In a world with increasingly interconnected companies, vendors, suppliers, logistics partners and cloud services providers, Third-Party Risk Management (TPRM) has advanced from being an annual checklist exercise to a critical daily function. When an incident on the other side of the world can cause disruptions in your client service, it is critical to understand and manage those risks effectively and efficiently. Aside from the necessity of TPRM, the practice has advanced significantly from being an exchange of emails 10 years ago to a continuous monitoring process that incorporates traditional due diligence with high degrees of automation. Our goal in this article is to explain what TPRM is, what drives the implementation of TPRM, identify the basic lifecycle of TPRM programs, and finally outline tips for success and traps to avoid at all costs as you implement your program.
The coronavirus pandemic coupled with geopolitical crises and increasing cybersecurity threats has caused organizations to rapidly implement TPRM programs to manage the risks posed by third parties. In a recent survey conducted by KPMG, 85% of participating third-party risk management executives identified TPRM as a strategic priority for their organizations. According to the KPMG white paper, the TPRM executives were focused on using their TPRM programs to manage cyber security risks, enable data governance, and manage privacy requirements while improving cost efficiency.
Additionally, organizations that are able to rapidly mature their TPRM capabilities are realizing significant competitive advantages. Organizations with mature TPRM programs have a much lower chance of negatively impacting their reputations and customers while managing global, regional, and organizational disruptions. Preventing mistakes or misconfigurations in your extended supply chain from impacting your ability to serve customers is likely a critical function for your organization. A TPRM program enables your organization to effectively identify, mitigate, and/or accept those risks. In short, a properly configured TPRM program that uses effective processes can prevent unwanted surprises that negatively impact your organization.
TPRM involves a comprehensive analysis of the risks arising from relationships with third-party providers such as vendors, suppliers, contractors and other business partners. By conducting due diligence on the risks posed by third parties, your organization can proactively reduce risks that could disrupt its ability to serve its customers and other stakeholders. In today's complex business environment, risks can be multi-dimensional and go beyond simple buyer-seller relationships to include a broad spectrum of concerns such as the financial situation of a company, cybersecurity challenges, disruptions in critical supply items, labor disruptions, political instability, and regional conflicts. All of these risks (and others) may have financial, legal and operational impacts on your organization. The critical function that TPRM provides for your organization is that it allows you the luxury of planning your response rather than simply trying to react on an emergent basis.
The value of TPRM begins with the process of identifying risks and extends throughout the entire lifecycle of the relationships between your organization and your vendors. The TPRM lifecycle includes:
When planning your TPRM approach, keep in mind that the circumstances of the parties may change at any point during the engagement. Detecting and managing those changes is critical to the success of your organization. Vendors may have a change in business operations, their supply chain for key materials may be disrupted, or regional bodies may change import/export requirements. For example, laws regarding data privacy are changing rapidly all over the world. All of these conditions are happening today, and those companies that have effectively implemented a TPRM process are thriving while others are falling behind.
Given the rapid pace of change, there is a corresponding need for organizations to monitor and perform an initial analysis of the available information in near real-time in order to identify and manage their risk. This requirement means that some of the processes must automate the collection and dissemination of information about third-party vendors. The use of effective automation enables your TPRM office to identify risks and drive remediation before your organization suffers reputational harm.
A number of regulatory and compliance requirements mandate the management of third-party risk and can provide an effective framework for mitigating vendor risk. Regulatory requirements that drive TPRM programs cover a broad spectrum of markets, vendors, and data and are often driven by the type of organization (e.g., regulations and guidelines from CMMC, EBA, FCA, FFIEC, HIPAA, NERC, NIST, NYDFS, OCC and others), the location of your organization (e.g., privacy, state charter requirements), or your customers’ location (e.g., GDPR, CCPA). The key point to understand regarding these requirements is to ensure that your program accounts for what data your organization is liable to protect, where your customers typically reside, and standard requirements that your vendors must meet to deliver their services. These requirements must be included in your agreements that are extended to your vendors that work with the covered data.
Implementation of TPRM programs by organizations is driven by:
Regardless of your organization's specific driver for establishing a TPRM program, it is critical to identify and work with all of the internal stakeholders such as executives, boards, procurement, internal audit, finance, IT, information security, legal, and compliance in establishing your workflows.
When considering the implementation of a TPRM program, it is critical to ensure that all of the impacted internal and external stakeholders are included in establishing the program. Inclusion of the stakeholders ensures that all of the people, processes, and technologies are aligned to produce an effective program. At a minimum, consider the following as internal stakeholders:
There may be other internal stakeholders depending upon the type, function, and operations of your organization.
External stakeholders form another critical constituency for consideration in the development of your program. External stakeholders at a minimum include:
Since TPRM programs seldom start at the inception of a company, it is important to consider the existing agreements/programs that are already in force with the external vendors and ensure that they are thoroughly analyzed against the proposed TPRM program. Ensure that any discrepancies are recorded and that a plan to address any unmitigated risks is created and tracked to completion.
Regulatory standards are a primary driver for TPRM programs. Regulatory programs are specific to:
All of these require the implementation of a full lifecycle process for TPRM. These requirements are typically driven by the type of sensitive data collected in the standard course of business.
A primary example of this kind of regulatory-driven risk management is an important part of the industry-standard PCI-DSS, which defines third-party providers and requires that providers do not transmit cardholder data "on behalf of customers or organizations to providers that may compromise the security of their data and environment." This means that while companies are obliged to maintain the required cybersecurity program for themselves, they are still required to monitor the cybersecurity programs of vendors with access to sensitive data, even if they keep the risk below a certain threshold.
Another example is federal programs and contracting that require strict security management of all vendors with access to the information. This process goes far beyond simple questionnaires and exchanging documentation, and may also include scanning of internal environments and legal representations by executives regarding the data protection in place. The complexity of the third parties involved, the potential for conflicts of interest, and the prospect of financial losses are driving companies to continuously improve their risk management practices and risk mitigation strategies.
Traditionally, TPRM was executed by internal personnel or by outsourcing to consultants who followed a thoroughly scripted process to gather, analyze, and report on the information. Organizations that have previously relied on personnel to help with the assessment process may need to rethink their approach, as the current pandemic has limited travel and significantly limited real-time information gathering. This prevents on-the-spot assessment from being a viable option and completely upends the traditional approach to third-party risk assessment, which typically leverages in-person visits to validate the results provided by questionnaires. When current conditions are coupled with the rapidly increasing complexity and reach of today's supply chains, assessment simply isn’t feasible using the traditionally successful processes. Success at TPRM requires increasing use of automation and tools designed to perform the collection and initial analysis of the data coming from vendors.
As supply chains spread around the world, the potential risks extend far beyond what a simple security assessment of a vendor's security posture at onboarding can capture. This makes it difficult to assess your actual exposure to third-party disruptions caused by large-scale “macro events” such as COVID, wars and geopolitical unrest, fuel prices, natural disasters, and other regional disasters. As the industry has learned through the current pandemic, it has never been more important for companies to streamline the processes used to collect cybersecurity data from their providers. When it comes to third- and fourth-party networks, where visibility and control are reduced, risk factors within those organizations are often more difficult to monitor, evaluate, and mitigate as part of a TPRM program.
A core piece of your third-party risk management process goes far beyond simply assigning security ratings to your service providers. A successful TPRM solution grants you visibility into your third-party ecosystem and is organized around the following questions:
Ultimately, strengthening your organization, addressing gaps (understanding where the gaps are, implementing processes and protocols), and resolving third-party risk management issues will make your business stronger, helping you to sustain and grow.
Once you have decided to implement a TPRM program you have a number of important questions that will form the basis of your program. These questions include:
In order to effectively implement a third-party risk management program, organizations must focus on bringing together the right people, processes, and technologies. Understanding the balance and the requirements of each of these functions is critical to the successful operation of your program.
To address risk exposures in TPRM environments, you should enable organizational standards and language in the following areas:
It is important to note that in building relationships with both internal and external stakeholders, not all of the incentives have to be punitive or restrictive. Establishing requirements in the contract or service level agreement should include minimum performance standards but can also include “rewards” for compliance with critical risk management functions. Additionally, performing an analysis of the vendor’s requirements versus those of your organization can provide enormous dividends for both parties. By leveraging areas of existing compliance, it is possible to lower the costs for both parties to their mutual benefit.
The value of an effectively implemented TPRM solution is in achieving a critical risk management program that provides early warning and drives effective risk mitigation. Understanding the value of TPRM is only the first step in deciding to implement the program. The choices, resources, integration with existing business processes, and relationships require the support of the organization and the onboarding of existing third-party ecosystems. While it is a complex undertaking, the use of questionnaires, templates, tools, standards for SLAs, and automation can be invaluable to rapidly maturing your TPRM program.