With the persistent threats of third-party cyber intrusions and continued pandemic-driven supply chain failures looming large, as well as increasing regulatory scrutiny over third-party relationships, many organizations are increasing their focus on vendor risk management. However, data from Prevalent’s annual third-party risk management best practices study shows that – aside from the typical IT and security teams – few business teams have a seat at the TPRM table. Without organizational buy-in on TPRM practices, companies will see increased assessment costs, unnecessary complexity, and missed risks that could lead to business disruptions.
It’s clear that organizations need to expand their TPRM initiatives to include teams beyond IT and security. This post identifies roles from across the enterprise that IT and security teams should engage in TPRM decisions. This list is by no means exhaustive, but includes some of the primary stakeholders in TPRM program success.
Few teams in an enterprise have as pivotal a role in third-party risk management as the Procurement team does. After all, this team is likely responsible for handling vendor sourcing and associated evaluations; negotiating contract rates and renewals (and measuring adherence to contract delivery terms); conducting onboarding tasks; terminating contracts; and much more.
A critical TPRM success factor for the Procurement team is maintaining access to consistent supplier data – from performance metrics and contract SLAs, to financial and reputational measures. Additionally, Procurement teams will require a central repository for contracts and other documentation that simplifies the management of the vendor relationship, with integration to their existing procurement tools.
The bottom line for many Procurement professionals is time: trimming time throughout the procure-to-pay (P2P) lifecycle so they don’t slow the business down – whether in evaluating new vendors or determining renewal risks. Engage the procurement team early in project development to ensure their needs are met from the beginning.
Risk Management teams interact with multiple departments in an enterprise as their role brings together risks from around the business to determine acceptable levels. To achieve this goal, risk management teams must assess multiple types of risks across the organization – including from third parties.
A common frustration for Risk Management teams is siloes are created when each department treats risk differently. Without a function to bring it all together, risk management practices can be inconsistent and leave security gaps.
Because of their central risk function, Risk Management teams utilize governance, risk and compliance (GRC) tools to manage risks throughout the business. These teams should therefore be kept aware of risks beyond cybersecurity that could impact a third party’s ability to deliver. For example, Risk Management teams will want to know how suppliers score in environmental, social and governance (ESG), anti-bribery and corruption (ABAC), modern slavery and financial measures – as well as what processes vendors have in place for managing their own enterprise resilience to avoid disruptions.
As with Procurement teams, Risk Management should be engaged early in a TPRM project (assuming they are not the originators of the project) so that they can define risk parameters that align with overall enterprise risk management efforts.
Start-Up Guide: 10 Steps to Building a Successful TPRM Program
This 13-page guide will help you navigate key decisions when starting (or fixing) your TPRM program.
Data is the lifeblood of most businesses, and methods of protecting access to data are the IT controls du jour. Without proper data protection controls, third parties can become unwitting participants in breaches targeting their customers’ personally identifiable information (PII). In fact, Kaseya, Colonial Pipeline and the Microsoft Exchange breaches were ransomware-driven or had ransomware elements intended to block access to systems and data.
Regulators know this, and have developed measures and baselines to ensure that the most basic data protection controls are in place (think GDPR or CCPA). Data Privacy teams need an accurate view of how third parties are interacting with a company’s data to mitigate the risk of unwanted access. Mapping flows of information between third, 4th and Nth parties is a key driver for Data Privacy teams, as is internal data discovery and ownership. Compliance reporting and internal controls assessing data protection measures are paramount.
Be sure to engage Data Privacy teams when constructing your third-party risk assessment strategy to ensure you’re asking questions that clarify the vendor’s data protection controls.
Government regulations and industry frameworks around the world require companies to demonstrate controls related to third-party access to systems and data. However, most Audit and Compliance teams are trying to wrangle meaningful controls reporting from a multitude of different tools (e.g., spreadsheets) around the organization.
As with the Data Privacy team, Audit and Compliance will require simple reporting and controls mapping templates that get the right data into the hands of the right stakeholders, enabling them to demonstrate compliance or articulate a path to remediation. Be sure to engage with the Audit and Compliance team up front to understand which regulations require what type of reporting, and if it they be satisfied by aligning with an industry control framework such as NIST or ISO.
Prevalent unifies procurement, sourcing, risk management, data privacy, auditing and IT security teams with a single solution that assesses multiple supplier risk types; delivers centralized reporting and analytics; and provides a programmatic process for managing third parties and remediating risk throughout the vendor lifecycle.
For more tips on how to engage key stakeholders as you build out your TPRM program, download the white paper, 10 Steps to Building a Successful Third-Party Risk Management Program, or contact us for a strategy session today.