Setting the Right Tone for Risk Management
The tone management and executives set regarding security risks trickles down to all employees and can affect a company's third-party risk.
Benefits of Positive Tone at the Top
Reduces the risk of working with untrustworthy third parties (71%). Incorporates integrity, ethics and trustworthiness in relationships with third parties (66%). Increases employee and third-party awareness of the importance of security, data protection and business resiliency (43%).
Third-Party Risk Management Is Serious
75% of respondents say third-party risk is serious, and of these, 70% say it is increasing or significantly increasing.
Disruptive Technologies Are Increasing Third-Party Risk
The Internet of things and migration to the cloud are expected to increase third-party risk, according to 60% and 68% of respondents, respectively.
Cyber Attacks and IoT's Impact on Risk
78% of respondents say cyber-attacks will have a significant impact on their risk profile. 76% say the Internet of things will have a significant impact. Cloud computing, mobile, and big data analytics will have a significant impact according to 71%, 67% and 51% of respondents, respectively.
Third-Party Risk Not a Primary Risk Management Objective
Although they recognize the seriousness of third-party risk, respondents say the top two risk management objectives are to minimize downtime (56%) and minimize business disruptions (37%).
Not Managing Third-Party Risk Can Be Expensive
During the past 12 months, respondents spent an average of $10 million to respond to security incidents caused by negligent or malicious third parties.
Few Formal Third-Party Risk Management Programs
The incentive to create a comprehensive program for mismanagement is low. Only 29% of respondents say they have a formal program.
Consequence of No Third-Party Risk Management Program
Asked to rate the effectiveness of their organization's ability to mitigate or curtail third-party risk, 21% of respondents said they considered theirs highly effective (7+ on a scale of 1 to 10).
Accountability for Third-Party Risk Management
23% of respondents say the compliance department is responsible for managing third-party risk. 17% say it is the information security department's job.
C-Level Executives Not Engaged
Only 37% of respondents say C-level executives in their organization believe they are ultimately accountable for the effectiveness of third-party management. 50% of respondents do not believe risk management is aligned with business goals, which senior management determines.
Boards of Directors Not Engaged
Boards of directors are not significantly involved, according to 17 respondents, or have some involvement in overseeing risk management activities, according to 23% of respondents.
Without one person in an organization responsible for managing third-party risk, companies face a serious barrier to achieving effective third-party risk management, according to a new study. The study, "Tone at the Top and Third-Party Risk," was conducted by the Ponemon Institute and sponsored by Shared Assessments, a member-driven, industry-standard body specializing in third-party risk assurance. "Tone at the Top" describes an organization's environment, as established by its board of directors, audit committee and senior management. It is set by all levels of management and trickles down to all employees. "If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values," according to the report. "As a result, such risks as insider negligence and third-party risk are minimized." The study sample was 617 IT and IT security practitioners in the United States. Here are key findings regarding the state of third-party risk management. The report also offers 10 steps you can take to create a stronger third-party risk management program.