Third Party Oversight

Digital Convergence Demands a New Governance Approach. Are you Ready?

Written by John Bree

Digital convergence, new technologies and regulations are changing the way organizations need to approach governance and control to the new mindset of Supply & Source Chain Component Oversight.

The digital convergence journey is leading organizations to enhanced data processing, storage, retrieval, and value. At the same time, the regulatory sector is catching up and will likely begin using the same technology breakthroughs that we are implementing to test our compliance capabilities and diligence, and enhance our businesses.

The General Data Protection Regulation (GDPR), Consumer Credit Protection Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA) and The Common Rule, also known as the Federal Policy for the Protection of Human Subjects, are becoming cross-industry challenges – no one is immune!

As we move aggressively to follow the Innovation Mantra, we must be just as aggressive with our tools to measure and track risk identification, controls, compliance and governance in our managed services.

A new paradigm is needed.

In this new world, we must change our focus from Third Party Risk, Control and Governance to Supply & Source Chain Component Oversight. This article is based on a basic difference in Supply and Source chains that I believe impacts how we approach Control, Governance and Risk determination.

For the purpose of the following discussion, Supply Chain is primarily an inbound process where product components are provided from external sources and must meet predefined criteria. Component adherence to agreed criteria can be validated prior to the component being integrated into the final product. Think of airplane parts, consumer goods raw materials, machinery, data processing systems and even applications... we can test them before we activate them.

Conversely, Source Chains for the purpose of this article are defined as both owned and contracted entities that a company employs to process confidential data that has been entrusted to them by the data set owner.

In Risky Times, Put Oversight First

With automation at the forefront of the majority of IT and Operational services, foundational control and monitoring are critical for an organization to pursue innovation.

It is also essential that Risk, Control, Monitoring and Oversight be considered at the very beginning of the Systems Development Life Cycle (SDLC). I would go so far as to recommend that the cost, both staff and financial, be included in the original business case and cost justification calculations.

Many of us have experienced the unenviable position of trying to explain why the original ROI numbers and dates were not realized. It is often a case of additional expenses due to unplanned controls and rollout delays due to poor planning for country regulatory approval.

I personally recall situations where an IT Project Manager developed a global, multi-phase rollout schedule without input from the Privacy Department, only to realize too late that the countries in the first phase would require up to six months' regulatory approval. The really sad part was that the countries in the second and third phases required minimal or no regulatory approval.

Another realization in today's rapid design, testing and implementation timelines is the need to establish sophisticated Continuous Monitoring. Whether it is a new application or system, or the enhancement of an existing platform, changes are occurring at a faster pace and, therefore, the tried and true episodic Risk Assessment of the past is no longer practical.

The Mandate for the Future

Real-time, continuous, multi-category, risk intelligence for both suppliers and locations is the mandate for today and the future. This type of monitoring allows companies to maximize Risk Assessment cycles and cadence, by using changes in vendor behavior to identify specific areas for review and avoid the time and expense of all-encompassing assessments, which can often include 1,000 or more questions. These traditional assessments place a very expensive demand on both the service user and provider.

In addition to pretty much everything As A Service, we also have to deal with a host of other challenges.

Collaborate with Peers

After 40-plus years in the financial and advisory sectors, the one thing that has never changed is the need to be open to new ideas and never forget that success is not a spectator game.

While there is no single solution or approach that will meet all the myriad challenges across the vast spectrum of companies, products and processes, a proven first step is to share our issues and concerns with our peers in open forums provided by IAOP like OWS19.

For more on this topic, attend a panel discussion moderated by John Bree on Governance in the Digital World at this year’s Summit. The session will also feature expert views from Khiv Singh, Vice President Sales and Marketing of Sapience; Donald Mones, Director with MUFG Union Bank; and Punit Bhatia, Privacy & Protection Officer, ING.

Visit the OWS 19 website for regular program updates.
