New guidance for continuous monitoring of third party IT security risks

The Shared Assessments Program has released its latest risk management guidance, ‘Innovations in Third Party Continuous Monitoring’, the latest addition to the organization’s Building Best Practices series. The series is provided as a free industry resource to security and IT professionals worldwide to drive risk management among digital ecosystem partners.

Third party IT security risks can cause millions of dollars in damages; recent analyst findings confirm that third party involvement was the top contributing factor that led to an increase in the cost of a data breach in 2017. Effective application of the ‘Observe-Orient-Decide-Act’ (OODA Loop) decision cycle principles described in the guidance enables organizations to improve situational awareness, increase risk management program ROI, and reduce compliance costs.

The OODA Loop helps organizational leaders:

  • Assess their organization’s risk appetite and strategically plan accordingly;
  • Prioritize availability of highly experienced analysts who have the ability to recognize a threat and act accordingly; and
  • Ensure the availability of a set of predefined actions – also known as a ‘playbook’ – for specific types of threats to help guide less experienced analysts, and provide more experienced analysts with a policy framework for documenting actions.

It helps risk management practitioners immediately identify:

  • A third party’s ability to support the outsourcer’s requirements for regulatory compliance; and
  • Changes in the third party’s processes, personnel and/or technology that could potentially inhibit their execution of key risk management processes.

“While using third parties can benefit corporate strategy, third parties can also increase both the firm’s operational risk and the costs associated with effectively managing that risk,” said Caree Wagner, managing director, Corporate Operational Risk Management – Third Party Operational Risk at BNY Mellon; Continuous Monitoring Working Group Co-Chair and contributor to the third party risk management paper. “The traditional, static risk assessment process is expensive to execute and may not identify emerging risks until it’s too late. This paper aims to outline how complementing traditional risk assessment processes with a continuous monitoring program can provide more real-time opportunities to identify and mitigate third party risk.”

‘Innovations in Third Party Continuous Monitoring’ may be downloaded here (registration required).
