TSPs: Making the Case to Invest in Risk and Resiliency

Posted on: September 12, 2022
Author: Lauren Kornutick

Full Frame Shot Of Modern BuildingTechnology has evolved rapidly in the past 20 years. It connects us across digital platforms, automates low-value repetitive tasks, and allows us to have better insights into the world around us. Metaphorically speaking, technology is the backbone of our digital world

Technology and data service providers (TSPs) have become critical contributors in the successful operations of every organization. Think about it: if your technology or data warehouse were to fail, could you continue running your most critical business services? If you experienced a data breach, could your organization survive the reputational damage and loss of consumer confidence? Are you able to respond to and manage all of the SLAs (service-level agreements) that you’re required to adhere to contractually? 

But as much as technology has evolved, the regulatory climate that provides guardrails has not quite caught up. Yes, there are some aspects of technology and data protection that fall within the parameters of privacy and cybersecurity laws. There are also some digital platforms that provide information and serve as a digital meeting place or marketplace that are subject to regulations on content. There are even emerging regulatory requirements on the horizon such as the Digital Operational Resilience Act (DORA) that will extend regulatory reach to some technology and data service providers. But even if these rules do not apply to all technology firms, it makes solid business sense to plan for this eventuality. Even if it is difficult to use that regulatory hammer to secure funding for budget to purchase technology, this should not stop a progressive organization from using effective risk management disciplines to run their programs and serve their customers. Or, as so well articulated by the great British writer C. S. Lewis, “Integrity is doing the right thing, even when no one is watching.”

Investing in Risk and Resiliency is the Right Thing to Do

Many corporations have defined their corporate values centering around doing business with compliance, trust, or ethics and integrity as a core value. Closely tied to those values are programs that enhance an organization’s operational risk management, compliance, and governance procedures; ESG (environmental, social, and governance); and reputation and perception in the market. A recent study by OCEG indicates that operational risk programs are viewed as unnecessary overhead by business units. So, how do you tie back the value of your program to the company’s bottom line? According to research performed by Ethisphere’s Ethics Index, “the listed 2022 World’s Most Ethical Companies honorees outperformed a comparable index of large-cap companies by 24.6 percentage points from January 2017 to January 2022.” This is the return on resilience: by investing in risk and compliance programs that are tied to your core value of trust, you’re better able to sense, prevent, detect, and respond to the risks that are developing in the world around you.

Lead with a Top-Down and Bottom-Up Approach

Operational resilience – like cybersecurity and corporate compliance – is everyone’s responsibility. Many of our own customers have said that having a “tone at the top” from leadership is critical to get their business team’s buy-in, as no one really wants to take a time out to work on their continuity plans or risk mitigation strategy.

To help you build the business case for investing in best practices for operational resilience, top-down and bottom-up approaches should be used within the organization. Top-down approaches ensure that the organization is taking the necessary steps to advance maturity, ensure that everyone receives the same message about resilience policy and procedures, and instill a culture of integrity within the organization. A bottom-up approach occurs when teams are issue spotting via speaking up about issues that they are encountering, control testing, or remediating audit findings. To have a holistic view and ensure that everyone is engaged and enabled for operational resilience, teams should be encouraging two-way communication between the leadership team who is accountable for governance and the team members who are responsible for execution.

Supply Chain Ecosystem

Technology firms that do business in the supply chain ecosystem of highly regulated entities must respond to RFP (request for proposal) requests understanding their back-end IT security, disaster recovery, compliance, and privacy programs. Organizations that have already made the investment in developing robust policies and procedures or worked toward their ISO IT security, business continuity, and risk management certifications are able to prove to their customers that they care about mitigating risk. Having these programs makes it more likely to get through the RFP process without customer requests for program improvement and pass customer audit requirements after initial onboarding.

Contractual Obligations

Closely related to being viewed as a better partner are the many contractual obligations that can be imposed upon your organization. A contractual obligation is a legal obligation that must be fulfilled in exchange for goods or services and covers payment, delivery, and quality. Here are some examples of instances that may arise in the contracting process:  

  • Your customer may ask you to meet a specific SLA in the event of a data breach so that they can activate their incident management processes 
  • Your customer may be subject to third-party outsourcing requirements by their own regulators, like the European Banking Authority’s Outsourcing Requirements, and they may ask to sign an addendum  
  • Your customer may ask you to sign contractual language stating that you will provide ESGrelated data because they have chosen to monitor their supply chain’s emissions, diversity, or governance  
  • Your customer may impose audit requirements on you to determine whether your security and continuity controls are operating as expected and in accordance with their risk management policies  

In all cases, having already made the investment in your risk and resiliency program will make it easier to say that you can agree to the terms that your customer is trying to impose upon you, get the customer the data they are asking for, or at least give you a good basis for which to negotiate more favorable terms.   

Ability to Procure Cyber Insurance

According to an article in Insurance Business America, the cyber insurance market started to harden in 2020 after a surge in ransomware events. This means that insurance underwriters are re-evaluating how they rate cyber insurance to maintain profitability because the amount of claims they are paying has increased. The underwriting process is also becoming more onerous for insureds as questionnaires related to basic cyber hygiene and risk management programs have become more detailed. Having a robust resiliency program can help you prove to your insurance carriers that you are going beyond basic program management, making it more palatable for the carrier to offer you higher limits or lower rates.   

The Regulatory Landscape is Always Changing

Remember, the only constant in resiliency is change. It is critical to keep your eye on what regulators are pushing down the pipe. While your organization may not be subject to direct regulatory scrutiny today, regulatory changes could carve you into some or all of the requirements that financial services providers are subject to.   

How Can Fusion Help?  

It is critical to leverage technology to gain insight into your organizations risk frameworks and compensating controls that your customers care about.  

Using Fusion with our new partner UCF, you can import risk frameworks and other authority documents and their corresponding control objectives and controls with a push of a button.   

Fusion’s solutions serve as a data hub for risk and resiliency, enabling you to:  

  • Leverage key indicators to continuously track the most important risk and performance metrics 
  • Surface key metrics for the vendors which are most critical to your operational landscape
  • Deploy incident management to direct teams’ responses to incidents 
  • Meet your customers requirements on scenario testing and other obligations  

For more information on Fusion’s solutions, contact your Account Manager or request a demo today!