How do you manage third-party risks?

Rapule Kgalaki, manager: Governance, Performance, and IT Audits at the Department of International Relations and Cooperations.

---

The maturity levels of IT risk management in South African organisations are generally low, according to Rapule Kgalaki, manager: Governance, Performance, and IT Audits at the Department of International Relations and Cooperations.

Kgalaki says South African corporations have not woken up to the call of digital transformation, which requires them to "think digitally and globally".

Kgalaki will be speaking at ITWeb Governance, Risk & Compliance 2019, to be held on 20 and 21 February at The Forum, in Bryanston, on: 'Outsourcing: governing and managing third parties'.

He highlights the third-party risks facing organisations across most of the major sectors in SA.

Kgalaki explores companies' avoidance of corporate governance or IT governance pertaining to third-party partners and outsourcing services.

"We have observed that most boards have not set the correct tone in the boardroom in terms of dealing with third-party risk management. There is either no interest in identifying or monitoring third parties, or a lack of the skills needed to do so at exco level.

"In addition, over the past five to 10 years or so, we have seen poor risk governance, leadership and discipline, resulting in the breaking down of controls to manage third-party risks in organisations, and excos unable to deal with risk concerns and early warnings raised by assurance providers.

"Most of the organisations' board members do not consider third-party risk when assessing strategic risks, when entering new markets, manufacturing or inventing new products, or making strategic investments. Strategic risks and third-party risks are not consolidated," adds Kgalaki. "There is no oversight."

Next, he cites the lack of key governance documents and the absence of monitoring at network or access level.

"South Africans seem to hate documentation. Most organisations lack security policies, processes or procedures that deal with third-party risks at the access level and mitigate how confidentiality in the organisation is handled."

South Africans seem to hate documentation. Most organisations lack security policies, processes or procedures that deal with third-party risks.

Rapule Kgalaki

He says there is total lack of third-party risk profiles in most South African corporations, and this is due to inadequate skills in the risk management within the organisation.

There is also a failure to independently verify that third parties comply with clients' set security objectives, and a failure to request copies of third-party security policies, processes and procedures.

Finally, there is a lack of properly formulated service level agreements to monitor third-party performance, he notes.

Then, when selecting third-party partners, there is a failure to properly vet them, Kgalaki warns.

"For many years, fake qualifications and bogus companies have ravaged local sectors, irrespective of the size of the organisation. There is just no mechanism to properly vet third parties. This control failure could result in incompetency, and no delivery. In the public sector in particular, foreign agents exploit this loophole by bringing on board spies to steal proprietary data such as intellectual property and patents. This is the biggest concern."

Most organisations do not have proper strategies in place to vet the third-party resources.

Another issue, Kgalaki says, is there is too much reliance on third-party skills and services, as well as a lack of skills transfer programmes.

"Interestingly, there is a culture in SA whereby if risks are transferred, the whole accountability is also transferred to the third party. This is a bad idea; it takes responsibility away from the board."

Companies struggle to formulate skills transfer programmes, he explains. "Too often, these programmes are part of the exit strategy to manage the termination process of the existing third-party contracts."

There's also an issue of non-existent, ineffective or inefficient risk assessment and the inability to integrate emerging risks in the risk management programme.

"Most organisations still struggle with the basics of risk management, both in the public and private sector. In my experience, the failure of risk management arises when risk assessment activities do not identify the critical third-party risks effectively, efficiently and timeously. Or, even worse, nothing happens when a risk assessment is completed and most updated risk registers are not shared with relevant stakeholders. This is often due to the lack of clear communication channels in the organisation."

Inadequate skills are allocated into risk assurance providers, he says, or a poor risk management methodology or model is followed in assessing third-party risks. "The lack of processes in place to deal with the ever-changing environment and emerging risks are neither considered nor incorporated."

Delegates attending Kgalaki's talk can expect a fresh perspective on IT governance and learn how to deal with changing third-party threats effectively.