Third-Party Risk Management Considerations for Your GRC Strategy

It's time to audit your GRC program for these critical TPRM capabilities.
Scott Lang
VP, Product Marketing
January 16, 2020

GRC – short for Governance, Risk, and Compliance – is the alignment of processes, technologies, and people in an organization with a repeatable framework for risk-based decision making. But what is involved in GRC, and does it account for the risks presented by third parties? Considering that more than 60% of data breaches involve a third party of some kind, how can organizations develop a simplified, holistic risk management strategy that encompasses not only internal risk factors, but also those introduced by the external parties they do business with? This blog addresses those questions and provides a summary of capabilities to look for as you build out your GRC strategy using a common industry-standard framework: the OCEG GRC Capability Model.

What is involved in GRC?

GRC starts with defining business goals and arranging business processes and organizational oversight to ensure the business achieves those goals. This is the “G” – governance. Then comes the “R” – employing the principles of risk management in defense of those goals, for example by having IT risk management processes in place that provide a framework for gaining visibility into, and taking action on, potential cyber risks that could impact the business. Finally comes the “C” – ensuring compliance with regulatory and industry frameworks built to ensure your organization’s “G” and “R” practices are aligned with proven and accepted practices.

How is Third-Party Risk related to GRC?

While GRC is inherently an internal exercise, its fundamental practices can be extended to an organization’s third-party and external business relationships. Leveraging many of the same principles, third-party risk management – or TPRM – is an outward-facing subset of GRC: it provides the capability to identify and manage IT risk in the supply chain (vendors, suppliers, partners, etc.) – your extended enterprise – to ensure an acceptable level of partner risk and to measure vendors’ adherence to compliance mandates. The extended enterprise is a point of concern in the modern, outsourced, flexible environment because it is a direct extension of the business supporting revenue-generating activities.

Specifically, TPRM automates collection and analysis of questionnaire-based vendor evidence; identifies and prioritizes vendor risks; outlines risk remediation recommendations with specific actionable guidance; continuously monitors cyber and business risks through external scanning, business intelligence, and penetration testing; and reports by compliance regime or industry framework.

Conceptually, GRC and TPRM are similar in their approaches and outcomes, with TPRM benefiting from GRC in that a holistic GRC strategy helps make TPRM more proactive and less reactive. TPRM also considers second and fourth parties in the extended enterprise.

Building a GRC program? Consider this framework to ensure TPRM is addressed from the start.

If you are looking to provide some structure around your GRC program – or to start up a more formal program – and want to ensure your third-party risk concerns are addressed from the start, we recommend the Open Compliance and Ethics Group’s OCEG Red Book, a well-received common industry framework for GRC. We have mapped best-practice TPRM capabilities onto this model in the table below.

The table below pairs each component of the OCEG GRC Capability Model with the best-practice TPRM capabilities that address it. For each component, the OCEG practices are listed first, followed by the corresponding TPRM capabilities.

L – Learn: Examine and analyze context, culture, and stakeholders to learn what the organization needs to know to establish and support objectives and strategies.

External Context: Understand the external business context in which the organization operates.

OCEG GRC Capability Model:
  • Analyze the External Context
  • Analyze External Stakeholder and Influencer Needs
  • Watch the External Context

Best Practice TPRM Capabilities:
  • Advisory services to help build a flexible, adaptable TPRM program
  • Multiple questionnaire options to collect evidence from vendors
  • Continuous monitoring of vendors’ cyber and business risks
  • Integration with multiple different providers of cyber risk data for broad coverage

Internal Context: Understand the internal business context in which the organization operates.

OCEG GRC Capability Model:
  • Analyze the Internal Context
  • Watch the Internal Context

Best Practice TPRM Capabilities:
  • Flexible weightings to provide the right context to vendor risks
  • Map business processes to the key controls to manage against

Culture: Understand the existing culture, including how leadership models culture, the organizational climate, and individual mindsets about the governance, assurance, and management of performance, risk, and compliance.

OCEG GRC Capability Model:
  • Analyze Governance Culture
  • Analyze Management Culture
  • Analyze Risk Culture
  • Analyze Ethical Culture
  • Analyze Workforce Engagement
  • Watch the Culture

Best Practice TPRM Capabilities:
  • Flexible, easy-to-use interface to ensure all levels of the organization benefit from the solution

Stakeholders: Interact with stakeholders to understand expectations, requirements, and perspectives that impact the organization.

OCEG GRC Capability Model:
  • Understand Stakeholders
  • Analyze External Stakeholder and Influencer Needs
  • Develop Stakeholder Relations Plans

Best Practice TPRM Capabilities:
  • Stakeholder-specific reporting to ensure needs are met throughout the organization
  • Defined process for risk disposition

A – Align: Align performance, risk, and compliance objectives, strategies, decision-making criteria, actions, and controls with the context, culture, and stakeholder requirements.

Direction: Provide direction by establishing clear mission, vision and values statements, high-level objectives, as well as guidance about how decisions will be made.

OCEG GRC Capability Model:
  • Define Mission, Vision, and Values
  • Analyze Opportunities, Threats and Requirements
  • Define High-Level Goals
  • Define Management Boundaries
  • Define Decision-Making Criteria

Best Practice TPRM Capabilities:
  • Centralized vendor inventory
  • Categorize or tier vendors based on criticality to the business
  • Monitor cyber and business threats from third parties
  • Flexible risk weightings to clarify what is important to the business

Objectives: Define a balanced set of measurable objectives that are consistent with decision-making criteria and appropriate for the established frame of reference.

OCEG GRC Capability Model:
  • Apply Decision-Making Criteria
  • Develop Additional Decision-Making Criteria
  • Consider Cumulative or Competing Effect of Objectives
  • Document Objectives

Best Practice TPRM Capabilities:
  • Identify what risks mean to the business, weight them, score them, and define remediation plans to reduce risks to an acceptable level
  • Service-level target workflow to drive workflow management and timeliness of assessment assurance

Identification: Identify forces that may cause desirable (opportunity) or undesirable (threat) effects on the achievement of objectives, as well as those that may compel the organization to conduct itself in a particular way (requirement).

OCEG GRC Capability Model:
  • Review Capability
  • Identify Forces
  • Identify Opportunities, Threats and Requirements
  • Identify Interrelatedness & Trends

Best Practice TPRM Capabilities:
  • Advisory services to build achievable milestones and program objectives
  • Monitor concentration risk and/or reduce the risk landscape, using data to better understand single-point-of-failure vendors versus an overlapping range of similar vendors at different levels of physical and security maturity

Assessment: Analyze current and planned approach to address opportunities, threats and requirements using decision-making criteria with quantitative and qualitative methods.

OCEG GRC Capability Model:
  • Analyze Risk/Reward
  • Analyze Compliance
  • Prioritize Management of Threats, Opportunities and Requirements

Best Practice TPRM Capabilities:
  • Measure residual risk after controls are applied and remediations take effect, with predictive reporting showing the reduction in risk
  • Regulatory- and framework-specific reporting showing progress to full compliance, with predictive scoring based on completing recommended remediations
  • Flexible risk weightings to ensure focus on the most important risks to the business
  • Combination of cyber business monitoring and qualitative business risk analysis
  • Stakeholder-specific reporting to get the right data in the right hands for risk-based decision-making

Design: Develop strategic and tactical plans to achieve the objectives, while addressing uncertainty and acting with integrity, consistent with decision-making criteria.

OCEG GRC Capability Model:
  • Explore Options to Address Requirements
  • Explore Options to Address Risk/Reward
  • Design Transfer and Risk Financing Strategies
  • Determine Planned Residual Risk/Reward and Compliance
  • Address Inherently High Risk
  • Develop Key Indicators
  • Develop the Information Management Structure
  • Establish Technology Architecture
  • Develop Integrated Plan
  • Enable Execution

Best Practice TPRM Capabilities:
  • Regulatory- and framework-specific reporting that measures the level of compliance, with the ability to show how it changes with the application of recommended remediations
  • Identify compensating controls in place to measure the maturity of the domain control
  • Apply additional questionnaires to clarify residual risk indicators
  • Multiple questionnaire options and importing of cyber monitoring scores for a complete view of risks
  • Multi-variate risk scoring based on likelihood and impact
  • Integrate with existing IRM/GRC tools to maintain workflow and improve adoption

P – Perform: Address threats, opportunities, and requirements by encouraging desired conduct and events, and preventing what is undesired, through the application of proactive, detective, and responsive actions and controls.

Controls: Establish a mix of management, process, human capital, technology, information, and physical actions and controls that serve governance, management, and assurance needs.

OCEG GRC Capability Model:
  • Establish Proactive Actions and Controls
  • Establish Detective Actions and Controls
  • Establish Responsive Actions and Controls

Best Practice TPRM Capabilities:
  • Risk profiling to understand where inherent risk is
  • Verification to compare answers provided by vendors against observed controls
  • Review compensating controls to measure acceptability
  • Centralized reporting – customizable by internal stakeholder or external party – showing existing risks and score, areas of improvement, and progress over time on risk mitigation efforts
  • Configurable risk recommendations to provide a single voice on how to mitigate vulnerabilities based on known or identified risks
  • Bi-directional remediation workflow with full audit trail to ensure all parties are transparently aware of risk mitigation efforts

Policies: Implement policies and associated procedures to address opportunities, threats and requirements and set clear expectations of conduct for the governing authority, management, the workforce and the extended enterprise.

OCEG GRC Capability Model:
  • Develop Codes of Conduct
  • Establish Policy Structure
  • Identify and Develop Policies
  • Implement and Manage Policies
  • Champion Policies
  • Develop and Implement Ethical Decision-Making Guidelines

Best Practice TPRM Capabilities:
  • Advisory and health check services to help define and refine TPRM policies

Communication: Deliver and receive relevant, reliable, and timely information to the right audiences, as required by mandates, or as needed to perform responsibilities and effectively shape attitudes.

OCEG GRC Capability Model:
  • Develop Reporting Plan
  • Process Architecture
  • Develop Communication Plan

Best Practice TPRM Capabilities:
  • Stakeholder-specific reporting – internal and external – showing inherent, residual, and actual risks throughout the vendor management lifecycle to drive action based on identified or dispositioned risks

Education: Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements.

OCEG GRC Capability Model:
  • Define an Awareness and Education Plan
  • Define a Curriculum Plan
  • Develop or Acquire Content
  • Implement Education
  • Provide Helpline
  • Provide Integrated Support

Best Practice TPRM Capabilities:
  • Advisory services that use adaptive enablement and key performance and risk indicators to drive improvements in talent, tools and techniques

Incentives: Implement incentives that motivate desired conduct and recognize those who contribute to positive outcomes to reinforce desired conduct.

OCEG GRC Capability Model:
  • Define Desired Conduct
  • Hire and Promote Based on Conduct Expectations
  • Develop and Implement Compensation, Reward and Recognition Programs

Best Practice TPRM Capabilities:
  • Advisory services to define the program, help train internal stakeholders, and drive adoption

Notification: Provide multiple pathways to report progress toward objectives, and the actual or potential occurrence of undesirable and desirable conduct, conditions, and events.

OCEG GRC Capability Model:
  • Capture Notifications
  • Filter and Route Notifications
  • Adhere to Data Protection Requirements

Best Practice TPRM Capabilities:
  • Map results of assessments to multiple industry frameworks or compliance regimes
  • Flexible prioritization of risks based on importance to the business
  • Built-in workflow to route specific results or identified risks to the proper stakeholders for analysis, further investigation, or remediation
  • Fully audited trail of communications between internal and external parties

Inquiry: Periodically analyze data and seek input about progress towards objectives, and the existence of undesirable conduct, conditions and events.

OCEG GRC Capability Model:
  • Establish Multiple Pathways to Obtain Information
  • Establish an Organization-Wide Integrated Approach to Surveys
  • Establish an Integrated Approach to Self-Assessment
  • Gather Information Through Observations and Conversations
  • Report Information and Findings

Best Practice TPRM Capabilities:
  • Automate collection and analysis of questionnaire-based vendor evidence
  • Avoid survey fatigue by enabling a complete-once, share-many model using standard content
  • Encourage vendor self-assessment by completing a standard questionnaire and sharing it to a network for use by multiple organizations
  • Real-time vendor updates with risks adjusted in real time
  • Import multiple inputs for risk scoring
  • Stakeholder-specific reporting – internal and external – showing progress to compliance, existing risks, and planned mitigations after remediations are applied

Response: Design and, when necessary, execute responses to identified or suspected undesirable conduct, conditions, events, or weaknesses in capabilities.

OCEG GRC Capability Model:
  • Establish Investigation Processes
  • Prepare to Address Crisis Situations
  • Follow Resolution Processes
  • Improve Capabilities
  • Discipline and Retrain
  • Determine Disclosures

Best Practice TPRM Capabilities:
  • Real-time alerts to potential business disruptions via cyber vulnerabilities and business intelligence
  • Visualize flows of data between vendor relationships to know instantly where the impact will reach and whom to contact for resolution
  • Remediation guidance to reduce risk to an appropriate level

R – Review: Conduct activities to monitor and improve design and operating effectiveness of all actions and controls, including their continued alignment to objectives and strategies.

Monitoring: Monitor and periodically evaluate the performance of the capability to ensure it is designed and operated to be effective, efficient, and responsive to change.

OCEG GRC Capability Model:
  • Monitor and Evaluate Capability Design
  • Identify Monitoring Information
  • Perform Monitoring Activities
  • Analyze and Report Monitoring Results

Best Practice TPRM Capabilities:
  • Continuously monitor the cyber and business risks of partners/suppliers/third parties
  • Move to a continuous assessment model
  • Centralized reporting – customizable by internal stakeholder or external party – showing existing risks and score, areas of improvement, and progress over time on risk mitigation efforts
  • Bi-directional remediation workflow with full audit trail to ensure all parties are transparently aware of risk mitigation efforts

Assurance: Provide assurance to management, the governing authority, and other stakeholders that the capability is reliable, effective, efficient and responsive.

OCEG GRC Capability Model:
  • Plan Assurance Assessment
  • Perform Assurance Assessment

Best Practice TPRM Capabilities:
  • Utilize industry-standard questionnaire content to assess vendor security and privacy controls, determine control weaknesses, and establish risks to be remediated
  • Conduct incident response scenario-based tests to identify improvements to the content gathered for assessments and to information connections during crisis management
  • Flexible assessment schedules to accommodate business needs

Improvement: Review information from periodic evaluations, detective and responsive actions and controls, monitoring, and assurance, to identify opportunities for capability improvements.

OCEG GRC Capability Model:
  • Develop Improvement Plan
  • Implement Improvement Initiatives

Best Practice TPRM Capabilities:
  • Identify concentration and top risks across the portfolio and/or network community to reduce risk proactively
  • Risk qualification and quantification to manage the high volume of identified risks

If your GRC strategy fails to address these TPRM best practices, act now. Download our best-practice guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, for a full review of the required capabilities to account for third-party risks in your GRC program.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.