A senior GRC, Data Protection and Cyber Security Manager at Avanade UK & Ireland, Onur Korucu will be speaking exclusively at PrivSec Focus: Third-Party Risk next week.
Livestreaming on Tuesday April 26, PrivSec Focus: Third-Party Risk brings industry experts together to examine the crucial role that third-party risk management (TPRM) plays as third-party networks expand to meet the needs of the global business community.
An effective TPRM programme can reduce the likelihood of a cybersecurity incident, lower exposure to legal liability and safeguard a brand’s reputation. But managing third-party risk is increasingly challenging.
Onur Korucu will be among the experts speaking at PrivSec Focus: Third-Party Risk. Onur is an information security, compliance, and privacy professional focused mainly on the information security and data protection aspects of emerging technologies.
In addition to her technical engineering degree and MSc degree, she has an LL.M in Information and Technology Law and completed a Business Analytics executive education programme at the University of Cambridge.
We spoke with Onur to hear about her professional journey so far, and her thoughts on the reliability of third-party risk assessment questionnaires and the role they play in reducing risk exposure.
Can you briefly outline your career pathway?
“I work as a Sr. GRC, Data Protection and Cyber Security Manager at Avanade UK & Ireland. I help organisations to create robust, tailor-made and well-established information security governance structures and data protection practices that mitigate the risks they face in their business-as-usual, and help them comply with the regulatory requirements.
My current position within Avanade gives me the opportunity to work in top-tier technology firms, such as Microsoft and Google. I help them optimise their GRC practices using my previous experience, as well as data analytics and emerging technologies (cloud computing, big data) know-how that I obtained from the University of Cambridge Executive Education.
Following my LL.M degree, I published a book about risk-based global approaches to improve data protection. I am preparing to publish another book on one of the emerging technologies, cloud computing security. I have certifications including CISM, CRISC, CDPSE, ISO 27001 LA, ITIL-F, and Cobit-F.”
Why are questionnaires so important within third-party due diligence programmes?
“As the global marketplace grows increasingly complex and competitive, third-party relationships have become critical to cost reduction, compliance with the regulations, and increasing capability. They can help enhance customer experience, accelerate speed-to-market and protect reputation.
There are a number of factors driving organisations to place increased importance on third-party risk which can be broadly grouped into the following areas: Regulation; Market condition; Reputational impact; Technology; and Overseas providers.
Regulators require organisations to acknowledge the additional risks posed by doing business with an outsourced third party. In order to acknowledge and address the risk properly, a third-party risk assessment must be completed on each vendor and on the product or service the vendor will provide.
Strong governance is required for confidence in your extended control environment, particularly with heightened regulatory expectations.”
What are the main challenges that exist when businesses entering into third-party relationships rely on questionnaires?
“Third-party relationships carry key risks that may have a significant impact on your business operations. More organisations are utilising third parties to achieve their strategic objectives, to increase efficiency and cost savings by shifting non-core or specialised functions to more experienced providers.
Managing third party risks end-to-end is complex and presents several challenges, which are as follows:
- Increased regulatory expectations: Regulations are increasingly more onerous and wider in scope, encompassing all types of third parties, intra-group arrangements, and cloud service providers.
- Cross-organisational complex operating model: A decentralised model brings inconsistent risk decisions, creating a disconnect between procurement, risk functions, IT department, and the second line.
- Technology and data: Lack of automation, creating a reliance on overly manual processes.”
What opportunities exist for improving the strength of questionnaires and lowering risk exposure?
“Companies can reduce their overall third-party risk profile by embedding third-party risk management practices in all levels of the organisation, including:
- Moving from having no formal governance over third parties and taking risks for short-term benefits, to a more intelligent risk-based approach that is better aligned with your enterprise strategy.
- Evolving from having employees with little training to trained professionals and executive champions that align service delivery to strategic objectives.
- Developing standardized processes and proactive decision making using analytics.
- Creating fully customized, value add tools that support decision making.
Managing third-party risk is an ongoing process. It’s about prevention rather than reaction.
Analysing the internal dynamics of companies and corporate culture trends that may pose risks is only possible with tailor-made questionnaires.
There are tremendous benefits to be gained from embracing the extended enterprise, and indeed today’s competitive business environment demands it. Strong governance must go hand-in-hand, mitigating risk while enhancing rewards, and positively impacting your reputation and bottom line.”
Don’t miss Onur Korucu speaking live at PrivSec Focus: Third-Party Risk, where she participates in the panel debate: “Can You Rely On Third-Party Risk Assessment Questionnaires?”
Also on the panel:
Guilherme Campion Tovar, CIPP/E, Data Privacy Specialist, Mercado Libre
Panel debate time: 11:00-11:50 AM BST
Date: Tuesday 26th April 2022