Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

The 5 Building Blocks of Third-Party Risk Management

To build a third-party risk management (TPRM) program and move it to greater levels of maturity, you must do these 5 things.
Brenda Ferraro
Vice President of Third-Party Risk
December 05, 2019
Blog building blocks dec 2019

I’ve spent the better part of the last 15 years working as a practitioner in third-party risk management, as well as consulting with hundreds of customers across all industries to help them build their TPRM programs. What I’ve learned along the way is that there are five building blocks that comprise the foundation of a successful TPRM program. Each block is successive, meaning you can progress from the bottom-up to reach your ultimate goal of a transparent, efficient and scalable program.

Here’s an overview of the TPRM building blocks and why they are important.

1. Understand

What you understand about your existing third-party risk management program informs how you make very important decisions, and where to begin the program for that matter. Start by understanding your vendor universe to determine your vendor portfolio risk landscape. What vendors do you have?

2. Classify

Next, organize data in categories to inform proper risk tiering. I’ve found that many companies don’t have a formalized classification model in place – sometimes even the larger and more mature companies lack this. Without a classification model, you won’t be able to tier your vendors or determine which type of due diligence to apply. To properly classify your vendors, start with identifying what is the most critical data needing the most due diligence – and work down from there. And remember, the size of the vendor doesn’t always dictate the level of due diligence. Small mom-and-pops might mean greater risk depending on the types of data they handle.

3. Stratify

Once you have classified your vendors based on the data they handle, identify additional key risk factors such as engagement scope, location of service, volume of data, service type, etc. for proper risk due diligence. Survey internal teams to identify what type of engagement the vendor is doing, what kind of hosting is in place, what type of content is exposed.

4. Standardize

Here, finally, you begin to measure vendor responses against control standards. Once risk is observed via threat intelligence or questionnaire responses, determine risk tolerance based on your company’s Key Controls (e.g., must-haves) to make well-informed, risk-based decisions. At this stage, you configure the way you conduct proper due diligence. And remember, you don’t have to pursue risk remediation for all risks; if the organization believes risks are within acceptable levels of risk tolerance you can instead focus on the outliers.

5. Act

Up to this point you have made decisions on who your vendors are; classification and stratification based on the data they handle and other attributes; and what risk tolerance you’re willing to accept. This final building block is where risk disposition happens. Determine if your organization requires the vendor to have compensating controls in place, or if you enforce a risk mitigation program to reduce risks to an acceptable level.

Will these building blocks address 100% of your third-party risk management requirements? Probably not. However, this is a solid starting point for addressing the critical areas that organizations tend to side-step in their haste to build TPRM programs.

Prevalent can help

Prevalent delivers the industry’s only purpose-built, unified third-party risk management platform. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, and a network of standard shared assessments for organizations to gain a 360-degree view of vendors to simplify compliance, reduce risks, and improve efficiency. Plus, Prevalent offers customers expert advisory services optimize and scale their risk management programs.

Why not begin with a maturity assessment? Prevalent can help you determine where you are in the development of your program and provide a roadmap to greater levels of maturity. Contact us today.

Leadership brenda ferraro 2
Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo