Third-party compliance basics

By Chris Els • June 26, 2024

The term forensic refers to the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence (as from a crime scene).

Third-party process forensics looks to discover legitimate partnerships, their process practices and industry compliance to protect everyone in the shared supply chain.

PURPOSE

Regulatory compliance is motivated by the following four objectives:

  1. Quality
  2. Health
  3. Safety
  4. Continuity

In all countries, regulators manage corporate compliance referencing over 30,000 global industry standards.

COMPLIANCE

Compliance can be industry and community specific, or focus on general protection such as quality, health, and safety. Compliance also has a place to protect individual rights, data security, data privacy and environmental sustainability.

More than 47,000 global listed companies invest in formal ESG policy and GRC certification compliance. However, less than 25% of third parties and their subcontractors serving these organisations invest in compliance and other measures to protect themselves and their clients. That means risk is ever present.

ECONOMIC DRIVERS

Economic drivers such as time, cost and corporate success have resulted in the creation of industry and ethical institutions tasked to identify and promote process improvements, production quality, health, safety and extended economic and universal sustainability.

TYPES OF SUPPLY CHAIN

There are 3 types of Supply Chain, 2 of which are often overlooked in the measure of risk protection.

  1. Physical Supply Chain
    (Procurement and Logistics)
  2. Data Supply Chain
    (Data Integration, Security and Privacy)
  3. Security Platform Chain
    (Data centres, infrastructure, and software solutions in the supply chain)

The 3 types of supply chain are interdependent. Risk of disruption comes from the following threats:

  1. NATURAL DISASTER
  2. HUMAN NEGLIGENCE
  3. MALICIOUS INTENT
  4. CYBER CRIME

Cyber Crime is a magnification of Malicious Intent and Human Negligence. A multibillion-dollar industry offers a range of options to combat cybercrime/ransomware. Organisations need to balance effective protection with operational performance, and within the constraints of limited budgets.

Data Supply Chains are initiated by compliant enterprises that are motivated to share their supply chain opportunities with smaller downstream specialist suppliers. These downstream subcontractors are likely not regulated, and 75% will not invest in or maintain the compliance program required to secure consumer trust in delivered services and products. Unregulated suppliers can provide easy access to upstream corporate information systems, which increases the likelihood of data loss and the threat to business continuity.

Around 300,000 new pieces of malware are created daily to target individuals and organizations. From exploiting human error to launching sophisticated assaults capable of bypassing even the strongest security systems, cyberattacks can come in various forms. The five most common cyberattacks that wreak havoc include phishing (85% of all reported attacks), ransomware, malware, data breach and Distributed Denial of Service (DDoS).

Malware originating or passing through supplier network systems will directly impact verified and unverified touch points. Effective Third-Party Risk Management (TPRM) requires significant time and resources. You need to accurately identify who your vendors are. The inventory should be kept up-to-date and extend to fourth parties (your third-party vendor’s vendors). iTracker makes it easy to identify your vendor inventory.

FUNCTIONS THAT BENEFIT FROM COMPLIANCE

Information Security

Vendor Management

Business Continuity

Manufacturing

Internal Audit

Procurement

Supply Chain

Operations

People

R & D

Compliance is not restricted to statutory regulations and industry standards. Organisations ensure they focus on behaviours and processes in the interest of all stakeholders. Internal audit teams work with specialist line-of-business executives to document measurable corporate policies for ongoing review and improvement.

Nearly one billion email accounts were exposed in 2021. That is 1 in 5 internet users affected by data breaches each year, and in most cases those breaches give cyber criminals access to the operational systems and information of the users' employers.

FACT: Your data will be breached, often.

You need to protect your organisation, your partners, and your community. For business continuity you need tested recovery plans for when your data is breached.

Before you can put the above in place, you need to know who has access to your data and information. Knowing how far down your supply chain goes is not a simple task. Gaps soon open up in complex service level agreements; what might be considered secondary responsibilities become detached from priority dependencies, and soon enough fourth-level providers in a supply chain become a vulnerable entry point for attackers to reach all the way up to the prize data at the top of the data chain.
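The two points made above (the vendor inventory that must extend to fourth parties, and fourth-level providers becoming an entry point to the data at the top of the chain) reduce to a graph problem. The following added example, which is not P3 Audit's code and not the iTracker product mentioned earlier, walks a constructed vendor inventory to assign each supplier its tier, lists the suppliers whose compliance attestation has failed or was never collected, and traces each one back to the direct third parties through which it enters the chain. Every vendor name, relationship and attestation record in it is invented for the example.

```python
"""Map an nth-party supply chain from a vendor inventory and flag unverified
touch points.  Added example, not P3 Audit's code or the iTracker product.
All vendor names, relationships and attestation records are constructed."""
from collections import deque

ROOT = "OurCo"  # the organisation at the top of the data chain (constructed)

# upstream -> downstream relationships, as a vendor inventory would record them
# (constructed sample; the entries under OurCo are its direct third parties)
VENDOR_EDGES = {
    "OurCo": ["PayrollCo", "CloudHost"],
    "PayrollCo": ["PrintMail Ltd", "DataCleanse"],
    "CloudHost": ["DataCleanse", "BackupVault"],
    "DataCleanse": ["OffshoreDev"],
    "PrintMail Ltd": [],
    "BackupVault": ["OffshoreDev"],
    "OffshoreDev": [],
}

# latest compliance attestation on file: True = current, False = failed/expired.
# A vendor with no record at all has never been assessed (constructed sample).
ATTESTATION = {
    "PayrollCo": True,
    "CloudHost": True,
    "DataCleanse": True,
    "PrintMail Ltd": False,
    "BackupVault": False,
}


def map_supply_chain(root, edges):
    """Breadth-first walk from root. Returns {vendor: tier}, where tier 1 is a
    third party, tier 2 a fourth party, and so on; BFS records the shortest
    tier at which each vendor is reached."""
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, tier = queue.popleft()
        for child in edges.get(node, []):
            if child not in tiers and child != root:
                tiers[child] = tier + 1
                queue.append((child, tier + 1))
    return tiers


def unverified_touchpoints(tiers, attestation):
    """Every vendor in the mapped chain without a current attestation, as
    (vendor, tier, reason) ordered nearest tier first. A missing record is
    treated as a gap, not as a pass."""
    gaps = []
    for vendor, tier in tiers.items():
        status = attestation.get(vendor)
        if status is not True:
            gaps.append((vendor, tier, "missing" if status is None else "failed"))
    return sorted(gaps, key=lambda g: (g[1], g[0]))


def exposure_paths(root, edges, target, _path=None):
    """All routes from root down to target, so a deep unverified vendor can be
    traced back to each direct third party that brings it into the chain."""
    path = (_path or []) + [root]
    if root == target:
        return [path]
    routes = []
    for child in edges.get(root, []):
        if child not in path:  # an inventory recorded with a cycle must not loop forever
            routes.extend(exposure_paths(child, edges, target, path))
    return routes


if __name__ == "__main__":
    tiers = map_supply_chain(ROOT, VENDOR_EDGES)
    for vendor, tier, reason in unverified_touchpoints(tiers, ATTESTATION):
        print(f"tier {tier}: {vendor} (attestation {reason})")
        for route in exposure_paths(ROOT, VENDOR_EDGES, vendor):
            print("    via " + " -> ".join(route[1:]))
```

Treating a missing attestation record as a gap rather than a pass reflects the point made earlier that most downstream subcontractors have never invested in a compliance program; the path trace is what turns a tier-3 finding into a conversation with the specific tier-1 contract owner who introduced that supplier.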

Discovery is a legal forensic term, and it strikes me as odd that many turn to technology to apply assumptions and arrive at possible conclusions about risk. Following a trail of factual certainty can point one to a far more obvious and predictable cause, and assist with preparing for disruption in whatever form it presents itself. Sophisticated algorithms will inevitably guide an enquiring mind back to what already exists and can link your data supply chain upstream and downstream.
