In a recent interview for a technical blog, I mentioned that I heard keynote speaker former U.S. Attorney General John Ashcroft (at the 2016 Securities Industry and Financial Markets Association’s (SIFMA) Internal Auditors Society conference) reference that organizations should prepare to adopt what he called “anticipatory compliance.” This concept involves outsourcers being able to demonstrate that they are actively anticipating, studying and acting on perceived threats (cyber and otherwise) both internally and with their outsourced business partners. Over the years I’ve advised organizations to heed this advice and, in further reviewing the increasing regulatory landscape here and abroad, I’d like to further recommend the adoption of what I’ve termed “participatory compliance” particularly when it comes to managing outsourced relationships with your key business partners.
Participatory compliance means that not only should your organization adopt the concept of anticipatory compliance, but you should also actively participate in anticipatory compliance activities to monitor the vendor’s resiliency to business disruption events.
It’s important to note that with an ever-changing threat landscape, participatory compliance goes beyond performing periodic risk reassessments and even continuous monitoring of your critical vendors and business units. The vendor must demonstrate its ability to continue to support the vital outsourced business processes in the event of disruptions. Business resiliency should be demonstrated for the many flavors in which disruptions come, such as cyber threats and manmade or natural disturbances. The reason for actively scrutinizing vendor resiliency is that far too often I’ve seen organizations perform a simple due diligence activity (usually a one-time risk assessment) and then not put forth the effort to monitor their overall security, privacy and resiliency posture on an ongoing and even continuous basis. For instance, in the U.S., financial regulators clearly mandate:
- Continuous monitoring of vendors to ensure the vendor is actively addressing and working with the outsourcer to anticipate perceived threats, outages, etc.; and
- Both the outsourcer and vendor perform (and document) “plausible and realistic” testing.
Additionally, U.S. regulators overseeing multiple industries have alluded to the fact that they’re ready to tip the scales by requiring organizations to document evidence of their participation in cyber and business resiliency drills with their key vendors. This is where participatory compliance comes into play.
So, what exactly does this mean for your organization?
You should inquire with your organization’s business units and business continuity teams to understand their resiliency strategies around critical processes, especially those that involve key vendors. Key vendors are those that have been identified during the risk evaluation as supporting your organization’s most critical business processes (i.e., the ones that can mean catastrophic losses to your organization in revenue, market or reputation). The resiliency strategies should include: a schedule for testing critical processes and activities and the exercises that the teams will go through; a list of who will participate; pre-determined remediation measures (to the extent feasible); and what reporting will be provided and to whom.
If you have any role in third party risk or ensuring compliance to business continuity or cyber activities, it is recommended that you request the option to participate in those resiliency activities. You should at least have the ability to passively “monitor” or review the results of their activities once they’re complete.
Benefits of Participatory Compliance
Understanding the benefits in applying participatory compliance to your organization will provide you with a view of the pleasant dividends that can be reaped from this approach.
First, participatory compliance allows you to liaise more closely with the business unit and the vendor. This closer relationship management provides a better understanding of what the business process is, the data involved, where the processing is taking place, and whether the vendor is up to the task of supporting them in the event of a disruption and can hit key metrics for resiliency, such as hitting Recovery Process Objectives (RPOs) or Recovery Time Objectives (RTOs). By better understanding the critical processes and the activities involved, and then applying this knowledge in a more focused assessment, you gain greater value enterprise-wide from your ongoing assessments of the business unit-vendor relationship.
Second, by allowing a “separate set of eyes” to witness the exercise, you gain the opportunity to add value to the business unit and the vendor that may reach beyond the limits of the information that lies within internal audit’s purview. Historically, both outsourcers and vendors have had the tendency to be hesitant in openly sharing such items with internal audit; however, they may be more open to share such results with vendor assessment teams, often soliciting advice for remediation or assurance that their activities are within the risk control tolerances defined by the outsourcer.
And finally, if there were any continuity or recovery issues identified through a previous assessment, participatory compliance allows the business unit (and assessment staff) to gain a new opportunity to track the progress of and close out open issues or observations that may have been encountered during a recent assessment.
The concept of participatory compliance is really nothing new; it simply needs to be more actively embraced and better defined within outsourcer and vendor policies and procedures. By embracing, promoting and performing participatory compliance activities, your organization is placed in a better light with regulators and other external assessment bodies. Participatory compliance also demonstrates to your board of directors and relevant C-suites your willingness and openness to work with key business units and vendors in addressing your organization’s ongoing concern regarding cyber and other business resiliency threats.
