Third-Party Risk Assessment Explained

Why Are Third-Party Risk Assessments Essential?

Recent years have seen several major disruptions that greatly affected businesses and their supply chains, including events such as the war in Ukraine, the COVID-19 pandemic, the SolarWinds data breach, the blockage of the Suez Canal, and a semiconductor shortage. These disruptions have caused operational difficulties, financial losses, and legal consequences for many organizations. Despite the unpredictability of these events, organizations with robust third-party risk management (TPRM) programs were often able to lessen their impact.

By implementing a robust third-party risk assessment process, your organization can build a deep understanding of your third-party supply chain and holistically assess hard-to-find risks such as concentration risk and fourth-party ESG and reputational risk. This strengthens your resilience during crises, while enabling you to make intelligent, informed business decisions about the risk posed by engaging new vendors.

What Are The Different Categories of Third-Party Risk?

When working with third parties, there are three main types of risks to consider: profiled risk, inherent risk and residual risk. These risk types inform the level of depth your assessment process should take and the remediation actions you should require from vendors based on their information security and business practices.

• Profiled Risk is the risk that a third party poses to your organization based on externally observable information such as their location, industry, usage of fourth parties, ownership, or basic ESG policies. Third parties with operations in a geo politically unstable region, or one that leverages several third parties of their own may deserve additional scrutiny during the third-party risk assessment process.

• Inherent Risk is the risk that a third party poses based on their internal controls and business practices. For example, an organization that will access your customer data and has been third-party audited and verified to be in compliance with GDPR may have a lower inherent risk score than an organization without a formalized information security or data privacy program.

• Residual Risk is the level of risk that remains after the vendor has implemented your organization's requirements or if they have implemented the appropriate compensating controls. Residual risk is sometimes referred to as “acceptable risk” when an organization has decided to accept remaining risks associated with the third party.

It's important to consider these three types of risks when assessing and managing third parties, in order to effectively identify, mitigate and manage the potential hazards that they may pose to your organization.

How Do You Score Third-Party Risks?

Assessing third-party risk involves calculating risk scores that account for the likelihood of an event occurring and the potential impact of that event. For instance, consider a vendor that provides services to a hospital and handles large amounts of protected health information (PHI) but is not compliant with the Health Insurance Portability and Accountability Act (HIPAA).

In this case, the vendor would be classified as a business associate and would be subject to the same regulatory requirements as the healthcare provider. The impact in this scenario would be significant, potentially resulting in fines for both the healthcare provider and the business associate. The likelihood of non-compliance being discovered by regulators would also be high. This would represent an unacceptable risk for any healthcare organization and would likely result in the termination of the contract.

This example emphasizes the significance of conducting extensive third-party risk assessments, particularly for organizations that handle large amounts of sensitive data, such as government contractors and healthcare providers. In many situations, regulations like HIPAA hold the primary organization accountable for non-compliance by their vendors, making it crucial for organizations to properly evaluate and mitigate the risks associated with their third-party relationships.

Third-Party Risk Assessment Steps

1. Assemble Internal Stakeholders

The most successful third-party risk assessment programs involve input and/or participation from stakeholders representing multiple roles with different priorities. Understanding these priorities can help streamline your program and ensure that key steps aren’t being missed or overlooked. By assembling a cross-functional team to plan and guide your assessment program, you can help to ensure organizational adoption and long-term success.

2. Define Your Acceptable Level of Residual Risk

It is important to understand that even with the best efforts, some level of risk will always be present when working with third parties. Before assessing potential partners, you need to establish what level of risk is acceptable for your organization. This will help in making vendor selection and risk management more efficient and uniform. This method can also help you quickly identify third parties that may not align with your business objectives and risk tolerance.

3. Build Your Third-Party Risk Assessment Process

To effectively manage third-party risk, it is important to have a standardized process in place. However, the risk assessment process may vary depending on the third party, their level of criticality to your supply chain, access to sensitive data, and susceptibility to continuity events. For example, third parties with high criticality and potential risk will require more thorough due diligence than those with lower risk. Having a structured process in place will enable your program to operate more efficiently and help you make better, risk-based decisions about your third-party relationships.

Starting with an internal profiling and tiering assessment can help to categorize your vendors and map out the type, scope and frequency of assessment required for each group.

4. Send Third-Party Risk Assessment Questionnaires

To effectively manage third-party risk, it's important to gather information about the vendor's internal controls. One way to do this is by sending out questionnaires. These questionnaires can cover a wide range of topics such as information security practices, compliance requirements, financial stability, and fourth- and Nth-party supplier data.

When choosing questionnaires for primary risk assessments, companies must decide whether to use an industry-standard questionnaire or create their own. Standardized questionnaires like the Standard Information Gathering (SIG) questionnaire, the H-ISAC questionnaire for healthcare organizations, and the Prevalent Compliance Framework (PCF) questionnaire are widely accepted and familiar to most vendors and suppliers. However, if a third party already has an information security certification such as CMMC or SOC 2, it may be accepted in lieu of requiring an assessment response. Alternatively, you may supplement them with proprietary and/or ad-hoc assessments to gather information about specific controls or potential risks outside of cybersecurity.

Another option is to use frameworks when designing vendor assessment questionnaires. Frameworks like the NIST Cybersecurity Framework, ISO 27001, and NIST 800-30 can help ensure that questionnaires are standard across the supply chain and reflect best practices. Additionally, if specific regulations like the GDPR or PCI apply, it may be beneficial to incorporate questions related to those standards directly into the program.

5. Complement Assessments with Continuous Risk Monitoring

Cybersecurity vulnerabilities, supply chain challenges, and compliance requirements evolve on a continual basis. Therefore, be sure to conduct continuous risk monitoring to catch any cyber, business, financial or reputational risks that arise between your periodic vendor assessments. You can also use risk data to verify that a third party's assessment responses are consistent with their real-world business activities.

Vendor Data Breaches, Exposed Credentials and Other Cyber Risks

In today's constantly evolving cyber landscape, organizations must proactively monitor external cybersecurity risks across their vendor ecosystem rather than take a one-off approach to assessing vendor risk. Potential risks to keep an eye out for include:

• Credential exposures

• Confirmed data breaches and incidents

• Misconfigured web applications and vulnerabilities

• Typosquatting and other brand threats.

For more information on identifying these and other risks, refer to our post on Cyber Supply Chain Risk Management (C-SCRM) Best Practices.

Third-Party Finances, Business Practices and Reputation

In addition to cybersecurity risks, it's also crucial to monitor suppliers' financial stability, business practices and reputation. Financial failure, operational disruptions or negative press can have significant implications for your business, as well as environmental, social and governance (ESG) challenges such as modern slavery, bribery/corruption, and consumer protection issues. To mitigate these risks, research suppliers' business practices, raw material sourcing, and other key processes that could pose reputational or ethical concerns. Additionally, request reference customers and partners to gain further insight into the third party's ability to meet SLAs and other contractual obligations.

Selecting a Monitoring Strategy

When building a monitoring program, it's important to have a comprehensive and efficient strategy in place. Many companies leverage automated vendor threat monitoring software for risk identification and scoring. This can help organizations efficiently gather intelligence from a variety of sources, such as open-source intelligence.

6. Categorize and Remediate Risks

When assessing third-party risks, it's important to categorize them as either acceptable or unacceptable. Unacceptable risks will need to be addressed before working with the vendor. Remediating these risks can take various forms, such as requiring a security certification like SOC 2, ending relationships with fourth- and Nth-party vendors, or changing business practices that could lead to supply chain or other disruptions.

Having a defined incident response strategy in place is also crucial in the event of a data breach or other disruption caused by a vendor. With a pre-established plan, you can significantly speed response time and minimize the impact on your organization.

How to Start a Third-Party Risk Assessment Program

Many companies make the mistake of using a combination of email and spreadsheets when launching an assessment program. This manual approach can be time-consuming and difficult to manage, especially when working with a large number of vendors. It also often results in limited and unreliable data.

To launch an effective assessment program, it's recommended to consider using a vendor intelligence network, which offers access to a library of vendor risk reports based on standardized assessment data. Another option is to use an automated third-party risk assessment solution, which allows for greater customization and control over the assessment process. Alternatively, if a more hands-off approach is preferred, a managed service provider can conduct assessments on your behalf.

Next Steps

Prevalent offers third-party risk assessment solutions and services as part of our comprehensive third-party risk management platform. To discuss your specific needs with a Prevalent expert, request a personalized demo today.