I’ve learned some valuable lessons over the course of 20 years working in cybersecurity, data privacy, audit, compliance and consulting. For instance, when rolling out the third-party risk management (TPRM) program at a Fortune 10 healthcare company, I discovered how critical it is to anticipate the needs of program auditors and examiners.
In fact, simplifying compliance initiatives has been a major driver behind every TPRM program I’ve been involved with, and I’ve had to navigate many hurdles along the way. Here are five of the biggest TPRM compliance pitfalls I’ve encountered, plus some advice on how overcome them.
Gathering documented evidence of controls, processes and procedures is at the heart of all compliance audits. However, when working with clients, I often find their documentation to be outdated, obsolete, and/or inconsistent with current regulations and best practices. In many cases, there is no indication of ownership, review or signoff – and evidence of required tools and techniques often isn’t appended to existing procedures. What’s worse, much of the documentation I’ve reviewed is not written well enough for new team members to take ownership when necessary.
Most TPRM programs do their best to follow regulatory requirements and industry standards, but many are out of alignment with corporate or organizational policies and standards. Examples include:
Going outside approved corporate policies exposes your organization to unnecessary risk and could result in your project not receiving the funding it needs to be successful.
Failing to measure progress toward risk objectives will slow the audit process. Take an honest look at your existing metrics. For instance, are they:
One major challenges for new TPRM programs is getting a handle on who their vendors and suppliers are. Some may be managed by the IT security team, while others are handled by procurement or another department. Not having an authoritative vendor list can bog down your TPRM project. That’s why it’s important to determine who owns and maintains your organization’s vendor inventory “Book of Record.”
Ensure your TPRM policy documentation either reflects your group’s ownership or references the owner’s policy. Also, periodically sync up with any teams involved in maintaining vendor inventories, such as sourcing/procurement, business owners, legal and (as a last resort) accounts payable.
Too many TPRM programs operate in reactive mode and are constantly on their heels. This is a culmination of the previous four compliance mistakes, where programs lack documentation, policies, metrics and/or a central vendor inventory. Taking a more proactive approach to TPRM compliance will streamline your operations, enable you to update documentation as changes are made, and open the lines of communication with stakeholders around metrics and other program needs.
Here are four tips for taking a more proactive approach to TPRM compliance:
Your TPRM solution should enable you (and your vendors) to upload documentation, policies, evidence, etc. to centralized vendor profiles. It should also be able to scan documentation for keywords to determine evidence suitability. If a scan reports a low level of adherence, then your TPRM solution should enable you to automatically request additional or updated documentation from the vendor.
When establishing or refining your third-party risk management program, consider formalizing the following:
Each of these items is critical to building a comprehensive TPRM program plan that can withstand auditor scrutiny.
KPI/KRI areas to consider include:
Prevalent has a KPI/KRI eBook that enumerates 25 of the most important metrics that you should consider in your TPRM program.
Your TPRM solution should enable you to create a vendor inventory by either uploading a spreadsheet containing profile information or using an API connection to an existing procurement or accounts payable solution. As you onboard third parties into your central inventory, build profiles that include demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, recent regulatory findings, and financial performance. Having this information in a single location will make all other TPRM processes immensely easier.
For more tips on strengthening your TPRM program and improving your readiness for the next audit, check out my on-demand webinar with Prevalent, The Top Third-Party Risk Management Compliance Mistakes.