Third-Party Risk Governance: Crawl, Walk, Run… No, just Run!

September 13th, 2017 by Brenda Ferraro

As I type the words of my very first blog, the weight of writing a blog worthy of your reading is heavy on my mind. You may have seen my name or watched one of my presentations where I hoped to influence companies to move away from compliance checklists to adopting shareable third-party assessment techniques.

Yet this blog isn’t about me. It’s about how third-party risk continues to crawl towards an economic approach across all industries.

My passion in life and career is to help companies resolve the snail’s pace of evolution from the vast frameworks and methodologies used across the globe to a standardized third-party risk governance using a flexible model for all companies, large and small. We all know that third-party governance is supposed to minimize risk in a fast-paced, changing cyber landscape. It is beyond my comprehension why companies fail to understand that identifying and managing risk is necessary to minimize risk, especially when we allow third parties to handle our most sensitive data.

Then we have fourth, fifth and Nth parties that work with our third parties and are also handling our data, with or without a proper risk assessment. I know, I know, there are contracts in place, but who is making sure the contracts are in force? Some of you – maybe. All of you – not so much. To minimize risk, you must first identify and then manage the risk. There is absolutely no way around it.

I learned how to interpret and evangelize creating new techniques, develop talent, and implement tool automation with two decades of skill building from prominent Chief Security Officers (CSOs), mentors, and peers (those individuals are: EA, RE, DL, JR, GG, RE, MS, KS, JW). I would be doing them an injustice if I failed to share with you what I have learned.

Therefore, let’s begin with one of my favorite topics: healthy risk governance requires a company to take a calculated risk and ‘Run’. Run, by way of removing the minutiae of proprietary questionnaires and compliance checklists. Using proprietary questionnaires and checklists is considered ‘crawling’ and wastes valuable time repeatedly asking the same due diligence questions. Crawling towards an economic approach to third-party risk opens us up to missing the mark on company control standards that must be evaluated.

Realization of the need to ‘Run’ requires us to adopt a new way of thinking, a fundamental shift towards questionnaire shareability and overlap, where more and more companies re-use published questionnaires and documentation (evidence) available on an exchange repository. This topic alone, running towards an economic approach, won’t satisfy the hunger for third-party risk governance, yet it will give a taste of what is to come.

To be at the front of the race to minimize risk is to run towards a better sharing solution, a faster way to identify and remediate risk, and ultimately build a stronger third-party risk governance ecosystem.

We will have to wait for the next blog to dive into the enormous amount of money that evaporates between companies and their third parties, diverting focus away from risk identification and mitigation. I dream of a world where we share information once, update information when risks are remediated, and when threats or regulatory requirements surface the ecosystem immediately obtains information to understand the vulnerabilities for mitigation.

I look forward to writing more blogs about the prescriptive approach to building a better, faster, stronger third-party risk governance ecosystem and I’d love to hear your thoughts on the topic. Send me a message with my blog title in the subject line to and come back next month as I plan to tackle the do’s and don’ts of risk scoring.