The Top 5 Third-Party Risk Management Compliance Mistakes

Prepare your organization for the next TPRM audit by learning from these common mistakes.
Tom Garrubba
Director of TPRM Services, Echelon Risk + Cyber
June 27, 2023

I’ve learned some valuable lessons over the course of 20 years working in cybersecurity, data privacy, audit, compliance and consulting. For instance, when rolling out the third-party risk management (TPRM) program at a Fortune 10 healthcare company, I discovered how critical it is to anticipate the needs of program auditors and examiners.

In fact, simplifying compliance initiatives has been a major driver behind every TPRM program I’ve been involved with, and I’ve had to navigate many hurdles along the way. Here are five of the biggest TPRM compliance pitfalls I’ve encountered, plus some advice on how to overcome them.

Common TPRM Compliance Mistakes

1. Lack of Documentation

Gathering documented evidence of controls, processes and procedures is at the heart of all compliance audits. However, when working with clients, I often find their documentation to be outdated, obsolete, and/or inconsistent with current regulations and best practices. In many cases, there is no indication of ownership, review or signoff – and evidence of required tools and techniques often isn’t appended to existing procedures. What’s worse, much of the documentation I’ve reviewed is not written well enough for new team members to take ownership when necessary.

2. Ignorance of Corporate Policies and Standards

Most TPRM programs do their best to follow regulatory requirements and industry standards, but many are out of alignment with corporate or organizational policies and standards. Examples include:

  • Forgoing background checks for new vendors or suppliers (e.g., reviewing recent breaches, financial status, operational issues, etc.)
  • Not establishing connectivity standards based on data sensitivity (e.g., when to allow access through VPNs or via secure gateways)
  • Failing to wall off “No Go” zones, or areas in the network that should be segregated (e.g., through privileged access)
  • Using non-approved contracts when buyers “go rogue”
  • Bypassing the TPRM process altogether to get a new vendor onboarded ASAP

Going outside approved corporate policies exposes your organization to unnecessary risk and could result in your project not receiving the funding it needs to be successful.

3. Lack of Meaningful Metrics

Failing to measure progress toward risk objectives will slow the audit process. Take an honest look at your existing metrics. For instance, are they:

  • Accurately reporting on business and vendor risks?
  • Uncovering potential data and information adjustments?
  • Representative of the true assessment environment?
  • Providing relevant, contextual risk reporting to management and key business units?
  • Providing support and value to all stakeholders?

4. No Centralized Vendor Inventory

One major challenge for new TPRM programs is getting a handle on who their vendors and suppliers are. Some may be managed by the IT security team, while others are handled by procurement or another department. Not having an authoritative vendor list can bog down your TPRM project. That’s why it’s important to determine who owns and maintains your organization’s vendor inventory “Book of Record.”

Ensure your TPRM policy documentation either reflects your group’s ownership or references the owner’s policy. Also, periodically sync up with any teams involved in maintaining vendor inventories, such as sourcing/procurement, business owners, legal and (as a last resort) accounts payable.

5. Always in Reactive Mode

Too many TPRM programs operate in reactive mode and are constantly on their heels. This is a culmination of the previous four compliance mistakes, where programs lack documentation, policies, metrics and/or a central vendor inventory. Taking a more proactive approach to TPRM compliance will streamline your operations, enable you to update documentation as changes are made, and open the lines of communication with stakeholders around metrics and other program needs.

Watch the Webinar

Join Tom Garrubba, Director of Third Party Risk Management Services at Echelon Risk + Cyber, as he dissects practitioners' top TPRM compliance mistakes in their programs.

How to Avoid TPRM Compliance Mistakes

Here are four tips for taking a more proactive approach to TPRM compliance:

1. Centralize vendor and supplier documentation for attestation and review

Your TPRM solution should enable you (and your vendors) to upload documentation, policies, evidence, etc. to centralized vendor profiles. It should also be able to scan documentation for keywords to determine evidence suitability. If a scan reports a low level of adherence, then your TPRM solution should enable you to automatically request additional or updated documentation from the vendor.

2. Build and reinforce enterprise-wide vendor sourcing, selection and evaluation measures

When establishing or refining your third-party risk management program, consider formalizing the following:

  • Governing policies, standards, systems and processes to protect systems and data
  • Roles and responsibilities (e.g., RACI) of all team members involved
  • Third-party inventories to understand the scale and scope of vendor involvement
  • Third-party classification and categorization approaches
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Key performance indicators (KPIs) and key risk indicators (KRIs) to measure your program and third parties
  • Compliance and contractual reporting requirements
  • Incident response processes
  • Internal stakeholder reporting for management and the Board
  • Risk mitigation and remediation strategies

Each of these items is critical to building a comprehensive TPRM program plan that can withstand auditor scrutiny.

3. Identify meaningful metrics

KPI/KRI areas to consider include:

  • Risk metrics that help you understand the risk of doing business with a vendor or supplier (e.g., their adherence to controls)
  • Threat metrics provided by open-source threat intelligence providers that add context to the business environment
  • Compliance metrics to understand performance against commitments
  • Coverage metrics to determine if you have coverage of your vendor or supplier base

Prevalent has a KPI/KRI eBook that enumerates 25 of the most important metrics that you should consider in your TPRM program.

4. Build a central vendor inventory

Your TPRM solution should enable you to create a vendor inventory by either uploading a spreadsheet containing profile information or using an API connection to an existing procurement or accounts payable solution. As you onboard third parties into your central inventory, build profiles that include demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, recent regulatory findings, and financial performance. Having this information in a single location will make all other TPRM processes immensely easier.
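As an added illustration of tips 3 and 4 together (this is example code, not from the post and not Prevalent's or Echelon's own tooling), the script below merges constructed per-department vendor lists into one book-of-record inventory, de-duplicating on a normalised name, and then computes a coverage KPI per criticality tier plus three KRIs: overdue assessments, vendors over the risk tolerance, and records with no accountable owner. The tier names, assessment cadences, the 70-point threshold, the reference date and every vendor record are assumptions chosen for the example.

```python
"""Added example (not from the original post): build a central vendor
inventory from per-department lists and compute a few of the coverage and
risk KPIs/KRIs the post recommends. All vendor records, tier names,
cadences and thresholds below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed re-assessment cadence per criticality tier, in days.
ASSESSMENT_CADENCE_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 1095}


@dataclass(frozen=True)
class Vendor:
    name: str
    owner: str                     # business owner of the relationship ("" = unknown)
    tier: str                      # criticality tier, drives assessment cadence
    last_assessed: Optional[date]  # None = never assessed
    risk_score: int                # 0-100, higher is riskier (assumed scale)


def merge_inventories(*sources):
    """Combine department-level vendor lists into one book of record.

    Vendors are de-duplicated on a normalised name; the first record seen
    wins, so list the authoritative source first.
    """
    seen = {}
    for source in sources:
        for vendor in source:
            key = " ".join(vendor.name.casefold().split())
            seen.setdefault(key, vendor)
    return list(seen.values())


def is_covered(vendor, today):
    """True if the vendor's last assessment is within its tier's cadence."""
    if vendor.last_assessed is None:
        return False
    age_days = (today - vendor.last_assessed).days
    return age_days <= ASSESSMENT_CADENCE_DAYS[vendor.tier]


def coverage_by_tier(vendors, today):
    """Coverage KPI: (covered, total) per criticality tier."""
    totals = {}
    for v in vendors:
        covered, total = totals.get(v.tier, (0, 0))
        totals[v.tier] = (covered + int(is_covered(v, today)), total + 1)
    return totals


def overdue_vendors(vendors, today):
    """KRI: vendors never assessed or past their cadence, most critical first."""
    order = list(ASSESSMENT_CADENCE_DAYS)
    late = [v for v in vendors if not is_covered(v, today)]
    return [v.name for v in sorted(late, key=lambda v: (order.index(v.tier), v.name))]


def above_risk_threshold(vendors, threshold):
    """KRI: vendors whose score meets or exceeds the organisation's tolerance."""
    return sorted(v.name for v in vendors if v.risk_score >= threshold)


def vendors_without_owner(vendors):
    """Gap check: records with no accountable business owner."""
    return sorted(v.name for v in vendors if not v.owner.strip())


# Constructed department lists; note the duplicate spelling of one vendor.
IT_SECURITY_LIST = [
    Vendor("Acme Cloud Hosting", "IT Security", "critical", date(2022, 9, 1), 35),
    Vendor("Analytics SaaS", "Marketing", "high", date(2023, 1, 10), 78),
]
PROCUREMENT_LIST = [
    Vendor("acme  cloud hosting", "Procurement", "critical", None, 50),  # duplicate
    Vendor("Payroll Processor Ltd", "Finance", "critical", date(2021, 12, 15), 62),
    Vendor("Office Supplies Co", "Procurement", "low", None, 10),
]
ACCOUNTS_PAYABLE_LIST = [
    Vendor("Legacy Print Vendor", "", "medium", date(2020, 5, 1), 40),
]

AS_OF = date(2023, 6, 27)  # fixed reference date so results are reproducible


def run_report(today=AS_OF, threshold=70):
    """Build the central inventory and return the KPI/KRI summary."""
    inventory = merge_inventories(IT_SECURITY_LIST, PROCUREMENT_LIST, ACCOUNTS_PAYABLE_LIST)
    return {
        "inventory_size": len(inventory),
        "coverage": coverage_by_tier(inventory, today),
        "overdue": overdue_vendors(inventory, today),
        "high_risk": above_risk_threshold(inventory, threshold),
        "no_owner": vendors_without_owner(inventory),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

The order of the merged sources matters: the IT security list is passed first, so its richer record for the hosting vendor wins over procurement's duplicate, which is exactly the "who owns the book of record" decision from mistake 4 made explicit in code. Swapping in a spreadsheet export or an API pull for the constructed lists does not change the KPI functions.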

Next Steps

For more tips on strengthening your TPRM program and improving your readiness for the next audit, check out my on-demand webinar with Prevalent, The Top Third-Party Risk Management Compliance Mistakes.

Tom Garrubba
Director of TPRM Services, Echelon Risk + Cyber

Tom is an internationally recognized subject matter expert, author, consultant, lecturer, and instructor for the Certified Third-Party Risk Professional and Assessor (CTPRP, CTPRA) programs. He’s an experienced professional with over 20 years of experience in performing and consulting on IT and operational risk, security, privacy, audit, resilience, and compliance in various industries.
