Why TPRM is a Pain and What You Can Do About It

Third-Party Risk: Coming at You from All Angles

Your organization likely gets more done today, with fewer internal employees, than ever before. This is thanks in large part to the support of external vendors, suppliers, service providers and other third parties. Of course, while outsourcing brings clear benefits, it can also present immense risk to your business.

A Well-Trodden Path for Breaches … and Regulations

It’s no secret that each third party you work with increases your exposure to data and privacy breaches. Every day, companies across all industries discover this the hard way, including GE, Marriott, Target, Sprint, and LabCorp to name just a few. The result? Lost customers, fines, penalties, credit monitoring fees – you name it. And as more third-party breaches are announced by their victims, more regulations are introduced by industry and government watchdogs. CCPA, GDPR, CMMC and several other regulations specifically call for third-party risk assessment and/or monitoring.

The Pandemic Raises New Questions

As if data, privacy and compliance challenges weren’t enough to keep you up at night, the coronavirus pandemic has laid bare supply chain exposures to natural disasters and other (sometimes unforeseen) disruptions in unprecedented ways. It’s forcing all businesses to absorb and adjust to the new reality of remote workforces, emergency mandates, health risks, supply breakdowns and other hurdles. How are your third-party partners managing this, and what impact is it having on your business? What’s the potential fallout to come? What policies and procedures do they have in place to handle the next challenge?

So, with businesses becoming increasingly outsourced and virtual, and the global environment becoming increasingly uncertain, how can you foresee and manage third-party risk with any level of confidence?

Third-Party Risk Management (TPRM) Can Be Painful

Doing It the Hard Way

In the past, most organizations took a manual approach to third-party risk management. It was chaotic, bloody, hand-to-hand combat. Armed only with spreadsheets, assessors had to barrage vendors and suppliers with questionnaires and then chase down their responses. While this was bad for the assessors, it was even worse for the vendors having to field these requests -- and answer the same questions from different customers; over, and over, and over. No wonder 34% of companies say it takes over a month to complete an assessment of a top-tier vendor.

Unfortunately, a recent study found that 50% of companies are stuck in the past, still relying solely on spreadsheets to manage their auditing and controls. With most enterprises working with hundreds of vendors, it would take an army of assessors using manual methods to gather third-party risk data that is complete, current or useful in any way.

Did It the Hard Way, but There’s More to Do

And that’s just the collection problem. Say you’re able to get responses from your most critical vendors. What do you do with the data? How do score, prioritize and remediate the risks? How do you know if the responses are even accurate? Are they consistent with historical data? Do they correlate with one another? Do they correlate with what vendor exposures are already out in the wild (e.g., known data breaches, customer data on the dark web, legal actions, fines, etc.)? Are you prepared to answer these questions when the board, regulators, and all the other people who haunt your dreams come knocking? It’s stressing us out just to write this!

So, maybe you managed to collect risk data from your vendors, report it to everyone who matters, and actually do something about it. It’s not over. Everything is changing all the time. Vendors come and go. How they handle your data changes. New cyberattacks and new security exposures surface every day. Your intelligence is already outdated. You’re going to need to do this on a regular basis.

What About Bob?

On the other hand, you may be thinking, “I don’t need to worry about this stuff. That’s [Bob] in [IT]’s problem.” By all means, send this over to Bob, but third-party risk is a challenge for several departments in most organizations. And ownership can vary, depending on who you ask. 37% of companies say information security owns it, 22% say IT, 14% say risk management, 9% say vendor management, and 6% say legal/compliance. With so many departments involved, who really owns the problem? How do you align everyone to make substantive progress in identifying and reducing vendor risk?

We Get It: TPRM Isn’t Fun

In a perfect world, we wouldn’t have to worry about the “baggage” of third-party risk. Information systems would be bulletproof and seamless. Vendor staff would be robotic and loyal. Criminals and enemy states wouldn’t exist. Everyone would be friends.

It’s not a perfect world. You clearly need your vendors to get business done, but you need to be smart and aware of the risk at the same time. The reality is that vendor ecosystems are organic and unpredictable, as is the global environment. That makes third-party risk management particularly painful. At times it’s chaotic, and at other times it’s just a grind.

That’s why Prevalent exists. We’re here to make third-party risk management a lot less painful and a lot more productive.

The Prevalent Approach to TPRM

Prevalent is here to revolutionize how you address the risks of an increasingly interconnected, interdependent and unpredictable world. Every day, we are transforming how our customers view, manage and govern their third-party relationships. We do this by delivering community networks, services and products that enable businesses to better reveal, interpret and reduce third-party risk.

Networks: Delivering Instant Access to Vendor Risk Intelligence

Our customers have access to a vast trove of on-demand risk intelligence for over 10,000 vendors. These libraries leverage the power of the Prevalent community to deliver historical and real-time insights into both cyber and business risks from over 567,000 sources. With Prevalent Vendor Risk Networks, our customers quickly scale their TPRM programs with instant access to vendor risk scores and supporting reports. For those vendors who aren’t yet in the networks, Prevalent will complete new assessments upon customer request. We’re also building new, self-service capabilities into our platforms, enabling vendors to complete and submit self-assessments that they can easily share with their own customers.

Services: Doing the Hard Work of TPRM for You

At Prevalent, we’ve been helping customers to identify, understand and reduce third-party risk for over 15 years. We started as a team of consultants willing to ask vendors tough questions on behalf of clients. Today, that team has grown into a full-service department of researchers, auditors and customer success professionals dedicated to freeing our customers of the burdensome aspects of third-party risk management. We can handle everything from onboarding vendors and conducting assessments, to identifying risks and tracking remediation. You skip the hard work and get the intelligence and reports you need to focus on vendor strategy and overall risk reduction.

Products: Unifying Vendor Management, Assessment and Monitoring

Our customers are equipped with the most automated and intelligent third-party risk management platform available today. The Prevalent Third-Party Risk Management Platform unifies vendor management, risk assessment and threat monitoring to deliver a 360-degree view of risk. The platform makes it easy to onboard vendors; assess them against standardized and custom questionnaires; correlate the assessments with external threat data; reveal, prioritize and report on the risk; and facilitate the remediation process. Customers can use the platform either for their own, self-managed TPRM initiatives or in collaboration with our services team.

Get On the Path to TPRM Maturity

Regardless of where you are today, Prevalent can help you build a third-party risk management program with unmatched visibility, efficiency and scale. We’ll work with you to find a mix of managed services, network membership and/or TPRM platform access that works best for your organization. You’ll gain a fast time to value, be equipped to make intelligence-driven decisions, and measurably reduce vendor-related risk – all with fewer headaches for you and your team.

Here are just a few examples of what our customers have achieved:

• One of the world’s largest pharmaceutical companies cut 550 hours from their assessments, saved tens-of-thousands of dollars on outsourcing, and redirected people and funds to more strategic risk management projects.
• One of the world’s top-ten insurance companies reduced their time onboarding vendors and performing assessments by 50%.
• A U.S. top-20 insurance company increased annual vendor assessments by 233%, without adding staff.

Overall, Prevalent customers have reported an 80% average reduction in vendor onboarding time, 5x scalability in assessing vendors using our platform, and 8x scalability in assessing vendors via managed services.

Third-party risk management doesn’t have to be a never-ending, soul-crushing march to nowhere. Discover what Prevalent can do for you. Request a demo today.