São Paulo/SP, 2/2/2023 – The risk management and compliance process must cover the company as a whole: every employee and every process, including third parties.
*By Eduardo Camolez
The risk management and compliance process must take in the company as a whole, covering all employees and processes. Today more and more third parties take part in the value chain, and that makes risk management considerably harder.
Some regulators, such as BACEN (the Central Bank of Brazil), require contracting companies to assess the risks posed by third parties that provide services considered critical to the business, and to report the results of those assessments to BACEN.
Another aspect of great concern to top management is the risk of a leak of sensitive data. However many controls the company itself has implemented, if a third party uses sensitive data collected by the company while providing its services and that data is leaked, the company can be held jointly and severally liable under the LGPD (Lei Geral de Proteção de Dados, Brazil's General Data Protection Law).
The risk assessment or third-party audit process may be based on a number of internationally accepted frameworks, such as ISO 27001, COBIT (Control Objectives for Information and related Technology) and the CIS Controls (Center for Internet Security), or on more specific ones, such as the Pix Security Manual issued by BACEN.
There is no single framework that must be used for a company's risk management process. In general, each company has its own risk analysis methodology, adapted to its own reality and taking into account factors such as its market niche, the laws and regulations that apply to it, seasonality, and so on. The same applies to third-party risk management.
The assessment itself can be carried out in several ways. One option is a self-assessment: the risk management area prepares a questionnaire and sends it to the third party, which answers it and supplies evidence of the controls it has implemented. Because a self-assessment only captures what the third party chooses to report, it is usually combined with evidence review, and for critical services with an on-site visit, where the assessors interview the managers responsible for the controls and verify their execution in person. The level of scrutiny can also be calibrated: whether a single piece of evidence per control is considered sufficient, or whether the assessment examines the effectiveness of the control itself by analysing a sample of evidence.
The outputs of this work are a risk index, which the company's risk management methodology classifies as acceptable or not (in the latter case the contract with the assessed third party may even be terminated), and an action plan agreed with the third party to raise the maturity of its information security environment.
Eduardo Camolez, partner and GRC leader at Safeway, says: “It is important to bear in mind that management does not end at this point; it is necessary to maintain constant contact with the third party in order to follow the progress of the action plan's implementation. At this point, support can also be offered in defining controls and establishing information security best practices.”
Finally, Camolez advises: “It is essential to create and maintain an audit plan and periodically revisit third-party controls, according to the criticality of the services provided and the risk assessed.”
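To make the effect of the scrutiny level concrete, the following Python sketch is an added illustration (not part of the original article and not Safeway's methodology). It scores one constructed third-party questionnaire twice: once accepting a single piece of evidence per control, and once using the pass rate over a sample of evidence, then applies an acceptability threshold and a re-audit interval that depend on the criticality of the service, in the spirit of the audit plan described above. Control names, weights, thresholds and review intervals are all assumed values chosen for the example.

```python
"""Third-party risk index at two levels of scrutiny.

Illustrative scoring model (assumed for this example). Each assessed control has
a weight reflecting its relevance to the contracted service, a 'design' check
(one piece of evidence accepted, as in a questionnaire self-assessment) and,
when scrutiny is raised, a sample of evidence items that each passed or failed.
"""
from dataclasses import dataclass, field


@dataclass
class ControlResult:
    name: str
    weight: int                  # 1 (low) .. 5 (high) relevance to the service
    design_evidence_ok: bool     # one piece of evidence supplied and accepted
    sample_results: list[bool] = field(default_factory=list)  # evidence sample


def control_effectiveness(c: ControlResult, scrutiny: str) -> float:
    """Effectiveness of one control, 0.0 .. 1.0.

    scrutiny="design":    a single accepted evidence item counts as fully effective.
    scrutiny="operating": effectiveness is the pass rate over the evidence sample.
                          A control that was selected for sampling but for which the
                          third party produced no sample is treated as not evidenced.
    """
    if scrutiny == "design":
        return 1.0 if c.design_evidence_ok else 0.0
    if scrutiny == "operating":
        if not c.design_evidence_ok or not c.sample_results:
            return 0.0
        return sum(c.sample_results) / len(c.sample_results)
    raise ValueError(f"unknown scrutiny level: {scrutiny!r}")


def risk_index(controls: list[ControlResult], scrutiny: str = "operating") -> float:
    """Weighted share (0..100) of control weight that is NOT effectively implemented."""
    total = sum(c.weight for c in controls)
    if total == 0:
        raise ValueError("no controls assessed")
    gap = sum(c.weight * (1.0 - control_effectiveness(c, scrutiny)) for c in controls)
    return round(100.0 * gap / total, 1)


# Acceptability threshold and routine re-audit cadence per service criticality.
# Assumed values; a real methodology sets these from its own risk appetite.
THRESHOLDS = {"critical": 15.0, "important": 30.0, "low": 50.0}
REVIEW_MONTHS = {"critical": 6, "important": 12, "low": 24}


def decide(index: float, service_criticality: str) -> dict:
    """Accept/reject the index and schedule the next review for this service."""
    limit = THRESHOLDS[service_criticality]
    accepted = index <= limit
    months = REVIEW_MONTHS[service_criticality]
    if not accepted:
        # Unacceptable result: agree an action plan and revisit the controls sooner.
        months = max(3, months // 2)
    return {"accepted": accepted, "threshold": limit, "review_in_months": months}


# Constructed sample questionnaire for a provider of a critical payment service.
SAMPLE = [
    ControlResult("access provisioning and revocation", 5, True, [True, True, False, False, True]),
    ControlResult("security logging and monitoring", 4, True, [True, True, True, True]),
    ControlResult("encryption of stored personal data", 5, True, [True, True, True, True, True]),
    ControlResult("incident response procedure", 3, False, []),
    ControlResult("LGPD personal-data inventory", 3, True, []),  # claimed, but no sample produced
]

if __name__ == "__main__":
    for level in ("design", "operating"):
        idx = risk_index(SAMPLE, level)
        print(f"{level:>9} scrutiny: risk index {idx:5.1f} -> {decide(idx, 'critical')}")
```

On this constructed input the design-only pass yields an index of 15.0, just inside the assumed threshold for a critical service, while sampling the evidence raises it to 40.0 and rejects the result: two controls that looked fine on a single evidence item turn out to be partially or not at all demonstrated in operation. That gap between design and operating effectiveness is exactly what calibrating the level of scrutiny is meant to surface.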
Safeway is an information security company, recognized by its customers for delivering high value-added solutions through information security projects that fully meet the needs of the business. Over the years we have proudly accumulated many successful projects that have earned us credibility and prominence among our clients, who largely come from the 100 largest companies in Brazil.
Let's make the world a safer place to live and do business!