NEWS

What third-party risks are and how to manage them | a conversation with Jelle Groenendaal

The ongoing digitalization of the energy sector is delivering large gains in efficiency and bringing in new capabilities that enable new services and business models. However, as we noted in our article Energy and utilities (E&U): threatened by third risks, this digitalization has also increased the dependency of the energy and utilities sector on its technology providers. In a digital and global economy, managing third-party risks is becoming increasingly important.


We sat down with Jelle Groenendaal, Co-Founder & CMO at 3rdRisk, to understand what third-party risk is and how their solution helps overcome the challenges it poses.

  • Could you give us some context on the topic at hand: what are third-party risks and why is it important to manage them? What are the drivers (regulation, etc.) that make them critical to manage?

Third-party risks are those risks introduced by third-party collaborations, such as vendors, suppliers or partners. In the past, organizations did everything in-house, maintaining control over the risks they faced. Nowadays, companies have outsourced many processes, including those critical to the continuity and security of the business. This poses a risk that needs to be managed. Take IT as an example. If your IT workplaces are provided by a third party, then your daily operations are almost entirely dependent on that third party. If that third party subsequently falls victim to a ransomware attack, your operations could come to a halt. This represents a third-party risk that you must identify and manage.

There is growing regulatory and supervisory attention to third-party risk management. For instance, the recently adopted Network and Information Security Directive (NIS-2) includes several requirements regarding third-party risk management. This directive also applies to essential and important functions, which include many businesses within the energy and utilities sector.

  • Along these lines, could you explain what implications and business impact these risks can have?

Third-party incidents can have far-reaching consequences. We typically see financial, operational, reputational and regulatory implications. A data breach at one of your third parties could have significant regulatory and operational implications. A human rights violation in your supply chain could attract adverse media attention and hence damage your reputation. Finally, there might also be competitive implications. If one of your upstream supply chain partners is unable to deliver, it could result in production delays and give your competitors an advantage.

  • Now that we understand what third-party risks are, could you explain why they are complex to manage and how corporations currently manage them?

The complexity of third-party risk management primarily stems from the sheer number of third parties that organizations deal with nowadays and the lack of insight into what the landscape actually looks like. In many organizations, we observe the absence of a centralized procurement system that captures the entire landscape. Often, there are various decentralized systems in place, or people still work with spreadsheets.

  • Similarly, could you provide more detail on the challenges associated with managing these risks and the current limitations?

Many organizations view the screening of third parties as a one-time action. What happens then is that organizations, before they start doing business with a third party, set several requirements in areas like information security, privacy and continuity. But during the contract period, there is no further monitoring to ensure that the third party continues to meet the set requirements.

Additionally, risks are dynamic and can change over time. This means that you must continuously monitor threats and risks so you can intervene promptly when necessary. For instance, during the Log4j vulnerability, we saw a lot of companies that instantly became vulnerable through supply chain attacks. Along similar lines, we occasionally see organizations paying invoices to suppliers that have long been bankrupt. This can be avoided if you have real-time monitoring in place.

Last but not least, we see that many organizations are using spreadsheets for third-party risk management. For instance, organizations send questionnaires in the form of spreadsheets to their suppliers with the request to fill them out. However, this is neither supplier-friendly nor secure. More importantly, you do not get the overview you would like, and errors often creep into the data, making the whole venture unreliable. Moreover, it is not easy to collaborate with people inside and outside your team in spreadsheets. This makes spreadsheets extremely unsuitable for managing third-party risks.

  • Let’s move on to 3rdRisk. How was the solution conceptualized, and how does 3rdRisk resolve the challenges mentioned above?

Conceptually, we built a multidisciplinary risk management SaaS platform.

First, multidisciplinary in the sense that we enable risk professionals from various risk disciplines – cybersecurity, sustainability, compliance, continuity, safety, you name it – to work together in one environment. All the workflows are designed in such a way that they allow professionals to work together and add content that is meaningful for their risk discipline.

Second, a platform because we connect with internal systems as well as external data providers and enrich the data. For instance, our platform seamlessly connects with procurement systems, ensuring that relevant metadata is automatically fed into our platform. Once a third-party due diligence is completed, risk information is sent back to the procurement system, maintaining one single source of truth. Furthermore, and many business teams love this, our platform connects with Microsoft Teams, which ensures that stakeholders receive notifications in a dedicated Teams channel. All tasks and reminders can be channeled through Teams. Additionally, our platform integrates with external data service providers such as BitSight, SecurityScorecard, Refinitiv and EcoVadis. These providers supply risk indicators per third party regarding cybersecurity, compliance and sustainability, amongst others. Our platform notifies users when a rating changes, allowing them to act and resolve the issue in a timely manner.

  • From the client’s perspective, what are the benefits of the solution, and how does it impact the client’s operations and bottom line?

Traditionally, third-party risk management is a time-consuming, labor-intensive process characterized by a lot of low-level, repetitive activities. Our platform automates those low-level activities and excels in engaging business stakeholders in performing risk management activities. It also streamlines the entire journey for suppliers. In numbers, our platform realizes 0.8 FTE of savings compared to a spreadsheet approach when you want to screen and monitor 100 third parties. This makes our platform cost-effective quickly.

  • Let’s dive deeper into the solution. How does it work, what inputs does it consider, and what outputs does it provide that enable the benefits mentioned?

Third-party data can be automatically imported from a procurement system, uploaded in bulk or entered one by one. Real-time risk monitoring is performed by our external data providers, for instance regarding adverse news, cybersecurity or sustainability. Our third-party risk management module comes with an advanced self-assessment capability, which allows you to create or download assessment questionnaires and send them to your third parties. When submitted by the third party, our platform performs an AI-driven initial analysis of the results and suggests improvement domains. The Issue and Action Plan module in our platform helps you assign ownership to, and keep track of, all follow-up actions within the organization. Finally, our platform has an extensive API allowing you to feed data back to other systems such as Power BI and Tableau.

  • To understand the solution in more detail, what would you say are the key differentiating factors of 3rdRisk’s solution?

As the market for third-party risk and GRC technology is dominated by US players, we strive to be the European alternative. Our technology is built in the Netherlands, we only work with European sub-processors and our data resides in Frankfurt. Beyond this, our key differentiators are:

Innovation: we invest a lot in innovation, such as the use of artificial intelligence and gamification.

High engagement: we spend a lot of time ensuring that our platform is user-friendly, looks appealing and works with commonly used tools such as Microsoft Teams.

Integrations: we can facilitate all types of integrations due to our open API infrastructure.

Quick onboarding: our approach ensures that the majority of companies can start within a week and show results within a month.

Co-development: we work intensively with our customers and partners to improve our platform. For instance, with one of our customers and several partners, we developed a user-friendly internal control module. With another customer we built an AI feature that automatically analyzes SOC 2 reports provided by suppliers, which saves them more than 4 hours per report.

  • Moving on to the implementation of the solution, what would you say are the key success factors for implementing it and maximizing the results? Similarly, how does your company measure success, and what metrics do you use to evaluate the impact of your implemented solution?

Quick onboarding is one of our trademarks. As our platform is built upon industry best-practice blueprints, you don’t have to do much configuration yourself. Many of our customers are able to load their third parties, activate monitoring and send the first self-assessments within a couple of weeks.

My advice to clients is always to start small: start with one department and one risk domain. Once you have the first results and can show the first successes, you can extend the scope.

  • To illustrate all of the above, could you walk us through a successful project your company has recently undertaken?

Schoeller Allibert, a large manufacturing company in Europe, recently started using our platform. They are part of Brookfield, a major US asset manager specialized in, amongst other things, renewable energy.

For Schoeller Allibert, managing the risks posed by major vendors like Microsoft was not the struggle; it was the smaller vendors, third- and in many cases fourth-party entities, that remained a potential risk. The complexity of relationships with multiple vendors raised an important question: how could Schoeller Allibert establish genuine control over these relationships, particularly when engaging with unfamiliar entities?

The challenge was the lack of capacity to implement a third-party risk management policy. While downloading a policy might be a straightforward task, its implementation is an entirely different and much more complex endeavour within a global company like Schoeller Allibert. For the number of vendors they had, managing it effectively would have required the full-time commitment of multiple employees.

To address this challenge, Schoeller Allibert implemented our solution.

“The 3rdRisk platform automates third party risk management in such a way that it minimises our workload while maximising results. The tool is exceptionally user-friendly, easy to understand and its implementation is straightforward. It is designed to provide the best possible outcome with the least amount of effort.”

Ranadeep Sarkar, Information Security Officer

“The implementation felt like a true partnership. It seemed as if we extended our team to include you, and you took on the majority of the work, guiding us every step of the way. Your support was invaluable in helping us succeed.”

Nick DeFreitas, Information Security Specialist.

  • Finally, at NTT DATA we’re proud to say that we’re partnering with 3rdRisk. Can you speak about how our capabilities complement each other to provide value to our customers?

The collaboration combines NTT DATA’s leading expertise, global reach and scalability with the cutting-edge technology of 3rdRisk. Many of our customers are not just looking for technology, but are also seeking a party that can assist them in setting up governance, establishing processes or carrying out the analysis of submitted questionnaires. NTT DATA can provide this at scale and also brings the domain knowledge required to interpret the outcomes of self-assessments and other risk indicators. Lastly, NTT DATA provides content that customers can use, such as frameworks or questionnaires.