to create value for their stakeholders by retaining a balance between achieving profits through pursuing opportunities, optimizing the use of resources, and reducing related and potential risks. In order to do so, organizations first need to set a clear set of objectives and goals that articulate their mission, value and reason for existence, and then strive to achieve them. While the organizations' goals represent the desired destination, the chosen objectives characterize the road map to get there.

Below are some of the organizations’ typical and common goals and objectives
  • Increasing sales and market share;
  • Improving customer service and retention;
  • Strengthening partnerships; 
  • Hiring talented people and training current staff; 
  • Minimizing logistic costs; and 
  • Expanding the organizations' presence, etc.
Such goals and objectives should inevitably lead the organization in the right direction by achieving profitability, maintaining employee and customer satisfaction and thus ensuring continual growth.

Business-IT alignment

Business-IT alignment is the sustainable ability of organizations to effectively integrate and use information technology over time to achieve their objectives and create value. In reality, misalignment is common, as most organizations fail to close the gap between IT and the rest of the business. This gap often widens due to differences in objectives, drivers, cultures and attitudes, as well as ignorance. Such a scenario often leads to expensive and inadequate IT deployments without real return on investment (ROI).

The alignment usually aims to improve the business value of IT investments and maintain organizations' success by
  • Building a trust relationship and facilitating communication between decision-makers and IT managers; 
  • Flexibility in implementing business plans and Enterprise Architecture;
  • Presenting the Enterprise Architecture’s capability and limitations; 
  • Efficiency in managing organizations budget and resources; and
  • Ensuring optimal return on investment (ROI) of IT funds.
Better business-IT alignment can be achieved by translating the organization’s goals and objectives into adaptable, specific and mapped IT-related goals, processes and practices. This can be done by adopting standard Enterprise Architecture and IT governance frameworks such as TOGAF, COBIT and ITIL.

Business-IT risk alignment

Organizations tend to have limited resources and give poor consideration to implementing effective enterprise-wide risk management. The organization’s risk profile is often outdated, not aligned with its goals and objectives, and not focused on top management issues.

In response to internal and external events, factors and a changing business landscape, an organization’s objectives and strategic priorities constantly change over time to keep pace with the environment in which it operates. Unless frequently revised and updated, risk management efforts become reactive and compliance-oriented rather than supportive, and risk appetite and tolerance thresholds become unrealistic and can no longer reflect the organization’s current objectives.

Organizations traditionally organize separate meetings for strategic decision-making, planning and risk related initiatives, and thus limit the interaction between these activities, which generates ineffective and redundant efforts and results in additional risks. Alignment aims to reduce such activities and eliminate the gaps in between by integrating risk management with business strategy.

Risk management activities are often confined to the IT department, assessing threats and vulnerabilities related to the department’s assets only, which narrows risk mitigation and exposes the rest of the business to a wide range of risks and uncertainties. Instead, risk practitioners should consider the overall business scope and extend the risk assessment to all the entities, processes and projects supported by the IT division, as well as external suppliers. Risk practitioners should also study previous incidents and act proactively to prevent similar incidents from occurring in future by implementing appropriate mitigation controls, without underestimating any potential risk.

Another key factor in establishing an effective risk alignment is setting up communication channels with top management to facilitate assessing business goals, strategies, priorities and decisions toward embracing emerging technologies, assuring regulatory compliance and covering the overall enterprise end-to-end. Moreover, risk practitioners should be involved in assessing potential risks related to strategic and confidential plans which produce major impacts, such as acquisitions, mergers, changing markets and staff reduction, in order to put in place adequate and effective mitigation plans.

One of the best approaches in aligning risks with business objectives is implementing information security frameworks, risk management methodologies and standards such as
Such practices advocate for a holistic approach in managing information security and associated risks, provide assurance in achieving business objectives, and thus ensure risk alignment with business goals.

Conclusions

Risk management focuses on constant understanding, alignment and securing the organization’s strategies and objectives by promoting the adequate security controls. Moreover, associated risks can be sometimes overlooked in favor of pursuing opportunities that meet organization’s goals.

Risk practitioners should continually and intelligently advertise and over time cultivate risk culture into people’s mindset, and integrate risk management activities and practices into the overall business strategies and processes.

Given that risks impacting the organization can originate from the technology in use, the people operating this technology, or the applied processes, failing to integrate these main sources of risk into the risk profile inevitably puts the organization in great danger.

Sunday, May 1, 2016

Enterprise Architecture

Introduction


Enterprise Architecture (EA) is the process of developing enterprise IT architecture’s description and implementation. The description focuses on a holistic and integrated view of the why, where, and who uses IT systems, how and what they are used for within an organization. The implementation develops the strategy and enables the decisions for designing, developing, and deploying IT systems to support the business operations as well as to assess, select, and integrate the technology into the organization’s infrastructure.

EA main components

Enterprise Architecture is the unifying logic for an organization's core business processes and IT capabilities, captured in a set of main correlated architectural modules such as
  • Business Architecture which covers the organization’s structure, objectives, processes, roles and projects;
  • Application Architecture which includes applications and interactions in between; 
  • Data Architecture which handles data, data flows and data access;
  • Technical Architecture which consists of hardware, software, systems, networks and IT platforms.
An IT system is composed of software and hardware. The software includes programs, libraries and data, which are translated into operating systems, drivers, APIs, applications, databases, etc. The hardware is the physical parts that form a computer (e.g. motherboard, CPU, monitor, hard disk, memory, etc.).

An operating system (OS) such as OS X, Linux, Windows, Android and iOS is a component of system software that manages computer hardware and software resources and provides common services for computer programs which usually require an operating system to execute and operate on top of it.

A network such as the Internet allows computers (as network nodes) to exchange data via network devices (e.g. interfaces, switches, routers, firewalls), over communication links and mediums (i.e. cable or wireless), laid out following specific topologies (e.g. line, ring, star, mesh). It is geographically scaled (e.g. using LAN, MAN or WAN), operates using certain protocols (i.e. TCP/IP) and carries various applications (e.g. web, email, audio and video).

An IT platform is a collection of physical or virtual resources (e.g. servers, storage, networks) that supports an overall IT environment established to capture, generate, process, transmit, present and store information. The IT platform can be formed within a single mainframe, or composed of several resources unified as a single entity (e.g. middleware) in a centralized location (e.g. datacenter), or formed by decentralized components remotely interconnected (e.g. cloud computing or platform as a service).

An IT platform hosts a wide range of business applications such as
  • Enterprise Resource Planning (ERP);
  • Customer Relationship Management (CRM); 
  • Human Resource Management (HRM); and 
  • Project management. 
These applications can be internally accessible within the organization premises, or externally reachable using VPN connections from users using various endpoint devices such as PCs, laptops, tablets or smartphones.

Energy related supplies and utilities such as power supply, power generators, UPS (Uninterruptible Power Supply), HVAC (Heating, Ventilating, and Air Conditioning) and air purifying are critical auxiliary assets that support the overall IT infrastructure.

Challenges in maintaining EA

Enterprise Architecture is a quarter-century-old concept created to align with business objectives and to tackle the increasing complexity of IT systems, on top of the following traditional issues:
  • Lack of support and commitment from stakeholders;
  • Absence of communication channels, reporting and awareness;
  • Shortage of skilled and experienced talent;
  • Incompatibility of outdated standards;
  • Inapplicability of available frameworks; 
  • Nonexistence of measurement and performance metrics…etc.
The same old issues still persist today and are enlarged by the accelerating pace of emerging technologies. Alignment between business and IT, together with the talent, cost and time required to put such a concept in place, represents the organization’s top issues in establishing a mature Enterprise Architecture.

Enterprise Architecture is often wrongly reduced to the practice of documenting the organization’s IT infrastructure and spending all the effort on applying a framework, instead of solving real problems and carrying out business changes by constantly transforming the organization’s structure and behavior within a complex environment.

An Enterprise Architecture can be exposed to a wide range of risks, for instance
  • Obsolete hardware or software;
  • Equipment or application failure or malfunction;
  • Non-redundancy of services or links;
  • Unpatched vulnerabilities;
  • Misconfigured devices or settings;
  • Unlogged and untraced events;
  • Default security passwords; 
  • Poor network cabling;
  • Wireless signal interference;
  • Unprotected wireless access points;
  • Power outages;
  • Poor maintenance or maintenance fault; and 
  • Unsecured facilities...etc.
Since the IT system of an Enterprise Architecture is an interrelated set of components connected to each other, an adverse risk related to one IT subsystem can disturb the overall IT system. Hence, the risk assessment of the entire system should be established by assessing the threats, vulnerabilities and impacts related to each subsystem and component.

EA frameworks

An Enterprise Architecture Framework describes how to build and use an Enterprise Architecture by providing a set of principles, practices and tools to manage the complexity and scalability of IT systems and producing valuable description documentation.

There are countless Enterprise Architecture frameworks. Some of them focus on modeling existing organization infrastructure, others focus on solving business issues. Some of the frameworks are proprietary while others are open source, and certain frameworks were developed by specialized groups, government or defense organizations. Below are some of the leading methodologies
As these frameworks are very different in their nature and approach, the appropriate framework should be selected and used based on the organization’s criteria.

Conclusions

Enterprise Architecture is a conceptual blueprint for business processes and IT systems that defines the structure and operation of an organization and is intended to determine the most effective ways to achieve current and future objectives.

The Enterprise Architecture can be seen as the well-defined set of practices for conducting the organization’s mission in achieving its strategic objectives, improving decision making, adapting to market trends, creating value and realizing benefits while maintaining optimal levels of risk and use of resources.

In regard to risk management, Enterprise Architecture contributes to reduction of business risks from system failures, security breaches and reduces project delivery risks.

Saturday, April 30, 2016

Technological advances



Introduction

Technology is shifting the way organizations interact, communicate and share information by enabling them to access, use and manage information anywhere at any time, and emerging technologies such as smart devices, IoT, social media, cloud computing, big data and cyber security are driving change and innovation across all markets and industries.

In this rapidly changing business landscape, organizations are engaging in widespread adoption and integration of these technologies into their business, as they offer the advantages of increasing productivity, operating more efficiently, enhancing communications, increasing mobility, handling and sharing information better, ensuring a safer and healthier working environment, etc., thus generating economic benefits such as penetrating new markets and making more revenue in shorter periods of time.

Since these technologies are breaking down the barriers of the traditional offices and defeating the old IT risk model, IT risk programs must expand and adapt to meet these challenges.

New technology risks

In recent years, organizations have often blindly embraced new technologies and created new underlying risks by investing massive resources in new IT infrastructures, with the associated cost of upgrading old systems. They do so following vendors’ advertised or promised features of their products/services and the organizations’ own overstated assumptions regarding the presumed performance and efficiency of these products/services, without prior and detailed study and analysis.

Moreover, security-related requirements are frequently overlooked in the eagerness to deploy unconfirmed technologies, which ultimately exposes organizations to great and unknown risks while in reality bringing low added value that fails to meet their strategic objectives and stockholders’ expectations.

Organizations’ data is becoming available online, universally shared via social media and through a variety of cloud platforms and devices such as smartphones, laptops and tablets. This enables data to be stored on poorly secured devices and exposed to a huge risk universe.

Organizations that fail to oversee and support a changing business landscape may endure severe market share losses. As emerging technologies generate more market competition from small entities, which easily emerge and offer similar or better products/services at lower cost, organizations incapable of watching, adapting and constantly renewing their products/services to match new market and technology trends find their business portfolio obsolete as their products/services quickly become outdated.

Organizations are also challenged to either invest in training current staff or hire highly paid talent, as well as to fund research and development initiatives to keep pace with these technologies.

Managing emerging risks 

Organizations should be primarily concerned with addressing current technology issues and cautious about adopting emerging technologies. Only once they have a clearer understanding of the associated opportunities and risks can they devote attention and resources toward adopting these technologies.

Organizations need to build a foresight capacity that allows them to respond quickly to future challenges and uncertainties by adopting appropriate approaches such as the Delphi Method, Horizon Scanning and Trend Impact Analysis. These approaches help them adopt emerging technologies, assess their trends in the long term, comprehend related knowledge, develop corresponding risk indicators to watch the outcomes, and understand the potential benefits behind these technologies.

Organizations’ appetite for embracing changing and evolving technologies should be clearly defined by justifying the purposes of acquiring them, considering the expected added value, and understanding the potential risks they come with. This in turn enhances their ability to develop suitable controls such as plans, policies and procedures to manage the associated risks and to train staff in the adequate use of these technologies.

Organizations should limit the attitude and desire of acquiring new technologies just for the sake of having them, without actual need or clear return on investment. On the other hand, organizations should be keen to evaluate and review emerging technologies in order to implement suitable security controls as soon as they are selected and validated via a proper change control process before putting them into production, which reduces the misuse of unapproved but desired technologies.

Conclusion

The growing use of emerging technologies has introduced a higher threat of IT security breaches, misuse of customer data, and reputational damage. Understanding the threats that can emerge from these technologies is critical to avoid potentially catastrophic consequences.

As these technologies are disrupting and threatening business models, organizations need to keep pace with technology advances and scientific innovations. They should always focus on staying ahead of evolving industry, market and technology trends, align their strategic vision toward a thoughtful embrace of these trends, and consider investing in related research and development efforts. At the same time, they should prevent the misuse of these new technologies by improving communication channels and cultivating awareness among staff.

Regulatory compliance

Introduction

Regulatory compliance is the process of ensuring that organizations are aware of, follow and conform with certain laws, regulations and rules (e.g. policies, standards, guidelines, code of conduct, requirements, specifications, etc.). Those rules can be internal and made by the organization itself, or enforced by external bodies or factors such as governments, legislators, regulators, market, industry, environment, etc.

Thus, organizations are required to identify and comprehend the applicable regulations to comply with, and the risks associated with these requirements, which vary by the nature (i.e. public, private, non-profit), size and type of industry in which they operate.

Compliance landscape

There are numerous regulations out there. Some of them are generic and others apply to specific industries (i.e. banking, retail, manufacturing, healthcare). The intent of most of these regulations is protecting the confidentiality, integrity and availability of information that affects the organizations' stakeholders (e.g. regulators, owners, employees, suppliers, customers, partners, etc.), as well as protecting intellectual property and fighting fraudulent activities such as corruption, bribery and money laundering. Below is a list of some broadly applicable laws and regulations
Regulations are continually increasing in number and evolving, and more rules are coming into practice due to a wide range of factors such as the economic recession, financial and European debt crisis, cybersecurity threats, privacy and data security breaches, emerging technologies, globalization, climate change and human rights, etc.


Compliance challenges

Organizations are adopting new business models (e.g. IoT, BYOD, social media, big data and cloud computing, etc.). These models have changed the business landscape and pose real challenges for organizations, which must acquire and embrace them while at the same time complying with regulations that are increasingly out of date and have not kept pace with these recent technology trends.

In addition to the necessity of investing and allocating significant resources (e.g. talent, budget, training, tools) for compliance related activities, organizations face several challenges in understanding and conforming to regulations which are most likely generic, hard to interpret, and sometimes contradict each other. This is without mentioning the challenges for international organizations in complying simultaneously with various regional and local regulations which differ from one country to another.

Regulatory compliance requires organizations to apply a wide range of practices while addressing compliance issues, such as introducing transparency, protecting sensitive data, retaining records, providing detailed reporting, employee training and awareness, assessing and treating risks, establishing, implementing and measuring controls, monitoring activities, enhancing communications and ensuring continual improvements.


Compliance risk management is part of the GRC umbrella (Governance, Risk management and Compliance) which overlaps in various business disciplines such as incident management, internal auditing, risk assessment, and compliance with regulations.

Compliance is also about demonstrating and reporting back to regulators, in a timely manner, that relevant requirements are effectively in place and operational. Failing to do so is considered a non-compliance, which exposes the organization to a compliance risk by triggering fines and losses.


Failing to comply or violating appropriate regulations leads often to penalties such as payments for damages, fines and voided contracts, which can result also in damaging the reputation, withdrawing the operating licenses, declining in market share and inability to pursue future business opportunities.

Nevertheless, exceptions can be made when organizations decide not to comply with certain requirements and agree to pay the relevant fines. Such a decision can be taken to avoid implementing ineffective or costly controls which exceed the organization's capacity and hold it back from creating value and achieving its strategic objectives. It generates a non-compliance and requires top management recognition and approval with appropriate justification and documentation.

Compliance benefits

On top of the implicit challenges in conforming to regulations, compliance brings several underlying opportunities to improve organizations, create value for stakeholders while assuring compliance, and gain competitive advantages by adopting best practices, better restructuring, embracing ethics and culture, training employees, increasing performance, improving measurements, managing risks, enforcing controls, prioritizing tasks, enhancing quality, optimizing resources and omitting ineffective practices.

Below are some known frameworks, standards and best practices that help organizations in complying with mandatory regulations

Organizations are nowadays gradually embracing the use of holistic frameworks, methodologies and controls which ensure overall and simultaneous coverage of various regulatory requirements without the need to address each requirement individually. This reduces effort and optimizes resources.

International organizations which are subject to multiple national regulations should develop holistic approaches in response to the common and mandatory regulations, in addition to particular supplements (e.g. on a country-to-country basis) suitable to address regional specifics and local issues.



Conclusion

Organizations should be aware of and willing to comply with relevant regulations and adopt suitable practices in order to maintain associated risks, ensure sustainability, improve their lines of defense, and gain value and a competitive edge while addressing regulatory compliance.

While regulations continuously emerge and try to adapt and keep up with changing business landscape requirements, it is essential for organizations to embrace the culture of compliance. Internal auditors and risk managers should be familiar with the compliance universe and the culture of their organizations and assist them in providing assurance to mitigate compliance risks.