Higher education regulatory requirements are increasing year over year. The price to pay is more than just lagging behind – lack of formal policies and procedures to meet these requirements can lead to financial repercussions, bad press, and overall lack of trust which can hurt the university in more ways than one. Compliance needs to be at the forefront of every strategic initiative, ensuring preparedness for any regulations set for the industry.
Complying with these regulations all begins with creating tried and true policies and procedures for dealing with internal and external parties; from performing an annual risk assessment to address GLBA requirements, to engaging in meaningful conversation with your third parties to gain comfort with the controls they operate to secure your data, robust controls need to be implemented. The latter is often an area in which many organizations struggle; all too often the process for selecting new third parties is unilateral or lacks involvement from necessary parties such as general counsel, IT, or compliance. Further, most procurement departments do not have the resources to perform the proper vetting or due diligence of new or existing third parties, and, to add to that, have no agreed-upon metrics to vet against. A defined Third-Party Risk Management (TPRM) program is crucial to ensure all third parties that a university engages with are tracked and cycled through standardized processes.
Current State vs. Desired State
The TPRM lifecycle can be broken down into two major parts: acquisition and continuous monitoring. Acquisition focuses on both inherent and residual risk, while continuous monitoring by the organization mainly corresponds to the level of comfort that a university has with the residual risk that a third party maintains. Inherent risk is defined as the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, while the residual risk is defined as the amount of risk associated with an action or event remaining after natural inherent risks have been reduced by control mitigation. In this case study, we will be highlighting a university that realized the importance of TPRM and how we assisted them in standing up and operationalizing their program.
The university maintained existing processes but was still missing key parts of the TPRM lifecycle. Namely, processes were in place to understand inherent risk and residual risk; however, risk classifications were not formally defined, which made it difficult to establish procedures for inventorying and classifying third parties and performing continuous monitoring. For the focus of this ‘Our Thoughts On’ article, we will be analyzing the current state and desired state of the third-party acquisition and continuous monitoring steps in the TPRM lifecycle.
As part of the due diligence process, university procurement spearheaded a process to evaluate new potential third parties. This due diligence process included assessments to understand the inherent and residual risk that a new third party possessed based on questions around operational, financial, and data security. Procurement was responsible for assessing the operational and financial risk, while IT was responsible for assessing data security; each assessment was given a score, which in turn allowed procurement and IT to make informed decisions on whether to continue or terminate the acquisition process. Once this initial assessment was performed, and if the university decided to move forward, the legal department was involved to draft a contract to engage with the third party.
The university’s acquisition process had all of the basic tools to make informed decisions about potential third parties. However, procurement was unilaterally responsible for assessing potential third parties based on their initial responses to operational and financial questionnaires, and similarly, IT was unilaterally responsible for assessing data security. We recommended that a TPRM committee be formed that included members from procurement, IT, accounting, and legal to ensure a shared responsibility model. Additionally, the TPRM committee should define criteria to establish the level of inherent and residual risk that the university is comfortable with (i.e., its risk appetite or tolerance) to provide the departments with agreed-upon metrics to use when deciding to engage with a new third party.
After accepting a third party, and based on the operational, financial, and data security assessments performed, the university should use agreed-upon risk classifications (i.e., critical, high, medium, low), as determined by the TPRM committee, to apply a risk classification to a third party. Also, a criticality assessment should be performed to determine the impact that a third party may have on university operations if third-party operations were to cease and there was no alternative third party to support the role that was being performed. Criticality assessments may bump low-risk third parties to a higher category based on the services that they provide.
Assigning third parties to risk classifications allows organizations to define the frequency and depth at which operational, financial, and data security assessments need to be performed on an ongoing basis. The TPRM committee should design the frequency and depth of review for existing third parties based on its risk appetite and bandwidth to perform these tasks. For example, a university may decide to perform annual and complete data security assessments for a third party classified as critical. On the other hand, universities may only perform bi-annual data security assessments that contain a subset of the questions for third parties classified as medium or low.
The Schneider Downs IT Risk Advisory team works as a consultant to create formal TPRM frameworks for organizations to follow. By using our experience in the third-party space with Global Systemically Important Banks (G-SIBs), healthcare institutions, energy conglomerates, retail, and higher educational institutions, we provide scalable TPRM processes that allow organizations to streamline their process and improve their overall risk posture.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.