I’ve spent the better part of the last 15 years working as a practitioner in third-party risk management, as well as consulting with hundreds of customers across all industries to help them build their TPRM programs. What I’ve learned along the way is that there are five building blocks that comprise the foundation of a successful TPRM program. Each block is successive, meaning you can progress from the bottom-up to reach your ultimate goal of a transparent, efficient and scalable program.
Here’s an overview of the TPRM building blocks and why they are important.
What you understand about your existing third-party risk management program informs how you make very important decisions, and where to begin the program for that matter. Start by understanding your vendor universe to determine your vendor portfolio risk landscape. What vendors do you have?
Next, organize data in categories to inform proper risk tiering. I’ve found that many companies don’t have a formalized classification model in place – sometimes even the larger and more mature companies lack this. Without a classification model, you won’t be able to tier your vendors or determine which type of due diligence to apply. To properly classify your vendors, start with identifying what is the most critical data needing the most due diligence – and work down from there. And remember, the size of the vendor doesn’t always dictate the level of due diligence. Small mom-and-pops might mean greater risk depending on the types of data they handle.
Once you have classified your vendors based on the data they handle, identify additional key risk factors such as engagement scope, location of service, volume of data, service type, etc. for proper risk due diligence. Survey internal teams to identify what type of engagement the vendor is doing, what kind of hosting is in place, what type of content is exposed.
Here, finally, you begin to measure vendor responses against control standards. Once risk is observed via threat intelligence or questionnaire responses, determine risk tolerance based on your company’s Key Controls (e.g., must-haves) to make well-informed, risk-based decisions. At this stage, you configure the way you conduct proper due diligence. And remember, you don’t have to pursue risk remediation for all risks; if the organization believes risks are within acceptable levels of risk tolerance you can instead focus on the outliers.
Up to this point you have made decisions on who your vendors are; classification and stratification based on the data they handle and other attributes; and what risk tolerance you’re willing to accept. This final building block is where risk disposition happens. Determine if your organization requires the vendor to have compensating controls in place, or if you enforce a risk mitigation program to reduce risks to an acceptable level.
Will these building blocks address 100% of your third-party risk management requirements? Probably not. However, this is a solid starting point for addressing the critical areas that organizations tend to side-step in their haste to build TPRM programs.
Prevalent delivers the industry’s only purpose-built, unified third-party risk management platform. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, and a network of standard shared assessments for organizations to gain a 360-degree view of vendors to simplify compliance, reduce risks, and improve efficiency. Plus, Prevalent offers customers expert advisory services optimize and scale their risk management programs.
Why not begin with a maturity assessment? Prevalent can help you determine where you are in the development of your program and provide a roadmap to greater levels of maturity. Contact us today.