Sarah Robinson, senior director in the FTI Technology practice, discusses the Venn diagram of enterprise risk management.
Why is Third Party Response such a big topic across the C-suite, and why should general counsel offices be particularly focused on this area?
Sarah Robinson: The entire topic of third-party risk (TPR) management is complex and increasing in the challenges and number of players involved. At its heart is a very old proverb: Every chain is only as strong as its weakest link. The problem today involves three very interrelated factors.
One is volume, which has increased exponentially in the past 5 to 10 years. With the recession in 2008 and increased technical sophistication, there’s been a significant uptick in use of third parties across businesses of all sizes and across almost every industry. People are outsourcing whatever they can and trying to increase their margins with ever more complicated global supply chains.
Two is that regulatory scrutiny and fines continue to increase, sometimes to the tune of hundreds of millions of dollars. Regulatory scrutiny can be related to security, data privacy, and more traditional legal concerns. The interplay of increased scrutiny and higher fines means that lack of follow-through to address these concerns in a meaningful way can present a number of pain points that grow – and potentially compound over time.
Three is reputational impact. There’s a feeling across both our personal and professional lives that the technology we use must always be ‘on’ and usable – so there’s less room for error from that perspective. News cycles and pervasive social media mean that something that 10, 15 years ago might’ve been a local problem, or potentially localized to a particular geography, can quickly become a global issue.
Between volume, regulatory scrutiny, and reputational impact, few parts of any organization are left untouched. And that, frankly, is why so many C-suite executives are talking about the challenges (or should be), whether they are labeling them as third-party risk or not. A general counsel’s play in this is related to being a trusted adviser who can help their organization navigate across all of the stakeholders while obviously keeping a close eye on the regulatory and legal ramifications.
Multiple studies indicate that somewhere between 42 and 59% of companies have had a data security breach from a third party. Perhaps even more important, only 29% of those companies believe that their partners will actually notify them of a compromise. So the challenge is large, it’s complicated, it’s sophisticated, and it requires a thoughtful approach to address the plethora of resulting issues.
What TPR governance risk issues should be considered?
Third-party risk management brings into focus what I call the Venn diagram of enterprise risk management. There are security implications, as well as compliance matters, which in third-party risk really implicates many data privacy laws. Business lines are focused on getting to market and positioning themselves with the best capabilities; they focus on revenue and services. Timing is an important component for them, understandably. Their focus is not on how can they make sure that they’re compliant with various regulations or safeguarding their reputation in the marketplace. Thinking through an enterprise-wide governance strategy that takes into account all of the relevant stakeholders is critical to success.
Why can’t TPR simply be met with a good contract?
That’s intimately related to the reality that every business is a technology business today. The flow of data, the flow of technology, the requirements of technology bring into the same room stakeholders and business leaders from almost every part of a company. Contracts are certainly helpful and under privacy regulations – they can be a requirement. But the technology-centered nature of companies and the increased regulatory scrutiny that we talked about earlier effectively mean that organizations are held much more accountable for appropriate follow-through.
Did you share data appropriately? Did you delete it appropriately? Did you process it in a manner that was agreed upon? Under current legislation, individuals can initiate regulatory review in some cases. Bad actors within an organization can consciously or unconsciously expose the company to a plethora of risks based on their actions. And companies are being held accountable in ways that they have not been held accountable before. No longer can they construct a paper trail and have served as the bulwark of defense, particularly when facing enforcement actions.
These challenges are dynamic, and they require organizational agility like never before to address them.
How can organizations prevent lines of business or individuals from creating new third-party relationships that expose the company to greater enterprise risk?
This gets to the crux of overall governance. Fine-tuning a governance model that works for your organization and has a direct correlation with effective change management is the cornerstone of successfully managing the complexities of these challenges.
Change management isn’t just about creating good power point presentations to educate folks within an organization. Change management really needs to provide the tools and training and drive home the context for why and how we must change the way we do things. Adopting new technology, or making sure there’s sign-off on something before proceeding, requires many individuals to approach their jobs in slightly different ways. Having a governance model that’s appropriate to your culture has everything to do with whether or not your employees will absorb what you’re asking them to and behave accordingly.
These are complex issues, but ultimately, it’s a technology-centered problem. Roll out communication plans and job aids, whatever else might be contemplated to arm professionals to embrace this new way of doing things, and adjust accordingly. In essence, the governance style needs to be closely aligned with your culture. Adequate resources should be expended to ensure proper training and support materials are created and usable. It is a dynamic problem that requires dynamic solutions, and that includes ongoing efforts and continuous monitoring.
Will there be some latitude from the public and regulators since everyone is scrambling to make due during this crisis?
Unfortunately, I think that’s highly unlikely. Let’s take data privacy regulations. Two regulations of particular concern globally are the General Data Protection Regulation (GDPR) and the California Consumer Privacy (CCPA) Act. Both of these laws were passed long before COVID-19 changed the way we live and do business. These regulations call into focus the degree to which organizations are good stewards of the personal information of individuals. Saying that you didn’t know or you weren’t ready, when these regulations were passed with plenty of time to at least develop a thoughtful approach, is unlikely to sit well with regulators.
As enforcement actions are showing, GDPR and related privacy regulations have already triggered numerous significant enforcement actions, with fines into the hundreds of millions of dollars. It would be a little bit late to say that this pandemic has put my organization in a place where I cannot prepare or I was not prepared.
Can standards of care during a crisis actually create greater liability?
In the United States there is case law that indicates that ‘reasonable standards of care’ in the regular course of business is considered a lower standard of care than what is expected in a time crisis As we know there are greater potential ramifications of failing to meet that higher standard than ever before. The thought process is, in crisis we need to be able to rely even more upon people doing their jobs more carefully, taking a harder look at what they’re doing, why they’re doing it, and how they’re doing it.