Prepare for Third-Party Risk Management Challenges

Jason Emmons, Partner, IT Compliance Services
Jennifer Grant, Senior Manager, IT Compliance Services
Evan Higashiyama, Manager

Risk and compliance professionals face an ever-changing landscape of challenges with the rise of software-as-a-service (SaaS) outsourcing. These risk-management professionals are expected to protect their stakeholders while their organizations outsource parts of the value chain in ways that may not represent their core competency.

Refining an organization’s approach to third-party risk management could reduce stress on the risk management department and protect your organization from future breaches.

Why Do Companies Outsource to SaaS Solutions?

Companies might choose to delegate operations or other job functions for many reasons, though it’s typically to overcome budget, skill, or resource limitations.

Third-party service providers help companies to scale operations, gain expertise, and even improve the end-user experience without having to invest in costly new technologies or hire new staff.

SaaS Outsourcing Security Risks

SaaS solutions can solve some common business problems, but third-party vendors may be prone to implementing one-size-fits-all approaches that can make them unable to adapt to quickly evolving needs.

Beyond simple operational inconveniences, there can be real risks that come with outsourcing IT solutions as well. The following graph illustrates the disparity between third-party risk and risk compliance.

Risk Management Versus Technological Advancement

Line graph showing the rate of change over the years for risk/compliance coverage vs third-party risk

Causes of Third-Party Risks

With rapid changes in technology, digitization, and global connectivity, risk management professionals must often scramble to keep up with the rate of change.

Business decisions can happen faster than risk management professionals can anticipate, such as opting for a SaaS solution with less stringent risk management practices—a pivot that can put the organization and its data at risk.

How well your organization manages third-party risk depends on your organization’s awareness level of third-party risks.

Where Does Third-Party Risk Occur?

The four main concerns involving third-party risk professionals are as follows:

  • Cybersecurity. A third-party solution’s cybersecurity protocols could potentially leave an organization vulnerable.
  • Compliance. Your third-party solutions must follow all regulatory requirements.
  • Reputation. Third-party solutions shouldn’t lose customer data, break any laws, or make statements that don’t align with the ethos of your organization.
  • Financial. Third-party solutions should come from reliable businesses.

Why Do Risk Professionals Struggle to Keep Up with Third-Party Risk Management Challenges?

There are three main reasons why risk professionals struggle to keep up with challenges.

  1. Task delegation. Organizations are increasingly deconstructing their value chain by delegating tasks to SaaS solutions.
  2. Keep up with growth. Risk management and compliance departments can’t grow their teams fast enough to mitigate or classify the associated risks with SaaS solutions, which is exasperated when SaaS solutions don’t provide System and Organizational Controls (SOC) reports.
  3. Solutions management. Inconsistent management of inherent risks associated with SaaS solutions across the organization can be problematic.

How to Address Third-Party Risk Management Challenges

Many leading organizations will develop an inherent risk model using the steps below for ranking both existing and potential vendors.

Third-Party Risk Management Model Steps

Three steps to address challenges in your organization related to third-party risk management are as follows:

  1. Grade the SaaS solutions before investing in them.
  2. Streamline internal third-party risk management frameworks.
  3. Create a third-party risk management process.

Cohesive communication across departments can be difficult to achieve. Risk management may not always be especially familiar with their third-party departments or how they specifically relate to the organization’s strategy.

Additionally, third-party vendor risk-management departments may not always be transparent with any risks associated with them.

Risk and compliance professionals can create internal processes to help the organization achieve bottom-line performance targets when managing third-party risks.

How Risk and Compliance Professionals Can Create a Third-Party Risk Management Process

Successfully combatting third-party risks begins with a centralized repository of vendors. Most procurement departments should already have these records on hand; everything stems from this vendor catalog.

Start your risk management process re-framework with the following steps across the next several months.

Get Started at Vendor Risk Management
  1. Create an inventory. Inventory your third-party SaaS vendors and categorize them by risk.
  2. Categorize. Create buckets for each vendor with the following outlines: Less than 5% can be high risk; 40-50% can be moderate risk; 45-55% can be low risk.
  3. Document. Document where SaaS solutions reside in the value chain.
  4. Analyze. Understand how SaaS solutions security risks align with your organization’s security risks.
Steps for the Next Three Months
  1. Upgrade your vendor risk-assessment framework to consider the risks accepted just from engaging with the vendor.
  2. Execute a risk assessment on your SaaS vendors to identify control gaps.
  3. Design and implement necessary controls.
  4. Monitor remediation.
Steps for the Next Six Months:
  1. Involve risk-management professionals with the decision-making process around outsourcing company processes.
  2. Verify that controls have been designed and implemented to address new risks, ideally before purchasing the solution.
  3. Hold business units accountable for risk assessment and remediation. Refresh inventory of third-party vendors and software applications on an annual basis
  4. Implement annual risk assessments.

Third-Party Risk Management Framework Pitfalls

When reformatting an organization’s approach to SaaS solution risks, avoid some common missteps.

Common Missteps

  • Relying on outdated, limited-scope risk assessment questionnaires
  • Relying on company-wide legacy policies and procedures to address new risks posed by third parties
  • Failing to implement control activities that directly address management accepted risks

We’re Here to Help

To learn more about how to prepare your risk and compliance team to navigate third-party risk management challenges, contact your Moss Adams professional. You can also learn more about IT Compliance.

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

How to Build and Strengthen Risk Management Plans
The Many Benefits of Including IT Control Testing in Audits
3 IT Risk Factors That Can Impact Financial Reporting

Contact Us with Questions

Enter security code:
 Security code