By: Nihad Hassan
June 9, 2021
Third Party Risk Management
We live in a world where products and services are routinely produced by more than one provider, often located in different countries. The proliferation of the internet and IT technology has taken this outsourcing concept into a new dimension.
Outsourcing is the practice of shifting part of an organization's workload, tasks, work operations, or processes to an external vendor for a specific period. Organizations outsource to achieve numerous benefits such as competitive advantage, reduced costs, improved customer service, access to external expertise and assets, and better efficiency and profitability. However, outsourcing also brings many risks to adopters, most visibly when a data breach occurs at the vendor.
For years, organizations have worked closely with different outsourcers, agents, and licensors. What has changed is the increased risk of cyberattacks, the weight of regulatory compliance, and the way companies must approach third-party risk when using such services, especially the question of how a third-party provider will handle the client organization's confidential IT information.
As digital transformation steadily reaches every aspect of work, organizations become more reliant on IT to conduct their business. For instance, most now use the internet as a storefront to sell their products and services, and they access large data repositories, both public and commercial, to gain insight into customers and market trends. This heavy dependence on IT has driven IT budgets sharply upward, which has pushed most organizations to transfer the management of part of their IT assets, staff, and related operations to external vendors to save costs and increase their competitive advantage.
What is meant by IT outsourcing?
IT outsourcing is the practice of using services offered by a third-party vendor to deliver some or all IT functions, such as managing IT infrastructure, running service desks, or maintaining data centers. IT outsourcing comes in two forms:
- Fully managed service: The IT provider manages all of the organization's IT support and maintenance.
- Co-sourced IT support: The IT provider supports the client organization's in-house IT team or takes over IT functions during peak demand. Large organizations commonly use this approach.
IT outsourcing can be delivered by a single external vendor or by multiple vendors, depending on the organization's needs.
Types of IT outsourcing
Offshore outsourcing
Offshore outsourcing is when an organization sends its IT-related work to an IT provider located in a distant foreign country, such as India or China. For example, many US organizations run their customer support departments from India.
Nearshore outsourcing
This model occurs when an organization sends its IT-related work to an IT provider in a neighboring country. For example, a US company uses the services of a Canadian IT provider.
Domestic outsourcing
In the domestic outsourcing model, the external IT provider is located in the same country as the client organization. The service is delivered either onsite or remotely.
Cloud providers
This is the most widely used outsourcing model: an organization consumes services from IT providers located anywhere in the world over the internet to support its IT functions, for example Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service.
Managed services
In this model, an external provider takes over specific network management and security-related tasks such as operating virtual private networks (VPNs) and firewalls, network monitoring, auditing, and reporting.
What types of IT services are typically outsourced?
The most commonly outsourced services are web and software development, web hosting, technical support, disaster recovery, incident response, backup, data center management, email services, and security-related tasks such as antimalware, spam filtering, and other online threat protection.
What are the risks of IT outsourcing?
The ongoing COVID-19 pandemic has forced most organizations to depend on external IT providers to support a remote workforce, which makes managing third-party risk urgent. We can recognize the following three primary risks associated with IT outsourcing:
Confidential information: Third-party providers may handle the client organization's sensitive information as part of their work. To measure this risk, an organization should examine the amount and type of sensitive data the provider manages and how frequently that data is processed; the larger the volume and the higher the frequency, the greater the risk weight. To mitigate this, client organizations should regularly visit the provider to review the security controls that protect their sensitive data. Hiring an external auditor to assess the provider's security and data protection controls is also a sound measure.
Business continuity: What is the third-party provider's business continuity plan? Can it keep operating if a natural disaster occurs? Could political instability disrupt the provider's work? What would the impact of such events be on the client organization's own operations?
Compliance risks: External providers may store a client organization's sensitive data outside the client's country. For example, under the General Data Protection Regulation (GDPR), any company that processes or stores the personal data of individuals in the EU is subject to the regulation regardless of where that company is located, and transfers of that data outside the EU are restricted unless appropriate safeguards are in place. What if a third-party provider stores a European organization's customer data in Asia? Many similar data protection regulations must be observed when using third-party services, so the provider's storage and processing locations need to be known and contractually controlled.
There are many good reasons to outsource IT functions to external providers, but the risks of such arrangements must be addressed properly. For instance, beyond the risks discussed in this article, some IT providers subcontract parts of their service to other external providers, which scatters the client organization's data and services across unpredictable geographical locations and fourth parties the client never contracted with or vetted.