Managing risk in a connected ecosystem

The digital revolution is driving major changes in virtually every organization's business and IT ecosystem. As more enterprises embrace digital transformation, they are now required to transform processes, systems and service integration across their network, i.e. suppliers, distributors, partners and other third parties. Organizations are more and more reliant on third-party suppliers to deliver business-critical products and services to their customers. Open APIs allow a tighter coupling between businesses and suppliers, offering the potential for more effective supply chain and logistics optimization. But tighter coupling brings the risk that third party failures can rapidly damage your reputation and have significant operational and cost implications.

With fast-changing and more complicated ecosystems, the risk is even more challenging to assess and mitigate. Technological advances are creating an entirely new risk ecosystem in which the risks are interconnected and continuously evolving. Enterprises face more threats to reputation and regulatory compliance. Supply chains, distribution channels and more flexible business platform models lead to unpredictable new risks that may lie with fourth, fifth or sixth parties. Unmanaged risks can now more easily spread across multiple functions in the ecosystem, compromising the business reputation along with customer trust. Managing risks in the changing era of the growing ecosystem is now critical to an organization's sustainability.

Today, the typical enterprise has huge volumes of confidential data and intellectual property moving through its IT ecosystem. Understanding the flow of data through a supply chain has been critical to gauging supply chain risk in the past, but today, those data flows are becoming increasingly complex and harder to track. The rapid advances in technology have also increased the type and number of threats and vulnerabilities to an organization’s data, leading to a rise in third-party incidents. All businesses operating in a complex IT ecosystem are likely to experience outages, breaches or another form of failure at some point.  Given the growing severity of the related punitive action by regulators and customers, being proactive with your risk approach can help you safely unlock the benefits of operating in this new IT ecosystem.

One relatively new consideration, accelerated by the COVID-19 pandemic, is the increased move to cloud services, which has increased the potential for both internal and external threats. For example, business email compromise attacks can now more easily propagate up and downstream to clients and suppliers. Also, the shift to cloud infrastructure has put businesses in an unusual position. Although they have minimal ability to gain assurance over major cloud providers’ extensive security architecture, they remain accountable for any data loss should the architecture be compromised. Cloud has no doubt modified the risk landscape in the supply chain and forces businesses to be creative over how they gain assurance or re-evaluate their risk appetite. Given the proliferation of cloud hyperscale providers, cloud security risk may be something that only a regulator can address at a systemic level.

Although challenging, identifying the ecosystem risks is necessary to understand the effects on your organization. The digital risk ecosystem is driving a new approach based on predicting and preventing risk rather than reacting to it as they arise.  The first step in the risk management process is understanding where your organization sits within the ecosystem. The organization should understand its internal and external environments and determine its mission-critical information assets, where they exist and how they flow across this system — allowing the organization to take a risk-based approach, focusing on protecting its critical information.

Managing third-party risk in today’s business environment is far from straightforward — often requiring large scale programs and much coordination right across the ecosystem. Many organizations don’t have enough capabilities in-house to manage the many third-party risks they face. Roles and responsibilities in relation to Third Party Risk Management should be clearly defined to ensure that risks posed by third-party products and services are appropriately managed. The procurement process is a key element to the overall management of third-party risk. A rigorous understanding of a supplier's services enables an organization to tailor risk management processes and predict potential risks — allowing key organizational stakeholders such as the Chief Information Security Officer to determine:

• How the third party will be accessing, storing or transmitting the organization's data
• Whether it has a controlled environment that meets the organization's expectations or needs to be enhanced
• If specific requirements should be negotiated into the contract.

The risks posed by changing technology, the interdependencies and interconnectivity of organizations and the vast amounts of data that they collect, and hold have been overwhelming for organizations operating in this complex ecosystem. 

From an enterprise perspective, the evolution of the connected ecosystem of suppliers, partners and other third parties will require new levels of awareness and responsibility, as well as support and governance from senior management to understand and accept the appropriate level of risks.  Third-party risk is starting to feature consistently on Board agendas.  Risk professionals need to understand foundational elements of this complex ecosystem — IoT, machine learning, big data analytics, cloud computing etc. — to develop realistic strategies to thrive in this new environment.

Organizations across all sectors are rightfully considering risks within its evolving ecosystem of suppliers, partners and looking closely at the techniques used to manage and elevate them to be a strategic priority. We see businesses taking a proactive approach to Third-Party Risk Management and exploring how they can refine and expand their existing processes through technology enablement and innovation. Along with digital transformation, organizations should manage the risks introduced into the environment and its impact on the current ecosystem, by working across the ecosystem community to drive value from its cross-functional synergies and eliminate threats from interdependent processes.