Mason Karrer

Third Party Risk State of Mind

Blog Post created by Mason Karrer Employee on Dec 8, 2014

Years ago Billy Joel was "In a New York State of Mind" when he returned home to the Empire State. Over the last few weeks my fellow colleagues have been illustrating various scenarios on how third party risk management can play a vital role in a company’s operations in a series of discussions on the current state of mind as it relates to trends in third party and supply chain risk management. This comes on the heels of Gartner’s latest IT Vendor Risk Management Magic Quadrant placing RSA Archer well ahead of the pack in continued market leadership. This is something we’re very proud of as it represents not only a lot of diligent work but also the tremendous gift we enjoy by virtue of having so many amazing, creative, loyal customers who continuously collaborate with us to improve our products. Billy Joel might call that "A Matter of Trust".


Let’s discuss how some of those non-IT external relationships can also factor into the overall operational risk picture. Consider insurance for instance where carrier liquidity and disqualified losses can dramatically impact the quality of coverage; say in the wake of previously identified security weaknesses. “You May Be Right” that coverage should apply but the insurer may disagree in which case you may have just become “Easy Money”, unless of course you can produce compelling evidence to the contrary. Even then it can still be a protracted battle of wills to finalize any settlement which could likely fall short of actual realized losses for a major privacy or credit card breach. A disciplined approach to exploring these types of scenarios up front is necessary to ensure the organization has a healthy understanding of its entire portfolio of third party risks and isn’t blindly accepting more inherent risk than it realizes.


Other types of representative services like legal counsel or marketing and public relations can also benefit from a stronger dose of operational risk scrutiny. For example companies often retain specialty firms full of hired guns to help manage tough situations like breaches or other crises. In politics the term "risk management" usually relates more to spin control than security controls. It’s also common for companies to engage outside assistance when launching new products or other initiatives, or maybe just to help rejuvenate a tired brand with a fresh image makeover. The exposure risk is usually low for most of these pursuits given the level of iteration and approval required before any work sees the light of day provided no inadvertent leaks or other dumbdumbery occurs. Other times though they can bite in a hurry if the wrong firm was chosen or the project mishandled. When there’s only one chance to get it right what happens when things go wrong?


Two scenarios come to mind where this can quickly get interesting from a third party risk perspective. The first is crisis response. A company experiences an impactful event (breach, fraud, corporate scandal, whatever). Incident response best practices include initiating a predetermined chain of communication with clear guidance on interacting with the public (press inquiries, public statements, etc.). Controlling the flow of information is crucial to ensure the right things are communicated clearly as well as guarding against misinformation or leaks further hampering response and remediation efforts. From a certain viewpoint having the right PR firm on retainer in those types of situations could almost be regarded as its own form of insurance; intended to reduce the risk of further reputational damage by transferring certain communications and message crafting responsibilities to a more qualified outside expert.


What happens if that service fails to deliver? Whether in response to a crisis or something else entirely, how are the terms of service and dispute resolution mechanisms managed? When a company has servers at a hosting facility that gets knocked offline by a clumsy technician or power outage it’s easier to identify a fault chain. Something like five 9s of uptime can be measured empirically so enforcement through a service level agreement is pretty straightforward. But if a company retains a professional spinster to help control a sensitive public message and it backfires, is similar recourse available? What kinds of SLAs are best defined? Can fault be established? How should the company best manage those types of inherent third party risk adjacencies?


Here’s a second hypothetical, this time from the product side. Let’s pretend you’re a software product vendor participating in one of these analyst bakeoffs like the Gartner MQ. Just for fun let’s even say you’re actually one of our competitors in the GRC space. The whole process is competitive by nature and while different analysts have different styles, across the board there’s usually a large questionnaire you have to answer and other product information you must provide, typically on a very tight timeframe. So let’s further pretend you decided to try and stack the deck by engaging an outside industry “consultant” to help you prepare your responses (surprisingly some vendors really do this.) It’s all in secret of course as you would never want anybody to know you actually needed help representing your own product! Heck, the disclosure of that alone would be embarrassing, maybe even triggering a crisis response event by itself!


Fast forward to the release of the report and let’s say unfortunately for you, rather than rocking the house your product actually falls well short of the mark in the rankings. Your hired gun strategy didn’t pan out but at least nobody knows about it, right? So what would happen instead if it wasn’t kept secret? Let’s say the industry pundit you hired had her finger in all sorts of different pies trying to promote herself as a vendor consultant, buyer consultant, and maybe even as an alternative “impartial” product ranker. Let’s further suppose (unbeknownst to you when you engaged her) that she was also providing the same spit polish services to several of your competitors at the same time, essentially nullifying any supposed advantage you paid a premium for; which is why she’s in crisis mode trying to save face the only way she can - by going on the offensive! In her mind there’s no way SEVERAL vendors could hire her in all her glory only to have NONE of them do any better unless the SYSTEM is rigged. Cue Jon Lovitz…”It’s the system’s fault! That’s the ticket!” It couldn’t possibly be that her services added no value, right? Of course not!


Now let’s say before you can remind her of the NDA you have in place she takes things to the next level, fuming across the digital airwaves in her newsletter and social media, shamelessly protecting her brand. Like a scene from a movie, Billy Joel’s “Big Shot” rings out in Muzak over your office speakers as you realize it wasn’t even some internal slip of the tongue that betrayed you but rather the actual consultant you hired! Out there on display for all to see, ranting away and throwing you under the bus in the process! You quickly learn you’re no more a valued customer than she is a trusted adviser. Nope, you’re just an expendable pawn in a desperate saga to preserve her brand against those evil establishment analysts. At least she didn’t refer to you directly by name but it’s easy enough to read between the lines and figure out who’s who. Talk about a hot mess!


So what would you do? What’s your next move? A poor showing in the rankings was bad enough but now you stand to suffer further reputational loss from this disaster. Is this an incident you need to escalate? What kind of public relations damage control might be needed? Considering your confidentiality was sacrificed for the self-preservation purposes of the one person who should have known better, maybe she’s opened herself up to litigation? But how much will THAT cost to pursue and how will it help? What about investor and board confidence in your product leadership and direction? What kind of third party risk management process improvements should you implement going forward?


Lots of tough questions to answer which now have you wishing you’d just slogged through the whole ranking process yourself and let the chips fall where they may, making your own luck like we do here. Hey, we might not be the smoothest talking bunch and we've taken our fair share of dings too but at least we’re authentic. What you see is what you get and I can tell you from firsthand experience we wouldn't dream of entrusting to some outsider anything as important as representing our products in a professional analysis like the Gartner MQ…ever…because it’s always about more than just products. It’s about the people and the company standing behind those products and the customers rallying around them globally. Come what may we sail under our own power, our customers alongside us at the helm, and our integrity intact. No outside caricatures with mixed agendas or venture capitalists to worry about. Just us with all the passion and commitment we can muster. Considering the spot we've earned atop the leaderboard, who are we to argue with the results? Like Billy Joel said…#JustBeYourself