While doing my PhD, I picked up a lot of hours of teaching assistant work. If you’re envisioning young scholars and professors engaged in an intellectually stimulating exchange, a bit like the differential diagnoses in a re-run of House… stop.
Your vision is beautiful, but couldn’t be further from the truth.
The truth is a lot more mundane.
Teaching needs to happen. That is the deliverable.
Learning (which is the aim, ultimately) is the aspiration. But not the deliverable.
Both the teaching and the learning are highly mediated and largely outsourced between layers of decreasingly engaged and more poorly remunerated operatives.
Professors give lectures. Teaching assistants hold seminars and mark essays.
Students strive to attend, write and stay awake through it all.
Between the lecture, the seminar and the corrected essay, hopefully, the student achieves the ultimate aim… you know… of learning something.
But mostly, students try to skip class and dodge assignments. In fact, the excuses that students come up with to get essay extensions or reprieves remain to this day, twenty years on, my favourite part of the experience.
I never quite got ‘the dog ate my homework’ but I got ‘I am in love and can’t concentrate’ (awwww), ‘I was arrested’ (yeah, I know, I had questions too) and the great: ‘I am too busy organising a rave to do my essay’ (followed, implausibly, by ‘would you like to come’) and of course endless dead relatives.
And I was reminded of the litany of increasingly convoluted excuses my students would concoct when I had a conversation with someone this week who was working through a mental roster of acceptable excuses to front-load the fact that they were staring at DORA’s mandates around third party oversight and feeling their brain overheat… a bit like my student the raver on the day after his rave.
They were looking at the work ahead thinking I can’t do this… I won’t do this… can I get ahead of having to do this with a plausible excuse?
The short answer is no.
The longer answer is: you can get away with not doing this particular step. You may not get penalised for the delay or for fudging the paperwork (not getting your DD right or doing your essay are, you understand, symbolically the same for the purposes of this narrative). But will cutting this corner undermine the end game? Probably. And will the excuse matter, if it does? Not. One. Bit.
Let me restate, because repetition is the mother of learning: If you don’t take the necessary steps, the outcome may not be achieved. And if that happens, the quality of your excuses for skipping class and not doing the needful won’t matter one jot.
Neither will it matter that your TA didn’t chase you… or the partners you had outsourced parts of the process (I am back to talking about work now) didn’t pull their weight.
Let me ditch the analogy and make my point even clearer: you need to do your homework and pull back all your delegated accountability when it comes to third party oversight. You need full visibility and control because the excuses don’t cut it any more.
DORA requires financial entities to manage ICT third party risks. That entails doing due diligence, maintaining appropriate records, and testing third party suppliers’ operational capabilities. At this point you are probably thinking: everyone already does that stuff.
And you’re right.
But you will be right the way the professor who gave the lecture was comfortable that someone (i.e. me) would do the seminars and mark the essays – and, not only assess if the students had learned what was covered in the lecture, but also close any gaps in understanding… and while you are at it… close the delta between what was covered in the lecture and what may be covered in the exam.
That, my friends, is a gapingly huge distance. Effectively: teaching is no longer the deliverable. Learning is.
So: yes people are already ‘managing’ third party risk.
Sure they are.
How frequently they test operational resilience capabilities, how far they expect records to be constantly updated, and whether they even bother to ask any questions around outsourcing… and sub-outsourcing… that’s another matter.
Like the professor looks to the TA to do the thing that comes after their bit and the TA expects the students to do their bit after the seminars, we have historically done our bit when it comes to third party oversight and expected everyone else to do the same.
We have expected everyone along the chain to be responsible.
Now we are expected to be responsible for them. And that is a big delta right there.
The professor is now accountable for the TA and the student. The chain looks the same. And yet the professor may have cause to lose sleep over his 358 undergraduates’ understanding of the Platonic forms. Especially as he’s hardly ever met them, and barely remembers their names or levels of knowledge, let alone likelihood of a solid performance on exam day.
The professor always had a duty of care. But, if a student failed an exam, it may look bad in their statistics, but wasn’t exactly the professor’s fault.
The same way that, if an organisation’s suppliers had a double failover like a certain company I know… that left their clients (i.e. me and my team) doing Net Asset Valuations by hand for the longest weekend of my life… then, when the regulator came knocking, we had to demonstrate that we had done the requisite disaster recovery planning before the event… and that our valuations were accurate after the event. And we had. And they were. So it was all largely fine.
Today, this would be a very different conversation.
The double failover would not only be our problem, but also our fault. Because if DR provisions failed, it is the suppliers’ fault for not doing the thing – and it is also your fault for not realising they weren’t doing the thing.
So, sure, some of the things DORA asks for we are doing already. Of course, we have third party oversight already. But what we have, hasn’t specifically entailed me losing sleep over whether my preferred suppliers’ preferred suppliers have
Because DORA doesn’t want you to trust your suppliers to do their thing. It requires you to do simulations and stress testing. It requires you to underwrite their ability to handle major disruption or cyberattack.
In short: when the student goes in to take an exam, you – the professor – need to be confident they are ready. When, in the past, you wouldn’t even know their name.
The equivalence in the corporate setting translates to organisations needing to shift where accountability lies in all of their critical supplier relationships and risk matrices.
Not the paperclip people. But most of the others.
But you knew that, right?
Or maybe you didn’t know that, and maybe the TA responsible for your DORA seminar missed a trick.
What do those third party risk requirements mean in plain English?
Simply: Things that were always your problem, if they went wrong, now will also potentially be your fault, if you haven’t taken enough precautions to identify them as weaknesses and raise the bar of expectation from your suppliers.
And there’s more.
Your existing contracts are probably rendered irrelevant, and you need to re-paper all your relationships with new expectations, SLAs and reporting requirements and new demands for transparency.
You can no longer trust your suppliers to do their thing.
Because if they don’t show up for the lecture, it’s your problem. If they don’t learn at the lecture and they don’t leverage the seminar, it’s your problem.
If the dog eats their homework, it’s your problem.
And the only way to ensure that, even if it is your problem, it’s not your fault, is to know as much as possible about your third party suppliers at all times and keep raising the bar of how you expect them to show up.
I don’t know about you, but I would want to know everything about everything that may affect my business – and even more about the things that may both impact me negatively and get the regulator on my case.
And the equivalence of the benevolent professor who trusted in the process isn’t too stretched. Because now those students whose name you didn’t know, are now your responsibility.
You will have to be in the classroom with them for early warning systems.
You will have to know they are in the library and act if they are not.
And they will have to know that they are monitored and assessed at all times, that your expectations are specific and exacting, and that they can’t tell you the dog ate their homework because, for the first time in a long while, you already know they don’t have a dog.
