Third-Party Risk Management Roles: Expanding Beyond Information Security

With the persistent threats of third-party cyber intrusions and continued pandemic-driven supply chain failures looming large, as well as increasing regulatory scrutiny over third-party relationships, many organizations are increasing their focus on vendor risk management. However, data from Prevalent’s annual third-party risk management best practices study shows that – aside from the typical IT and security teams – few business teams have a seat at the TPRM table. Without organizational buy-in on TPRM practices, companies will see increased assessment costs, unnecessary complexity, and missed risks that could lead to business disruptions.

It’s clear that organizations need to expand their TPRM initiatives to include teams beyond IT and security. This post identifies roles from across the enterprise that IT and security teams should engage in TPRM decisions. This list is by no means exhaustive, but includes some of the primary stakeholders in TPRM program success.

Third-Party Risk Management Roles

Procurement & Sourcing

Few teams in an enterprise have as pivotal a role in third-party risk management as the Procurement team does. After all, this team is likely responsible for handling vendor sourcing and associated evaluations; negotiating contract rates and renewals (and measuring adherence to contract delivery terms); conducting onboarding tasks; terminating contracts; and much more.

A critical TPRM success factor for the Procurement team is maintaining access to consistent supplier data – from performance metrics and contract SLAs, to financial and reputational measures. Additionally, Procurement teams will require a central repository for contracts and other documentation that simplifies the management of the vendor relationship, with integration to their existing procurement tools.

The bottom line for many Procurement professionals is time: trimming time throughout the procure-to-pay (P2P) lifecycle so they don’t slow the business down – whether in evaluating new vendors or determining renewal risks. Engage the procurement team early in project development to ensure their needs are met from the beginning.

Risk Management

Risk Management teams interact with multiple departments in an enterprise as their role brings together risks from around the business to determine acceptable levels. To achieve this goal, risk management teams must assess multiple types of risks across the organization – including from third parties.

A common frustration for Risk Management teams is siloes are created when each department treats risk differently. Without a function to bring it all together, risk management practices can be inconsistent and leave security gaps.

Because of their central risk function, Risk Management teams utilize governance, risk and compliance (GRC) tools to manage risks throughout the business. These teams should therefore be kept aware of risks beyond cybersecurity that could impact a third party’s ability to deliver. For example, Risk Management teams will want to know how suppliers score in environmental, social and governance (ESG), anti-bribery and corruption (ABAC), modern slavery and financial measures – as well as what processes vendors have in place for managing their own enterprise resilience to avoid disruptions.

As with Procurement teams, Risk Management should be engaged early in a TPRM project (assuming they are not the originators of the project) so that they can define risk parameters that align with overall enterprise risk management efforts.