Setting up a third-party risk management program is a complex process that involves managing hundreds, or even thousands, of vendors across multiple continents and legal jurisdictions. For every vendor a company takes on, it must consider dozens of third-party risks, including financial risks, cyber security exposures, legal actions, and performance failures that could ultimately disrupt the organization. Building a comprehensive TPRM program is increasingly important as organizations outsource more significant portions of their workloads to third-party suppliers.
There is no single approach to TPRM, but some commonly used frameworks serve as a solid starting point. These include frameworks provided by organizations such as the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO). Third-party risk management policies guide organizations on building, applying, managing, and implementing best practices. When implementing a third-party risk management framework, companies must examine the nature of the risk involved and deal with the changing business, regulatory and legal environments – and their potential impact on the organization’s operation. Effectively utilizing TPRM frameworks will reduce risks to both your organization and your customers.
Third-party risk management (TPRM) frameworks provide organizations with a roadmap to build their TPRM programs based on industry-standard best practices. Frameworks can be used as a foundation for building a TPRM program and as a source of baseline control requirements for third-party vendors and suppliers.
Third-party risk management frameworks fall into two categories. There are frameworks specific to designing a TPRM or supply chain risk management (SCRM) program, such as Shared Assessments TPRM Framework and NIST 800-161. Then there are ancillary information security frameworks that can supplement a TPRM program or help design vendor risk assessment questionnaires, such as NIST CSF v1.1, ISO 27001, and ISO 27036.
Both ISO 27001 and the NIST CSF v1.1 can prove invaluable in building a third-party risk management program. These standards are focused on providing an outline for how organizations can build an effective information security program, and both include controls related to effectively managing third-party risk. For example, NIST CSF v1.1 includes provisions requiring that organizations have:
a well-defined risk management policy
security controls selected for third-party suppliers
a policy codified in supplier agreements where appropriate
suppliers managed and audited to the requirements and controls
This clearly isn’t enough to build a TPRM program on, but NIST CSF v1.1 can provide far more value than that to your program. NIST CSF is widely considered to be the gold standard for building a competent information security program. Many organizations choose to build their vendor risk management and vendor risk assessment processes on a framework such as NIST in order to ensure suppliers are incorporating industry-standard best practices in their risk management program.
Third-party risk is an increasingly relevant part of any enterprise risk management strategy. Companies today are reliant on a dizzying array of suppliers and vendors located throughout the world. For that reason, organizations are also susceptible to business disruptions ranging from mild to severe, based on adverse events impacting third parties such as bankruptcies, geopolitical events, and data breaches.
Third-party risk management and information security frameworks provide valuable controls and information for organizations looking to mitigate their level of risk from third-party relationships. For example, the Shared Assessments TPRM framework consists of 4 fundamentals and 8 processes critical for a successful TPRM program and encompasses the entire vendor risk management lifecycle. Using a third-party risk management framework can help ensure that you have a fully fleshed out and comprehensive program.
Frameworks such as NIST 800-161, ISO 27036, and Shared Assessments can help provide a basis for developing a TPRM program. Information security-specific frameworks like ISO 27001, NIST CSF, and NIST 800-37 can be used to guide the vendor risk assessment process and to create vendor assessment questionnaires that accurately assess a company's cybersecurity maturity.
No single framework is likely to provide your organization with every control to comprehensively meet regulatory, risk management and due diligence goals. Many organizations choose to work exclusively with NIST or ISO, and draw from multiple frameworks and guidance documents from that organization when developing their program. For example, an organization may choose to base their supply chain risk management program on NIST 800-161, and draw on elements of NIST 800-53, NIST CSF v1.1 and NIST 800-37 RMF to more fully develop their program and develop their vendor assessment approach.
The following considerations and how they impact your organization are critical to understand as you select a TPRM framework. Understanding the organizational risks is the first step in choosing the proper framework for your company. These risk categories include (but may not be limited to):
Legal and Regulatory
Cybersecurity and Data Privacy Risks
One of the most frequent complaints about the assessment process is that it is time-consuming for vendors to complete without outstanding business value to their organization. TPRM isn’t just about ensuring that a partnership does not expose your organization to intolerable risk potential; it is also about rewarding vendors that reduce your organization's risks through their practices. That’s why it’s important to select the correct TPRM framework and understand its impact on your ecosystem of external vendors. When you are selecting the frameworks to help build your TPRM program, consider the following:
Does the framework enable automation for data gathering?
How does the framework integrate with your existing workflows?
Does the framework have or publish available benchmarks?
What TPRM frameworks do your customers use and require you to respond to?
Are there standard remediation processes in the literature associated with the TPRM framework?
Are there specific regulatory requirements that need to be considered, such as those applying to financial institutions or healthcare providers?
How broadly is the TPRM framework adopted, i.e., can it be used to address fourth-party risk concerns?
Once you have considered which specific business problems you need a framework to help you address, it’s worth examining some individual information security and supply chain risk management frameworks. Shared Assessments, NIST 800-161, and ISO 27036 can provide specific examples of important SCRM and TPRM controls, while information security frameworks such as NIST CSF can help drive your third-party risk management processes.
Shared Assessments has published a comprehensive set of TPRM best practices. This framework is designed to help organizations establish, monitor, optimize and mature their TPRM program using a standardized set of controls. The framework is divided into two sections: fundamentals and processes. Fundamentals include four sections: introduction, basics, buy-in, and governance. Processes include 8 families ranging from outsourcing analysis and due diligence to ongoing monitoring.
Shared Assessments is one of the few frameworks that is focused solely on third-party risk rather than on broader topics such as supply chain risk management or organizational information security. However, it does have the drawback that accessing the framework requires a membership fee, which can price some organizations out of using it.
Shared Assessments also publishes the Standardized Information Gathering (SIG) questionnaire, which enables organizations to easily employ a standardized third-party risk assessment that is pre-mapped to other standards such as ISO, HIPAA, NIST, GDPR and PCI DSS. It also includes a management tool that lets you draw from a predefined set of questions, an implementation checklist, and guidance on what documentation to request from third-party vendors. SIG can be particularly useful for organizations that are just beginning their TPRM program.
NIST 800-161 is supplemental guidance to NIST 800-53 Rev 5 specifically focused on helping federal entities manage supply chain risks. Although geared towards federal entities, the NIST SCRM guidance can also prove extremely useful for designing a TPRM or SCRM program for private sector organizations. NIST 800-161 divides the supply chain risk management process into four phases: frame, assess, respond, and recover. It includes 19 control families ranging from awareness training to system and service acquisition.
While supply chain risk management and third-party risk management are not precisely the same, there is a great deal of overlap. Taking guidance from NIST 800-161 could provide an excellent basis for building a competent TPRM program. NIST 800-161 might prove particularly useful for large, multinational organizations with complex supply chains and advanced SCRM needs.
NIST has also released a comprehensive risk management framework that enables companies in all sectors to integrate third-party risk management and information security management seamlessly. NIST 800-37 provides a solid foundation for managing risk across the enterprise, including risks related to third and fourth parties. Section 2.8 of the NIST RMF is worth paying particular attention to when considering issues around supply chain risk. NIST 800-37 can be particularly useful when considering risk mitigation strategies for onboarding new third-party vendors.
When designing vendor questionnaires, the best practices outlined in the NIST Cybersecurity Framework can prove invaluable. This library of best practices provides a set of standards that gives all participants the same reference model when discussing problems. The NIST CSF is widely considered the gold standard for building a cybersecurity program and can help you accurately measure a potential vendor's cyber risk profile as part of the assessment process. Building your vendor risk questionnaire based on controls found in NIST CSF can be particularly useful for organizations that have strong data privacy or regulatory compliance concerns.
The ISO 27001, 27002, and 27018 standards set requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO requirements are much broader than purely third-party risk but do include a significant section on how to manage supplier risk as part of a broader information security program. When designing your TPRM program, it is worth considering not only the ISO provisions that relate to third-party risk, but also the broader information security controls that could be applied to your vendor risk assessment process.
If your organization has third-party vendors and customers internationally, it may also be fitting to leverage the International Standards Organization processes specific to TPRM and information security. The ISO 27036 series has undergone multiple revisions and is currently under revision for alignment with other ISO standards. The ISO 27036 series is focused on information risks arising from the acquisition of goods and services from suppliers. The standard covers physically delivered services such as security guards, cleaners, delivery services, and equipment servicing, as well as more conventional processes regarding the use of cloud services, data domiciles, shared compliance processes, and requirements. It can also be integrated with ISO 27036 processes to provide a more holistic cybersecurity standard.
ISO 27036 is designed to manage the entire business relationship lifecycle to include:
Initiation - scoping, business case/cost-benefit analysis, comparison of insourcing versus outsourcing options as well as variant or hybrid approaches such as co-sourcing
Definition of requirements, including the information security requirements
Procurement, including selecting, evaluating, and contracting with supplier(s)
Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period
Operation including aspects such as routine relationship management, compliance, incident and change management, monitoring
Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes
Termination and exit
Taking guidance from NIST, ISO, Shared Assessments, and other framework providers can help cut out much of the manual labor of designing your TPRM program. Frameworks such as NIST 800-161 and ISO 27036 can provide valuable information for commonly adopted controls in TPRM and SCRM programs. Other frameworks such as NIST CSF, ISO 27001, and NIST 800-37 can be extremely helpful in designing your vendor risk assessment process.
Prevalent’s third-party risk management software makes it easy to build an effective and streamlined TPRM program. With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls, including IT security, compliance, performance, contract adherence, business continuity, financial position, reputation, ethics, anti-bribery & corruption, ESG, diversity and more. The Prevalent TPRM platform is a cloud-based solution that offers automated, standardized vendor risk assessments from many of the frameworks and regulations mentioned in this post, combined with vendor risk monitoring and remediation management across the entire vendor life cycle. Prevalent’s TPRM platform offers pre-built workflows and questionnaires mapped to industry standards, making establishing and managing your TPRM program dramatically faster and less expensive than trying to do it yourself. The platform is complemented by vendor intelligence networks offering on-demand access to completed, standardized risk reports on thousands of companies. Our solutions are backed by expert professional services and managed services to help you optimize and mature your TPRM program.
Wondering how to evolve your TPRM program? Start with a free Third-Party Risk Program Maturity Assessment. It's built on Prevalent’s proven model with more than 15 years of experience serving hundreds of customers. After completing a 45-question survey, you'll have a one-hour consulting session with Prevalent experts and walk away with an in-depth report on the state of your current TPRM program, plus practical recommendations for how to bring it to the next level.