Streamlining Third-Party Risk Management
April 5, 2021 • Caitlin Mattingly
Joining us this week is Madiha Fatima, a director and head of third-party risk management at Angelo Gordon.
Our conversation centers on creating and maintaining an effective third-party risk management program. We discuss creating an effective due diligence process, integrating automation and process efficiencies, as well as some of the emerging risks she and her team are tracking. We address the human side of risk management, and Madiha shares her advice for keeping your risk management program thorough, while not finding yourself overwhelmed.
This podcast was produced in partnership with the CyberWire.
Hello, everyone, and welcome to Episode 203 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Joining us this week is Madiha Fatima, a director and head of third-party risk management at Angelo Gordon.
Our conversation centers on creating and maintaining an effective third-party risk management program. We discuss creating an effective due diligence process, integrating automation and process efficiencies, as well as some of the emerging risks she and her team are tracking. We address the human side of risk management, and Madiha Fatima shares her advice for keeping your risk management program thorough while not finding yourself overwhelmed.
Stay with us.
I have been in risk management for quite some time, but of course, like every person in risk, I never knew I would end up in third-party risk management, which is such a niche in the risk management world.
I started just as a finance student wanting to really go to the buy side and be on the investment side of the world. However, third-party risk management came as an opportunity. It sounded like something very challenging and something I did not know much about, so I took that chance years ago, and it ended up being something I really love doing.
So my first job in third party risk management was to create a third-party risk management program, create a risk model and really look at third-party risk management from an emerging risk perspective and regulatory environment perspective and really thinking about the cyber risk with different vendors and thinking about how the financial world at that time… this was around, I believe, six years ago, many big financial industries, people were moving to cloud.
There were many unknown risks that were coming into the world, and we were really looking from a perspective of what are the things we are missing, what are the things we should be very diligent about, and how we can really have an effective and robust third-party risk management program in a way where the regulatory environment is always changing as well, so having a risk management program that is flexible and at the same time robust.
So that was my first journey in third-party risk management. And that made me end up falling in love, I would say, with it. And since then, I’ve been doing this.
Well, for someone who is on the inside like you are, are there common misunderstandings that people have when it comes to third-party risk management?
Absolutely. I think a lot of people, and even internal people, some businesses, things like that… and I hear that a lot when I’m speaking at conferences and things like that too, how to really show what third-party risk management does, because I think a lot of people think of it as, “Hey, these are questionnaires and it’s just paperwork that you have to fill out and a lot of red tape you have to cross,” which is somewhat true too, right? We do have questionnaires as part of third-party risk management, but that’s just a piece of it, right? That is something that, honestly, does not make third-party risk management.
What really makes a robust and effective third-party risk management program is really the diligence around knowing your vendor, right? The same way you want to know your clients, you want to know your vendors because in the end, you are sharing your data. You’re sharing your information. You have a reputational risk and a financial risk attached whenever you outsource a service, right?
And a lot of the time, people think of it as, “This is just a policy or a procedure we have to follow and fill out a bunch of paperwork or send a lot of questionnaires to our vendors.” It is not. It is really understanding the control environment of your vendor, because the kind of risk you’re taking on is not a risk you just take on as a business. It’s a risk the whole firm takes on when you engage with a vendor, right? And it’s a risk you are actually exposing your clients to as well, when you really outsource the service.
I mean, that’s an interesting point, because I suppose on the one hand, those regulatory components of checking those boxes are important, but once you’ve done that, that shouldn’t just be the end of it.
Exactly, absolutely, right? So yes, you have to meet all the regulatory requirements of having the information on the controls, really understanding the control environment of your vendor. At the same time, the relationship you develop with your vendor really helps with the performance as well.
One of the big parts of the business [inaudible 00:05:02] and especially something that we should be using as being third-party risk managers, right, to senior management is knowing and developing that relationship with your vendor in the end helps you with the performance management of that vendor.
I have seen things like temporary risk management when we look at SLAs, when we look at the performance of the vendor. If there are issues with that, we can actually use that to our advantage from a financial perspective as well, which is something we often miss because we only look at third-party risk as a component of just doing some questionnaires, right? It’s a lot more than that when we look at the overall.
Is part of this to make sure that you don’t end up sort of coming at this from a, I don’t know, an adversarial relationship angle with your providers?
Yes, it is a part of that. But I think the part of third-party risk management component is really saving yourself from risk exposure, in a way, that will be very dismissive of your reputation and that will expose your clients and yourself, your firm to reputational risk, business continuity risk, right? When you look at the vendors, there are some very critical vendors that you depend on to provide the services that you give your clients on a day to day basis, right?
When you have such kind of dependency on a vendor, it is very important for you to have such a robust due diligence process and internal controls, where if that vendor is about to go down, you have the right infrastructure and controls in place where you have either minimal impact or your clients have minimal to low impact when something like that happens, right?
The true test of third-party risk management program, honestly, happens when there is a data breach, when there is an issue. That’s what really tests the water of your third-party risk management program’s effectiveness and robustness because that is what really shows you the kind of due diligence and the kind of knowing your vendor you performed, how it helps you to be safe from that, how it helps you to not expose your clients and yourself and your firm to exponential risk or high risk.
Well, can you walk us through that process? I mean, what do you recommend for an organization to create that effective due diligence process?
So the biggest part of creating an effective due diligence process and how I look at it, and this is something I really focus on, is not only confirming controls, but verifying controls, right? That is the most important piece.
You can do as many questionnaires as you want, but it’s a good faith answer, right? You’re asking somebody at the vendor, right? Now that person can be anyone in the organization who’s answering the questions on the overall controls of the organization, saying, “Yes, they have this. They have a password protection policy. They make sure their access controls are in place. They terminate their employees with access controls in place. They have the policies to do resiliency testing, all that.” But how do you know to what point that meets your standards, right, or to what point that meets the minimum standards the regulators have in place?
So that’s where the verification of those controls comes into play, right? And you can only do that verification when you really see the substance.
So that is why I’m a big proponent of on-site assessments, right? Things where you can go and see exactly their testing reports. You’ll see their policies are updated on a yearly basis. You really see in their system that yes, the access is only granted at admin level and not just to everybody in the organization or in that particular department, to see your data is actually end-to-end encrypted and there are firewalls in place that are to your standards, right?
So those things really matter. So the verification is the biggest piece when you’re trying to create a robust due diligence process.
And when you’re engaging with a third party, I mean, I suppose that should be a sign as well. If they’re saying to you, “Yes, please come look at what we have here. We’re happy to show you that we’re doing things the way that you would expect,” I mean, that’s a good sign in itself?
Exactly. When they’re open to doing that, that means they want to have, first of all, a long-term and good relationship, right? And that’s the basis of good service. How do we treat our clients, right? We want to focus on the relationship with our clients, making sure we can provide the best services to them.
We are applying that to them, right, so if you have a third party that, right away, does not want to be open to you or show you any controls, what kind of service are they providing their clients? Right there, that should be one of the red flags, right?
Another component when you’re doing third-party risk management, which I think a lot of firms miss, is the contract piece, right? Really getting the clauses in there in the beginning, the right to audit, looking at your vendor, really getting them, because that is the time they need those dollars. They’re signing. They’re getting that agreement in place where you become their client for the long term, for a year, for five years, whatever the time period is. That is where you have all the leverage, right?
So that’s where third-party risk management and the business need to work together with the contract procurement side to really get in there in the beginning and get your clauses to your advantage, and the right due diligence in place, and really develop that relationship from the beginning.
How do you spread that message among your own team? I mean, I can imagine that there are people who are… they’re excited to want to get going, and all of these steps are friction. We want to start doing business. We’ve got money to make.
True. And this is something I hear a lot, right, that we don’t want roadblocks, so we just want to get the vendor in place tomorrow, right? But what they don’t understand is that spending the three days to get the right contract in place and getting the yeses on those clauses is way more beneficial than getting the contract signed in one day and then having three weeks of back and forth with the vendor because now they don’t want to comply with any kind of due diligence, right?
And other things that help, right, which I think are more on the third-party risk management team side, is when you get these vendors from the beginning, right? Make them your preferred vendor. That gives them an advantage, right, because the vendor is now thinking, “If we become their preferred vendor, if we comply with their risk management due diligence, we can actually get more business,” right? And there’s always more than one engagement you will have with your big vendors, right?
So when you show them that there is an advantage for them to comply with your requirements and to make this process smoother and more streamlined, they’re on board as well. The business sees it as an advantage because then you can tell them, “Hey, you know what? This might be the first engagement, but when you do the second one, it’s smooth sailing and a very quick process because we already have the information, the context of the vendor, and we know the vendor already,” right? So it becomes a win-win on both sides. It’s just the way you really make your business aware of it, right? In the end, it really comes to having that relationship with your business as well.
Some of the problems I see on the third-party risk management side are mostly with third-party risk management as a second-line function, right, of a firm. And instead of acting as risk partners to the first line, to the business, we end up being more like a third line or auditors of them, somebody who slaps them on the wrist when they do something wrong instead of being there, solving the problem with them, right?
Because we are the risk experts, so it’s not the business. So we really have to be there as more of a partnership and relationship, even with the business, when we’re doing this and when we’re making them aware of this to really get that streamlined, to really get that process in a smooth fashion, right?
Of course, we will always effectively challenge them. That’s part of our role, but it doesn’t have to be an audit-style challenge, right? It can be a challenge in a way that, “Hey, this could have been done in this way. Let’s solve this together. Let’s do it the right way together.”
How do you determine the appropriate amount of, sort of, digging down in levels? In other words, you’re providing me with some services, but someone’s providing you with services. How reasonable is it for me to keep going down that chain to make sure that everybody all down the line is doing things the way that I need them to be done?
So determining the thresholds of your assessments and determining how far you’re going to dig deep is really dependent on your risk model, right? And the way I see it is, if it’s a vendor you depend on to provide your services to your clients, you’re going to dig to the point where you know exactly how long it’s going to take them to be back up and running if they have a disruption, right? You’re going to dig to the point where you know it takes them two hours, where you have done an internal test and verified their testing to make sure that if something like that happens, you know what you will do. You know what the next steps will be.
But that extreme end and to that point, it gets lower and lower as you go to other vendors. And that is why having a very robust, and I would say, majority [inaudible 00:14:53] program is important, right? Because when it comes to the governance in the third-party risk management world and monitoring, it also has to be sliced per the vendor, per the risk they’re exposing your firm to, right? So when you’re looking at the performance monitoring, when you’re looking at knowing the controls of the vendor, right, how often you do it, how much you do it really is dependent as per your risk model.
One thing I always say, your assessment is always a point in time, right? When you’re reviewing the controls, you’re reviewing their [inaudible 00:15:30], you’re reviewing their policies and procedures, they’re usually a year old. They could be coming up for renewal in three months, and you’re done with your assessment, and you don’t know, three months later, what changes were made. That’s why ongoing monitoring becomes very important for these very critical and important third parties and having a robust, ongoing monitoring process.
At the same time, that kind of criticality might not be there for vendors that are providing you services that are day to day, that are providing you services that really expose you to moderate or low risk. So it really depends on your appetite for risk as a firm.
What sort of things are you tracking in terms of some of the emerging things in third-party risk management? What are some of the things that are evolving?
So the way I see it, of course, the biggest thing is this pandemic, right? We never thought we would come to the point where everybody is working from home, including your vendors, right? The kind of controls and the firewalls you have in a firm are very different from a Wi-Fi connection at somebody’s house, or somebody sitting in a cafe or in their building’s lounge and working, right? Now you have your consultants working from home, working from lounges, working from a public place where more than one person is there, right?
So having a third-party risk management program that is dynamic is very important, especially for you to be flexible in these kinds of emerging risk scenarios, right? How do you now make sure that… one thing that is very important when the pandemic happened is really, what is their pandemic response plan? Are you monitoring your vendors now to see how they responded to this pandemic, how they’re changing their business continuity policies, how they’re taking care of their access now?
Since people are now working from home, what are their network control policies? How are they monitoring their employees working from home, things like that, and your internal policies too. Your consultants will always be third party, even if they’re working internally, right? So now they’re working from home. Can they just print things? Can they just access everything on your hub, or do you have access controls in place where they can only access the things that are required for them to do the service they need to provide you?
Things like that are something that [inaudible 00:17:57] has now incorporated in their program, right, and having a program that is flexible enough to always dynamically change and improve and enhance when things like that are changing, when the environment is changing, is very important.
And another thing I see from the regulators now is they’re looking at the diversity policies of the vendors, right? They’re focusing on the DEI services of the vendor. Is your program looking at that? Do the values of the vendor that you’re bringing on match your firm’s values, right? Do they have a dynamic third-party risk management program where the fourth parties to you, the third parties and subcontractors that they’re using, actually have the same kind of control policies in place that you have?
Things like that are something, now, I would say, a mature third-party risk management program would start looking at.
I think a lot of people tend to find this sort of thing a bit overwhelming. There’s just so much to do and so much to keep track of, and not everyone has someone with your energy and enthusiasm to help them along the way.
What do you recommend? I mean, what’s the best way for people to get started in such a way that they don’t find themselves overwhelmed?
So third-party risk management will always have more and more things to do [inaudible 00:19:23], and as your program matures, there’s always a new thing you can add to make it better, always, like any program or organization within a firm, right? But for firms that are starting with the idea of having a third-party risk management program, a lot of firms are now moving to a centralized third-party risk management program, which is very important if you want to have a similar standard across the firm and things like that.
One thing I would recommend is really starting with the basics, right? So when I develop, and I’m doing that right now in my new role as well, developing a third-party risk management program, you look at the core components. Your core components are having a third-party risk management framework, so having a risk model, having a system that can really rate and slice your inventory to give you an overall view, to really, at least, show you what kind of vendors you’re using and how you’re exposing the firm to risk.
Then developing a very… starting with a very basic due diligence process. When I say very basic, that means minimum controls, right? What are your minimum standards without which you will say, “No, we cannot use this one,” right? That would be your compliance sections, the regulatory requirements. That would be the data protection, GDPR regulations. That would be your most important minimum controls in place. Without that, you will honestly say no to the vendor.
So developing that due diligence process and then having a very core monitoring system. So what a core monitoring system would be is using some vendors out there, right? So doing negative news monitoring. You can use threat intelligence software, right? You can use vendors to do performance monitoring for you, really looking at them from the outside, right?
So getting those core components in your monitoring, right? If you don’t have internal resources to help you, you can definitely use outside vendors and third parties to do that for you, but having a very basic core monitoring process in place.
Once you have that, once you have developed that, the most important thing becomes making that relationship with the business and providing them with the awareness, right, because that is what will make your third-party risk management program successful. That is the only thing that matters, especially when you’re really bringing a third-party risk management program up and running, right? So creating that relationship, providing the business with the awareness, and making them understand what really third-party risk management is and why it’s important and why it’s beneficial for them is your starting point.
Once you have that nailed down, that’s when you start making your program more robust and more effective and adding the governance pieces, making it more mature or more sophisticated, I would say, but really starting with the basics.
Our thanks to Madiha Fatima from Angelo Gordon for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online.
The Recorded Future podcast production team includes coordinating producer, Caitlin Mattingly. The show is produced by the CyberWire with Executive Editor, Peter Kilpe, and I’m Dave Bittner. Thanks for listening.