In today’s interconnected world, third-parties play an important role in your organization’s success, but they can also be its weakest link in terms of risk management.
According to Gartner, 60% of organizations are now working with more than 1,000 third-parties. Despite the added complexities, these relationships are critical to business success – delivering affordable, responsive and scalable solutions that can help organizations to grow and adapt according to the needs of their customers. But as reliance on third-parties grows, so too does the exposure to additional risk.
If we are going to reap the rewards of third-party relationships, then we must also identify, manage and mitigate the risks. A rigorous TPRM program is key to achieving just that, which means effective third-party oversight is more important than ever. So how can you ensure that your third-party risk management (TPRM) processes are ready to face the challenges of our ever-evolving commercial landscape and what practical steps can be taken to improve them?
Third-party risk is more than a checkbox exercise
Often, organizations start thinking about TPRM as a result of compliance drivers. They are facing a wide range of regulatory requirements around data privacy, information security, and cloud hosting. Whatever the motivation, all too often we see this kind of activity treated as little more than checking a box.
Reducing this kind of risk management to an exercise in compliance doesn’t ensure that you address the root causes and underlying risks. In fact, by simply viewing TPRM as a set of minimum requirements, it’s easy to overlook potential risks that could become issues for your organization. It’s particularly true when vendors are viewed in isolation. This can mean that activities aren’t standardized and aligned across an entire organization, creating additional unforeseen risks within your vendors.
Instead, your organization should take a holistic approach. Integrating TPRM with your wider Governance, Risk and Compliance (GRC) can have huge benefits. By embedding your assessment program as part of your wider compliance landscape you won’t just be conducting a one-time vendor audit, you’ll be proactively assessing third-party risks and continuously improving operations, efficiencies and processes to enhance the security of every aspect of your supplier network. You will be able to pass information throughout the business, ensuring that risks are identified and treated on an ongoing basis.
Determining the scope of risk assessments is vital
Many organizations simply don’t have the resources to conduct assessments of all of their third-party providers at a granular level. So, your very first step should be to take an inventory of all of your third-parties, considering who your vendors are and what business functions they support. Then, armed with this information, you can prioritize your analysis. There are three key considerations to provide a structure for your assessment.
Cost is a sensible starting point for most organizations, and often the easiest way to structure your assessment. By looking at the contractual value of each vendor you can then tier them accordingly. Another way of categorizing your vendors is by considering the type of risk they expose your organization to. Consider factors such as geography, technology, and financial risk, then organize your risks based on how likely they are to occur. The most sophisticated approach is criticality which ranks each vendor by assessing which of your critical assets, systems and processes they impact, and what the repercussions of those risks would be to your organization.
Sometimes, there are other factors that might impact whether or not a third-party is included within the scope of your assessment. You may find, for example, that your vendor will not allow you to assess them. That’s often the case if you’re working with big companies like Google, Amazon or Microsoft, who may well be critical to your business success, but who are unlikely to give you bespoke information for your audit.
Alternatively, external factors might dictate the scope of your assessment. Whether it’s a global pandemic like COVID-19 or a major geopolitical event such as the Russia-Ukraine war, organizations will often conduct tactical assessments in order to analyze the impact of their expanded risk profiles.
It’s about quality not quantity
When it comes to crafting your TPRM Question Sets, less is most definitely more. You may be tempted to put together hundreds of questions covering every topic under the sun. But is this going to give you the information you need? And, more importantly, is your busy vendor even going to answer all of your questions?
Another important consideration is to decide just how specific to make your Question Sets. Make them too generic and you may not be able to capture the data you need. But make them too specific to your business and your vendor is going to find it incredibly difficult to provide answers in the detail you are looking for.
At the end of the day, it’s a balancing act – one that means you should keep your Question Sets as targeted as possible. So, rather than sending 200 questions, send 20, but make sure they are well thought through to ensure that they gather the information you need for your risk program. This is where it might be helpful to leverage existing Question Sets such as SCF, SIG and Cyber Risk Institute. Whether they have been provided by consultants or they’re part of an industry standard, this approach will help to ensure you get the data you need.
Practical steps to improve third-party risk management
There are four key actions to consider when it comes to improving a TPRM program.
Understand what’s going well, and what’s not
Conduct a self-assessment of your organization’s TPRM capability and ask key questions such as: what are our strengths? Where are our weaknesses? It’s a good idea to ensure part or all of the assessment is carried out by an external party as they will deliver impartial feedback and highlight potential areas for improvement.
Understand your target state
If you have a vendor-first strategy that leads to a large amount of outsourcing, it’s crucial that you understand your target state for third party due diligence. Have a roadmap that sets out realistic aims and objectives, and how you intend to achieve them. Looking to do too much too soon with your program can cause issues, slow down the progression and can be counter intuitive.
Build partnerships with vendors
Establishing a close relationship with critical vendors is central to the success of any TPRM program. Without partnerships, it becomes increasingly difficult to work toward common goals. Technology can help with monitoring and assessments, but having the ability to pick up the phone and openly discuss and address issues to mitigate any risks…[…] Read more »…