
Common Failures of Third-Party Risk Assessments

June 12, 2014

Third-party risk analysis – whether used to evaluate partners, service providers or suppliers – is a necessity in today’s business landscape. Assessing the services provided by external agencies is often as critical to an organization’s success as its own internal practices. However, many companies follow inconsistent approaches that don’t give an accurate picture of the risks associated with “outsourcing” services. Fortunately, the failures commonly seen in third-party risk assessments are relatively easy to address if you apply effective and consistent practices.

A failure to understand the things that truly matter

As assessors, we frequently concentrate on information technology concerns such as troubled systems or known vulnerabilities. Our “IT security” or audit backgrounds make this approach comfortable, but we fail to understand why, or if, those things really matter. Financial and reputational loss results from the exposure of our most sensitive information resources, compliance obligations, critical business process flows, and exposure vectors. Anyone who has ever performed a business impact analysis knows that figuring out where each of those concerns lives is far more difficult than just pointing to the production environment and getting to work. Third-party risk assessments should begin with a scoping process to identify the things that have the largest possible impact on the organization.

Applying a “one size fits all” approach

Third-party risk assessments should not treat every vendor relationship as if it carried the same risk. As explained in a previous blog post, third parties can be mapped to one of three risk tiers, which determines the level of due diligence you perform. This helps an organization determine what sorts of assessments are needed, how often they should be performed, what scoring mechanisms should be put in place to measure the results, how critical the remediation activities are, and how the results can be included in the enterprise risk management approach. If all of the gold actually was in Fort Knox, it would be easy to guard. Our gold, however, is spread far and wide; and in a world of limited time and resources, we’ve got to focus our protection efforts accordingly.

Not developing and applying applicable standards when evaluating risks

This can result in ineffective judgment metrics. It is true that comparisons need to be performed using a consistent set of criteria, and organizations can leverage many widely accepted standards such as those promoted by The Santa Fe Group SIG, HITRUST, or the ISO frameworks. However, even after a company has adopted one of these common control sets, the evaluation criteria must be tailored to fit the nature of the third-party relationship. Organizations often fail to apply these tailored evaluations to each third party; the result is evaluations that do not provide data that can be easily correlated, or that are skewed by assessing control failures that have no bearing upon the relationship. We need an apples-to-apples evaluation whenever that is possible, but we’ve simply got to accept that sometimes our third parties don’t even sell fruit!

Organizations are increasingly attempting to use the services of third-party organizations to augment or replace their own capabilities. This sharing of responsibilities brings exposures that must be understood, evaluated and mitigated. As risk management professionals, we must apply repeatable and defensible practices to evaluate those exposures and understand how they must be treated to provide adequate security to our company. Those steps must include an effective understanding of information assets, scoping of required activities and the execution of consistent, applicable reviews.

By: Chris Gray

Vice President, Enterprise Security and Risk
