Customers in the throes of maturing their third-party risk management program often ask us, “What’s next?” Whether it is standing up a new program, expanding your existing program’s footprint, or replacing an outmoded competitive tool, having a plan is essential. If the old maxim, “A failure to plan is a plan to fail” is true, then you must begin every third-party risk management program with an end-state in mind. This could include:
In our 15 years working with thousands of customers and vendors, we’ve devised the following 6-step strategy for achieving complete third-party risk management. Be sure to download the full best practices guide, which details the 6 steps, discusses how to measure your maturity level, and provides a checklist of best-practice features to look for in a solution. Below is a summary of the 6 steps.
There are several decisions that must be made prior to kicking off a third-party risk management program. Key decisions to make at this step include:
As you begin to engage TPRM providers, make sure they have the flexibility to deliver both types of questionnaires, so you aren’t locked into a single, rigid questionnaire, and that they offer multiple collection methods to accommodate your business. Read the best practices guide for a full accounting of these attributes.
Once you’ve decided how to tier your vendors and selected questionnaire content, the next step to comprehensive third-party risk management is to begin monitoring the cyber and business risks of those vendors. Periodic assessments are essential to understanding how vendors govern their information security and data privacy programs at a point in time, but it is a lengthy process to send surveys out to vendors and wait for them to submit completed content and evidence. Plus, you’re likely only assessing vendors yearly, and a lot can happen to a vendor in the year between assessments! Use this monitoring to inform your tiering decisions and to get immediate insights into your hands, so you can make better decisions as your internal controls assessments start coming in. The best practices guide reviews what to monitor.
The next step toward third-party risk management program maturity is evidence collection and due diligence review on submitted answers. As mentioned in Step 1, collection and due diligence review can take many forms:
Each approach has its pros and cons which we review in the best practices guide.
You’re at the point where you have completed (and perhaps validated) questionnaires and evidence, and now need to analyze and score all of that evidence so you can prioritize risk mitigation activity (discussed in the next step). Analysis tends to be a resource-draining exercise: checking red flags in documentation, reviewing contextual comments, and accounting for variations in the services each vendor provides versus the risks they pose. The best approach to analyzing and scoring is to first centralize results into a risk and compliance register. Then, have flexibility in how you weight those risks – for example, on a 5x5 matrix of likelihood and impact – since not all risks are created equal. Read more in the best practices guide.
Remember the vendor tiering we discussed in Step 1 (plus how it’s informed by scanning in Step 2) and the risk register we covered in Step 4? Those attributes will be extremely important during this step and will help you dynamically categorize vendors based on risk levels and criticality to the business. They will also enable bi-directional remediation workflow and document management on the risk register. The key here is to look for capabilities that demonstrate how risk levels can change over time once recommended remediations are applied. That will be very important to the auditors.
It ain’t over until the auditor says so! One of the ways to speed compliance reporting is to gain visibility into each vendor’s level of compliance. Start by establishing a compliance “pass” percentage threshold against a risk category (e.g., X% compliant against a particular framework or guideline). All reporting will tie back to that percent-compliant rating and your team can focus on subareas where compliance pass rates are low. And since it isn’t *just* about compliance reporting, look for cybersecurity reporting capabilities in your chosen solution as well – areas like trending risk over time, risks per business impact area, highest risks by vendor, etc. The best practices guide details this.
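The following is an added example, not code from Prevalent or its platform, showing in Python how Steps 4 through 6 fit together on a small risk register: findings are scored on a 5x5 likelihood-by-impact matrix, weighted by vendor tier, prioritized for remediation, and rolled up into a percent-compliant rating per vendor and framework that is compared against a pass threshold. A remediation is then applied so the before/after change in risk level can be shown. The vendor names, framework labels, tier weights and rating bands are all constructed for the example; substitute your own matrix and thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    """One assessed control for one vendor, as a row in the risk register."""
    vendor: str
    tier: int          # 1 = most critical to the business, 3 = least
    control: str
    framework: str     # constructed label for the framework the control maps to
    likelihood: int    # 1..5 on the 5x5 matrix
    impact: int        # 1..5 on the 5x5 matrix
    compliant: bool    # did the submitted evidence satisfy the control?


# Constructed sample register (two vendors, two frameworks).
REGISTER = [
    Finding("Acme Payroll", 1, "MFA on admin accounts", "ISO27001", 4, 5, False),
    Finding("Acme Payroll", 1, "Encryption at rest", "ISO27001", 2, 5, True),
    Finding("Acme Payroll", 1, "Annual pen test", "ISO27001", 3, 3, False),
    Finding("Acme Payroll", 1, "Breach notification clause", "GDPR", 2, 4, True),
    Finding("Bean Coffee Co", 3, "MFA on admin accounts", "ISO27001", 4, 2, False),
    Finding("Bean Coffee Co", 3, "Encryption at rest", "ISO27001", 2, 2, True),
    Finding("Bean Coffee Co", 3, "Annual pen test", "ISO27001", 3, 1, True),
    Finding("Bean Coffee Co", 3, "Breach notification clause", "GDPR", 2, 2, True),
]

# Assumed tier weighting: the same matrix cell counts more for a tier-1 vendor.
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 0.5}


def matrix_score(f: Finding) -> int:
    """Raw 5x5 cell value: likelihood times impact, 1..25."""
    return f.likelihood * f.impact


def rating(score: int) -> str:
    """Map a matrix score to a band. Band edges are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def weighted_score(f: Finding) -> float:
    """Matrix score scaled by the vendor's tier weight (Step 1 tiering feeds Step 4)."""
    return matrix_score(f) * TIER_WEIGHT[f.tier]


def prioritized(register):
    """Open (non-compliant) findings, highest weighted score first: the Step 5 work list."""
    open_items = [f for f in register if not f.compliant]
    return sorted(open_items, key=weighted_score, reverse=True)


def compliance_pass_rate(register):
    """Percent of controls passed, keyed by (vendor, framework): the Step 6 rating."""
    totals = defaultdict(lambda: [0, 0])  # [passed, assessed]
    for f in register:
        t = totals[(f.vendor, f.framework)]
        t[0] += int(f.compliant)
        t[1] += 1
    return {k: round(100 * passed / n, 1) for k, (passed, n) in totals.items()}


def below_threshold(register, threshold_pct):
    """(vendor, framework) pairs whose pass rate is under the chosen threshold."""
    rates = compliance_pass_rate(register)
    return sorted(k for k, r in rates.items() if r < threshold_pct)


def remediate(register, vendor, control, new_likelihood):
    """Return a new register with one finding remediated: likelihood lowered and
    marked compliant. The original list is left untouched so the before/after
    trend can be reported, which is what auditors will ask to see."""
    out = []
    for f in register:
        if f.vendor == vendor and f.control == control:
            f = replace(f, likelihood=new_likelihood, compliant=True)
        out.append(f)
    return out


if __name__ == "__main__":
    for f in prioritized(REGISTER):
        print(f"{f.vendor:15} {f.control:28} {rating(matrix_score(f)):9} weighted={weighted_score(f)}")
    print("below 80% pass rate:", below_threshold(REGISTER, 80))
    fixed = remediate(REGISTER, "Acme Payroll", "MFA on admin accounts", 1)
    print("after remediation:", compliance_pass_rate(fixed)[("Acme Payroll", "ISO27001")])
```

Running the block lists the three open findings with the tier-1 vendor's MFA gap at the top, flags both vendors' ISO27001 pass rates as under the 80% threshold, and shows Acme Payroll's ISO27001 rating rising from 33.3% to 66.7% once that single finding is remediated, with its band dropping from "critical" to "medium".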
In this post, Prevalent has explained what an enterprise TPRM deployment looks like and described key features to look for during the solution evaluation process. Prevalent is the epitome of a complete third-party risk management solution, offering a holistic, automated TPRM program unified by a single, easy-to-use platform. If you would like to learn more about how to construct your complete third-party risk management strategy, check out our best practices guide.