In today’s highly connected and globalized world, your organization likely relies on a multitude of third, fourth, and Nth parties. Each company in your vendor ecosystem or supply chain, as well as each of their vendors and partners, may pose a certain level of business and/or cyber risk to your organization.
Third-party risk management tools can enable your organization to better understand its supply chain, speed vendor due diligence processes, continuously evaluate and analyze risk, and efficiently manage remediation and mitigation.
This article reviews four categories of third-party risk management tools, uncovering the pros and cons of each.
Third-party risk management (TPRM) has evolved from a once-a-year checklist exercise to a vital everyday practice. As technology enabled unprecedented data sharing and distribution of work, many organizations relinquished control of data and the management of their systems and processes to third-party vendors in return for increased efficiency, cost savings and scale. More recently, this loss of control accelerated with the widespread availability and adoption of cloud-based software solutions.
With the expansion of the information economy, actors ranging from lone criminals to nation states have an immense attack surface providing several pathways to their chosen targets. As has been shown in recent supply chain attacks, like those leveraging flaws in technology from SolarWinds, Kaseya, and Microsoft Exchange, the path of least resistance is often through a company’s vendors and suppliers.
However, vendor risk doesn’t stop with data and privacy. Financial and market problems can lead to operational disruptions. Shortfalls in environmental, social and governance (ESG) policies can result in lawsuits and reputational damage. And violations of anti-bribery and corruption (ABAC) and modern slavery laws could lead to liability for your organization.
So, the more complex your supply chain and the more vendors you work with, the more third-party exposures you may encounter. That’s why identifying, understanding, and handling third-party risks is critical to ensuring business resilience.
While some organizations with small, low-risk vendor communities may be able to get by using spreadsheets as their go-to third-party risk management tools, purpose-built third-party risk management solutions are essential for companies operating in certain fields, including:
Finance, healthcare, insurance, legal, retail and other companies handling sensitive customer or patient data
Critical services and infrastructure, like energy and utilities
Industries with complex supply chains, like auto and other manufacturing companies
Government contractors, pharmaceutical companies, and other organizations handling high-value intellectual property
If you work in one of the above industries, or otherwise rely on a large third-party ecosystem, then using TPRM tools can help you identify and profile your vendors; gather and manage risk information; analyze risk implications for your organization; and efficiently manage remediation and mitigation.
Historically, third-party risk management processes were highly manual, usually relying on a combination of questionnaires emailed to vendors, with responses tracked in spreadsheets. The most commonly used tools for TPRM were standard email and office productivity solutions, like Microsoft Office.
While these tools facilitated vendor outreach and basic organization of risk survey responses, they left all analysis, prioritization, validation, and remediation management with individual risk or IT team members, or required the programming of macros and formulas in spreadsheets. So, a vendor simply attesting to having a specific security control in place was often enough to satisfy risk managers. In today’s environment of rapidly evolving cybersecurity risks, one-time attestations no longer cut it with auditors and regulators.
In some cases, larger organizations would also leverage highly customized database solutions built on technologies like Oracle, MySQL and DB2. But these were costly to build and maintain. They also proved unwieldy to use and were quickly outpaced as supply chains increased in complexity and threats gained in sophistication and frequency.
A core tenet of TPRM is understanding your organization's potential risks and accounting for vendor/supplier security and data privacy controls against those risks. That starts with conducting questionnaire-based risk assessments to gather information from third parties and identify any potential shortfalls that could jeopardize your business.
Rather than creating vendor risk questionnaires from scratch, most organizations base their assessments on established risk management guidelines or frameworks. For the purpose of this article, we will consider risk management frameworks to be the second category of TPRM tools.
The most prominent risk management frameworks are those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Your broader governance, risk and compliance (GRC) processes may already align with one of these industry standards, and either can provide your organization and its vendors with a common language for discussing risk.
The NIST and ISO risk management frameworks prescribe standardized approaches to identifying, quantifying, and reporting on risk metrics and risk scoring. In addition, their use of common risk profiles to quantify both internal risk and third-party risk can yield consistent scores for prioritizing remediation initiatives.
Starting with NIST or ISO provides your program with a framework for success, while establishing the definitions necessary to produce accurate and replicable results. That said, NIST and ISO are just two sources of risk assessment guidance. Other examples include:
Industry-standard questionnaires (e.g., the Standard Information Gathering (SIG) questionnaire, the H-ISAC questionnaire for healthcare organizations, or the Prevalent Compliance Framework (PCF) questionnaire) provide accepted pools of content that your vendors are likely already familiar with.
Compliance-specific questionnaires for GDPR, CCPA, CMMC, or other mandates calling for third-party risk assessments. Check our compliance section for specific assessment requirements for 20+ regulations.
Proprietary questionnaires that you develop internally to address specific business needs or meet unique reporting requirements.
To learn about the pros and cons of each option, we recommend reading How to Select a Vendor Risk Assessment Questionnaire.
NIST, ISO or another risk management framework can provide a solid foundation for your TPRM program. However, if you’re not using your chosen framework in concert with a specialized third-party risk management solution, then you will require experienced practitioners to implement any recommended procedures in an effective and scalable way.
And even with a well-documented process, it can quickly become overwhelming for small risk management teams to design, send, follow-up, correlate, and make third-party risk decisions with any consistency or regularity.
Risk assessments enable you to gather information on security, data privacy and compliance controls directly from your vendors. However, even when based on a standard framework, they only provide limited visibility into third-party risk, because:
Questionnaires rely on self-reporting by the entities being assessed, leaving room for error, misinterpretations, and omissions
Completed assessments deliver a partial view of risk that is limited to the scope of the questionnaire
An assessment result provides a point-in-time snapshot of a risk environment that is constantly evolving
It can be difficult to get responses to vendor risk assessments
External vendor risk monitoring tools can help you bridge the gap between periodic assessments and validate assessment responses against real-world events. After all, a vendor may fulfill all of your security control requirements and still suffer a data breach.
In addition, assessments are often focused on IT security or privacy controls and provide no insight into business risks like bankruptcies, compliance violations, lawsuits, strikes, and other events that could disrupt your supply chain.
One way to find vendor and supplier risk information is via Open-Source Intelligence (OSINT), which is information gathered from publicly available sources. While OSINT can include information obtained through methods like the U.S. Freedom of Information Act or a visit to the library, the most obvious form is what is found through internet and social media searches.
A simple internet search on a prospective vendor might turn up financial, legal, ethics or other business risks that might not otherwise come up during the sourcing and selection process. Many organizations fail to even perform this most basic level of OSINT-based due diligence.
While conducting internet research on prospective partners and setting up Google Alerts for vendor-related news is a start, keep in mind that the vast majority of information available on the World Wide Web is not indexed by Google and other major search engines; the indexed portion is what is known as the “surface web.”
The primary reason this “deep web” of sites, files and databases isn’t indexed is because it sits behind either registration forms or paywalls. For instance, Prevalent offers white papers, research reports and on-demand webinars that require registration to access. While it's still available to the general public, all of this gated content is part of the deep web.
Malicious actors also commonly leverage OSINT to identify and perform reconnaissance on potential targets. Attackers use not only the surface and the (legal) deep web to gather risk information, but also the dark web.
The dark web is a part of the deep web where criminal activity is conducted. Forums on the dark web provide access to stolen credentials, vulnerability and exploit data, hacking tools, and other information that can be used in third-party attacks. So, it’s clear that staying on top of OSINT related to your company and its third parties is essential to staying a step ahead of cybercriminals.
Leveraging OSINT is a critical way to supplement your vendor risk assessment practices with externally observable risk intelligence. However, even if your OSINT collection is limited to browser searches and alerts, manual labor and information overload present major obstacles. A single event affecting one of your third parties may spawn hundreds of alerts. Managing this data overload without an automated monitoring tool can be overwhelming and unsustainable.
There are several free and inexpensive OSINT tools that can help you go beyond the surface web to identify cyber risks, but most of these require technical expertise and additional analysis to deliver any data that is useful to risk managers.
Another, more accessible, option for obtaining OSINT-based risk monitoring data is using a security ratings solution. These automated solutions can aggregate and correlate OSINT data on specific companies and assign risk scores, which may prompt further investigation and otherwise help to prioritize your risk management efforts.
While risk monitoring tools can provide you with useful intelligence on current and prospective vendors and suppliers, they only deliver an external, outside-in view of third-party risk. For a more complete picture of risk, it’s important to use continuous monitoring in conjunction with periodic risk assessments. Unifying monitoring and assessment enables you to not only identify external threats to your third parties, but also determine their ability to mitigate those threats before they affect your organization.
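To make the two ideas above concrete (collapsing the hundreds of alerts one vendor event can spawn into a single correlated event, and checking monitoring events against what a vendor attested to in its questionnaire), here is an added example. It is not Prevalent's code and not from any ratings product; the vendor names, alerts, control names, event weights and the event-to-control mapping are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed questionnaire answers: control name -> vendor attestation (True = "in place").
ATTESTATIONS = {
    "acme-logistics": {"mfa_enforced": True, "tls_cert_management": True, "remote_admin_restricted": True},
    "birch-payroll":  {"mfa_enforced": True, "tls_cert_management": False, "remote_admin_restricted": True},
    "cedar-printing": {"mfa_enforced": False, "tls_cert_management": True, "remote_admin_restricted": True},
}

# Constructed raw alerts as a ratings feed or news-alert pipeline might emit them.
# Four near-duplicate alerts describe one acme-logistics event; a fifth, weeks later, is a new event.
ALERTS = [
    {"vendor": "acme-logistics", "ts": "2024-03-01T08:00:00", "category": "credential_leak", "source": "paste-monitor"},
    {"vendor": "acme-logistics", "ts": "2024-03-01T09:30:00", "category": "credential_leak", "source": "news-alert"},
    {"vendor": "acme-logistics", "ts": "2024-03-01T17:45:00", "category": "credential_leak", "source": "news-alert"},
    {"vendor": "acme-logistics", "ts": "2024-03-02T11:00:00", "category": "credential_leak", "source": "forum-monitor"},
    {"vendor": "acme-logistics", "ts": "2024-03-20T10:00:00", "category": "credential_leak", "source": "paste-monitor"},
    {"vendor": "birch-payroll",  "ts": "2024-03-05T12:00:00", "category": "expired_tls_cert", "source": "scanner"},
    {"vendor": "birch-payroll",  "ts": "2024-03-06T12:00:00", "category": "expired_tls_cert", "source": "scanner"},
    {"vendor": "birch-payroll",  "ts": "2024-03-10T12:00:00", "category": "exposed_remote_admin", "source": "scanner"},
    {"vendor": "cedar-printing", "ts": "2024-03-11T12:00:00", "category": "expired_tls_cert", "source": "scanner"},
]

# Assumed mapping: which attested control an observed event calls into question.
CONTROL_FOR_EVENT = {
    "credential_leak": "mfa_enforced",
    "expired_tls_cert": "tls_cert_management",
    "exposed_remote_admin": "remote_admin_restricted",
}
EVENT_WEIGHT = {"credential_leak": 30, "expired_tls_cert": 10, "exposed_remote_admin": 25}  # assumed weights
ATTESTATION_GAP_BONUS = 15   # extra weight when the vendor attested the relevant control was in place
INVESTIGATE_THRESHOLD = 40   # score at or above which a human review is prompted


def correlate_alerts(alerts, window_hours=72):
    """Collapse alerts with the same vendor and category that fall within
    `window_hours` of the first alert in a cluster into one event."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["vendor"], a["category"])].append(a)
    events = []
    for (vendor, category), group in by_key.items():
        group.sort(key=lambda a: a["ts"])  # ISO-8601 strings sort chronologically
        cluster_start = None
        for a in group:
            ts = datetime.fromisoformat(a["ts"])
            if cluster_start is None or ts - cluster_start > timedelta(hours=window_hours):
                cluster_start = ts  # start a new event cluster
                events.append({"vendor": vendor, "category": category, "first_seen": a["ts"],
                               "alert_count": 1, "sources": {a["source"]}})
            else:
                events[-1]["alert_count"] += 1  # same event, another source repeating it
                events[-1]["sources"].add(a["source"])
    return events


def reconcile(events, attestations):
    """Flag each event whose category undermines a control the vendor said was in place."""
    for e in events:
        control = CONTROL_FOR_EVENT.get(e["category"])
        attested = attestations.get(e["vendor"], {}).get(control, False)
        e["attestation_in_question"] = bool(control and attested)
    return events


def score_vendor(events):
    """Weighted sum over distinct events, capped at 100."""
    score = 0
    for e in events:
        score += EVENT_WEIGHT.get(e["category"], 5)
        if e["attestation_in_question"]:
            score += ATTESTATION_GAP_BONUS
    return min(score, 100)


def assess(alerts, attestations, window_hours=72):
    """Per-vendor report: correlated events, score and the action the score prompts."""
    events = reconcile(correlate_alerts(alerts, window_hours), attestations)
    report = {}
    for vendor in attestations:
        vendor_events = [e for e in events if e["vendor"] == vendor]
        score = score_vendor(vendor_events)
        report[vendor] = {"score": score, "events": vendor_events,
                          "action": "investigate" if score >= INVESTIGATE_THRESHOLD else "monitor"}
    return report


if __name__ == "__main__":
    for vendor, r in assess(ALERTS, ATTESTATIONS).items():
        print(f"{vendor}: score={r['score']} action={r['action']} "
              f"events={[(e['category'], e['alert_count']) for e in r['events']]}")
```

With this input, the five acme-logistics alerts reduce to two events (four alerts within 72 hours, then one new event weeks later), and because the vendor attested that MFA is enforced, each credential-leak event scores higher than it would for a vendor that never claimed the control. The score is only a prioritization aid: anything at or above the threshold is routed to a person for follow-up with the vendor, which is where the assessment-side evidence comes back in.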
You can find more sources of vendor and supplier risk information in our article, 7 Critical Sources of Third-Party Risk Intelligence.
Most organizations with more than a few dozen vendors will eventually need to enlist a unified, automated solution to maintain an effective, consistent and scalable program for third-party risk management and compliance.
Because of the extensive breadth and depth of capabilities they offer, third-party risk management platform providers may wince if you use the word “tool” to describe these solutions. Nonetheless, the TPRM platform is the fourth type of third-party risk management tool that you should consider using.
Third-party risk management platforms unify and automate the assessment and monitoring processes. At a basic level, they enable you to holistically identify vendor risks, report on risk vis-à-vis business and compliance requirements, and streamline the remediation process.
TPRM platform tools like that offered by Prevalent deliver assessment and monitoring capabilities in the context of the broader vendor lifecycle:
Sourcing & Selection
Intake & Onboarding
Inherent Risk Scoring
Vendor Risk Assessment
Vendor Risk Monitoring
SLA & Performance Management
Offboarding & Termination
A TPRM platform offers the combined capabilities of the other third-party risk management tools referenced in this article. A platform can automate the vendor onboarding and assessment process, continuously monitor public and private sources of risk intelligence, and then deliver correlated risk reports mapped to any risk management framework, government regulation, industry standard, and/or internal requirement.
A third-party risk management platform provides internal teams and external third parties with a centralized, collaborative environment for identifying, understanding and reducing risk. TPRM platform benefits include:
Reduced cost and risk during third-party selection
Fast and secure vendor and supplier onboarding
Improved visibility into vendor profiles and inherent risks
Increased efficiency with unified risk identification and remediation
Continuous visibility into public and private sources of risk intelligence
Time savings with central compliance, SLA and residual risk reporting
Assurance when winding down business relationships
If you are just getting started with third-party risk management and/or don’t require a platform-based tool, one alternative to consider is joining a third-party risk network. These subscription-based services provide on-demand access to libraries of standardized vendor risk reports based on completed risk assessments and/or continuous monitoring data. While standalone risk networks don’t offer full vendor lifecycle management, they provide quick access to vetted risk reports to assist with vendor due diligence.
If you have more specific requirements but don’t have internal TPRM expertise or resources, then consider outsourcing the work to vendor risk assessment services. With this managed service approach, you partner with a team of experts who manage the vendor lifecycle on your behalf (e.g., onboarding vendors, collecting evidence, reviewing assessments, identifying risks, providing remediation guidance, etc.).
Your organization has several options when it comes to third-party risk management tools. Whether you need on-demand vendor risk reports, a team of experts to manage the assessment process, or an enterprise TPRM platform solution, Prevalent is here to help. We’ll even help you identify the right TPRM tools and processes to meet your specific requirements. Get started with a free TPRM Maturity Assessment or request a demo today.