Third-Party Risk Management Considerations for Your GRC Strategy

External Context: Understand the external business context in which the organization operates.

• Analyze the External Context
• Analyze External Stakeholder and Influencer Needs
• Watch the External Context

• Advisory services to help build a flexible, adaptable TPRM program
• Multiple questionnaire options to collect evidence from vendors
• Continuous monitoring of vendors’ cyber and business risks
• Integration with multiple different providers of cyber risk data for broad coverage

Internal Context: Understand the internal business context in which the organization operates.

• Analyze the Internal Context
• Watch the Internal Context

• Flexible weightings to provide the right context to vendor risks
• Map business processes to key controls to manage against

Culture: Understand the existing culture, including how leadership models culture, the organizational climate, and individual mindsets about the governance, assurance, and management of performance, risk, and compliance.

• Analyze Governance Culture
• Analyze Management Culture
• Analyze Risk Culture
• Analyze Ethical Culture
• Analyze Workforce Engagement
• Watch the Culture

Flexible, easy-to-use interface to ensure all levels of the organization benefit from the solution

Stakeholders: Interact with stakeholders to understand expectations, requirements, and perspectives that impact the organization.

• Understand Stakeholders
• Analyze External Stakeholder and Influencer Needs
• Develop Stakeholder Relations Plans

• Stakeholder-specific reporting to ensure needs are met throughout the organization
• Defined process for risk disposition

Direction: Provide direction by establishing clear mission, vision and values statements, high-level objectives, as well as guidance about how decisions will be made.

• Define Mission, Vision, and Values
• Analyze Opportunities, Threats and Requirements
• Define High-Level Goals
• Define Management Boundaries
• Define Decision-Making Criteria

• Centralized vendor inventory
• Categorize or tier vendors based on criticality to the business
• Monitor cyber and business threats from third-parties
• Flexible risk weightings to clarify what is important to the business

Objectives: Define a balanced set of measurable objectives that are consistent with decision-making criteria and appropriate for the established frame of reference

• Apply Decision-Making Criteria
• Develop Additional Decision-Making Criteria
• Consider Cumulative or Competing Effect of Objectives
• Document Objectives

• Identify what risks mean to the business, weight them, score them, and define remediation plans to address risks to an acceptable level
• Service Level target workflow to drive workflow management and timeliness of assessment assurance

Identification: Identify forces that may cause desirable (opportunity) or undesirable (threat) effects on the achievement of objectives, as well as those that may compel the organization to conduct itself in a particular way (requirement).

• Review Capability
• Identify Forces
• Identify Opportunities, Threats and Requirements
• Identify Interrelatedness & Trends

• Advisory services to build achievable milestones and program objectives
• Monitor Concentration Risk and/or risk landscape reduction using data to better understand of single point of failure type vendors vs. overlapping range of similar vendors at different levels of physical and security maturity

Assessment: Analyze current and planned approach to address opportunities, threats and requirements using decision-making criteria with quantitative and qualitative methods.

• Analyze Risk/Reward
• Analyze Compliance
• Prioritize Management of Threats, Opportunities and Requirements

• Measure residual risk after controls are applied and remediations take – with predictive reporting showing reduction in risks
• Regulatory- and framework-specific reporting showing progress to full compliance, with predictive scoring based on completing recommended remediations
• Flexible risk weightings ensure focus on the most important risks to the business
• Combination of cyber business monitoring and qualitative business risk analysis
• Stakeholder-specific reporting to get the right data in the right hands for risk-based decision-making

Design: Develop strategic and tactical plans to achieve the objectives, while addressing uncertainty and acting with integrity, consistent with decision-making criteria.

• Explore Options to Address Requirements
• Explore Options to Address Risk/Reward
• Design Transfer and Risk Financing Strategies
• Determine Planned Residual Risk/Reward and Compliance
• Address Inherently High Risk
• Develop Key Indicators
• Develop the Information Management Structure
• Establish Technology Architecture
• Develop Integrated Plan
• Enable Execution

• Regulatory- and framework-specific reporting measures level of compliance, with the ability to show how that changes with the application of recommended remediations
• Identify compensating controls in place to measure the maturity of the domain control
• Apply additional questionnaires to clarify residual risk indicators
• Multiple questionnaire options and importing of cyber monitoring scores for a complete view of risks
• Multi-variate risk scoring based on likelihood and impact
• Integrate with existing IRM/GRC tools to maintain workflow and improve adoption

Controls: Establish a mix of management, process, human capital, technology, information, and physical actions and controls that serve governance, management, and assurance needs.

• Establish Proactive Actions and Controls
• Establish Detective Actions and Controls
• Establish Responsive Actions and Controls

• Risk profiling to understand where inherent risk is
• Verification to compare answers provided by vendors vs. observed controls
• Review compensating controls to measure acceptability
• Centralized reporting – customizable by internal stakeholder or external party – showing existing risks and score, areas of improvement, and progress over time on risk mitigation efforts
• Configurable risk recommendations to provide a single voice as to how to mitigate vulnerabilities based on known or identified risks
• Bi-directional remediation workflow with full audit trail to ensure all parties are transparently aware of risk mitigation efforts

Policies: Implement policies and associated procedures to address opportunities, threats and requirements and set clear expectations of conduct for the governing authority, management, the workforce and the extended enterprise.

• Develop Codes of Conduct
• Establish Policy Structure
• Identify and Develop Policies
• Implement and Manage Policies
• Champion Policies
• Develop and Implement Ethical Decision-Making Guidelines

Advisory and health check services help to define and refine TPRM policies

Communication: Deliver and receive relevant, reliable, and timely information to the right audiences, as required by mandates, or as needed to perform responsibilities and effectively shape attitudes.

• Develop Reporting Plan
• Process Architecture
• Develop Communication Plan

Stakeholder-specific reporting – internal and external – showing inherent, residual, and actual risks throughout the vendor management lifecycle to drive action based on identified or dispositioned risks

Education: Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements.

• Define an Awareness and Education Plan
• Define a Curriculum Plan
• Develop or Acquire Content
• Implement Education
• Provide Helpline
• Provide Integrated Support

Using Advisory services, use adaptive enablement and key performance and risk indicators to drive improvements in Talent, Tools and Techniques.

Incentives: Implement incentives that motivate desired conduct and recognize those who contribute to positive outcomes to reinforce desired conduct.

• Define Desired Conduct
• Hire and Promote Based on Conduct Expectations
• Develop and Implement Compensation, Reward and Recognition Programs

Advisory services to define the program, help train internal stakeholders, and drive adoption

Notification: Provide multiple pathways to report progress toward objectives, and the actual or potential occurrence of undesirable and desirable conduct, conditions, and events.

• Capture Notifications
• Filter and Route Notifications
• Adhere to Data Protection Requirements

• Map results of assessments to multiple industry frameworks or compliance regimes
• Flexible prioritization of risks based on importance to the business
• Built-in workflow to route specific results or identified risks to the proper stakeholders for analysis, further investigation, or remediation.
• Fully-audited trail of communications between internal and external parties

Inquiry: Periodically analyze data and seek input about progress towards objectives; and the existence of undesirable conduct, conditions and events.

• Establish Multiple Pathways to Obtain Information
• Establish an Organization-Wide Integrated Approach to Surveys
• Establish an Integrated Approach to Self-Assessment
• Gather Information Through Observations and Conversations
• Report Information and Findings

• Automate collection and analysis of questionnaire-based vendor evidence
• Avoid survey fatigue by enabling a complete-once, share-many model using standard content
• Encourage vendor self-assessment by completing a standard questionnaire and sharing it to a network for use by multiple organizations
• Real-time vendor updates with risks adjusted in real-time
• Import multiple inputs for risk scoring
• Stakeholder-specific reporting – internal and external – showing progress to compliance, existing risks, and planned mitigations after remediations are applied

Response: Design and, when necessary execute responses to identified or suspected undesirable conduct, conditions, events, or weaknesses in capabilities.

• Establish Investigation Processes
• Prepare to Address Crisis Situations
• Follow Resolution Processes
• Improve Capabilities
• Discipline and Retrain
• Determine Disclosures

• Real-time alerts to potential business disruptions via cyber vulnerabilities and business intelligence
• Visualize flows of data between vendor relationships know instantly where the impact will reach and who to contact for resolution
• Remediation guidance to resolve risk to an appropriate level

Monitoring: Monitor and periodically evaluate the performance of the capability to ensure it is designed and operated to be effective, efficient, and responsive to change.

• Monitor and Evaluate Capability Design
• Identify Monitoring Information
• Perform Monitoring Activities
• Analyze and Report Monitoring Results

• Continuously monitor for the cyber and business risks of partners/suppliers/third-parties
• Move to a continuous assessment model
• Centralized reporting – customizable by internal stakeholder or external party – showing existing risks and score, areas of improvement, and progress over time on risk mitigation efforts
• Bi-directional remediation workflow with full audit trail to ensure all parties are transparently aware of risk mitigation efforts

Assurance: Provide assurance to management, the governing authority, and other stakeholders that the capability is reliable, effective, efficient and responsive.

• Plan Assurance Assessment
• Perform Assurance Assessment

• Utilize industry-standard questionnaire content to assess vendor security and privacy controls to determine control weaknesses and establish risks to be remediated
• Conduct Incident Response Scenario Based Tests to identify improvements of content gathered for assessments and information connections during a time of Crisis Management
• Flexible assessment schedules to accommodate business needs

Improvement: Review information from periodic evaluations, detective and responsive actions and controls, monitoring, and assurance, to identify opportunities for capability improvements.

• Develop Improvement Plan
• Implement Improvement Initiatives

• Identify concentration and top risks across the portfolio and/or network community to reduce risk proactively
• Risk qualification and quantification to combat the high volume identified risks