Third-Party Risk Management: The Definitive Guide

The coronavirus pandemic coupled with geopolitical crises and increasing cybersecurity threats has caused organizations to rapidly implement TPRM programs to manage the risks posed by third parties. In a recent survey conducted by KPMG, 85% of participating third-party risk management executives identified TPRM as a strategic priority for their organizations. According to the KPMG white paper, the TPRM executives were focused on using their TPRM programs to manage cyber security risks, enable data governance, and manage privacy requirements while improving cost efficiency.

Additionally, organizations that are able to rapidly mature their TPRM capabilities are realizing significant competitive advantages. Organizations with mature TPRM programs have a much lower chance of negatively impacting their reputations and customers while managing global, regional, and organizational disruptions. Preventing mistakes or misconfigurations in your extended supply chain from impacting your ability to serve customers is likely a critical function for your organization. A TPRM program enables your organization to effectively identify, mitigate, and/or accept those risks. In short, a properly configured TPRM program that uses effective processes can prevent unwanted surprises that negatively impact your organization.

Definition of Third-Party Risk Management

TPRM involves a comprehensive analysis of the risks arising from relationships with third-party providers such as vendors, suppliers, contractors and other business partners. By conducting due diligence on the risks posed third parties, your organization can proactively reduce risks that could disrupt its ability to serve its customers and other stakeholders. In today's complex business environment, risks can be multi-dimensional and go beyond simple buyer-seller relationships to include a broad spectrum of risks such as the financial situation of a company, cybersecurity challenges, disruptions in critical supply items, labor disruptions, political instability, and regional conflicts. All of these risks (and others) may have financial, legal and operational impacts on your organization. The critical function that TPRM provides for your organization is it allows you the luxury of planning your response rather than simply trying to react on an emergent basis.

The value of TPRM begins with the process of identifying risks and extends throughout the entire lifecycle of the relationships between your organization and your vendors. The TPRM lifecycle includes:

1. Sourcing and Selection - This phase includes evaluations of each potential vendor's ability to meet service or solution requirements, as well as scoring of baseline security, privacy, reputational, and financial risks. This can be accomplished by conducting questionnaire-based assessments, accessing vendor intelligence databases, or a combination of both.
2. Intake and Onboarding - Once vendors are selected, they are onboarded into a central repository via manual or bulk upload. This can be accomplished through intake forms completed by internal stakeholders, by spreadsheet imports, or through an API to an existing vendor management or procurement solution.
3. Inherent Risk Scoring - Inherent risk is a vendor's risk level before accounting for any specific controls required by your organization. It is best practice to score a vendor's inherent risk with a simple assessment before giving them access to your systems and data. This also enables you to determine the level of due diligence they require and the frequency and scope of subsequent risk assessments.
4. Internal Controls Assessment - Controls assessments can be used both during initial due diligence and periodically to satisfy audit requirements. Risks identified during the assessment process are usually scored according to impact, likelihood, and other factors. Results can also be mapped to key requirements in other compliance and security frameworks, such as ISO, NIST, or SOC 2.
5. External Risk Monitoring - By tapping into external sources of continuous third-party intelligence, you can cover gaps between periodic assessments and validate assessment responses against external observations. Risk monitoring can include cyber intelligence, business updates, financial reports, media screening, global sanctions lists, state-owner enterprise screening, politically-exposed persons screening, breach event notifications, and more.
6. SLA and Performance Management - Assessments and monitoring can be used to determine whether vendors are meeting their obligations throughout the business relationship. For instance, this can include evaluations of their ability to deliver against SLAs, apply remediations, or meet compliance requirements.
7. Offboarding and Termination - During this phase, assessments are used to ensure that all final obligations have been met. This can include contract reviews, settling outstanding invoices, removing access to systems and data, revoke building access, and reviewing privacy and security compliance.

When planning your TPRM approach, keep in mind that the circumstances of the parties may change at any point during the engagement. Detecting and managing those changes is critical to the success of your organization. Vendors may have a change in business operations, their supply chain for key materials may be disrupted, or regional bodies may change import/export requirements. For example, laws regarding data privacy are changing rapidly all over the world. All of these conditions are happening today and those companies that effectively implemented a TPRM process are thriving, while others are falling behind.

Given the rapid pace of change, there is a corollary need for organizations to monitor and perform an initial analysis of the available information in near real-time in order to identify and manage their risk. This requirement mandates that some of the processes automate the collection and dissemination of information about third-party vendors. The use of effective automation enables your TPRM office to identify risks and drive remediation before your organization suffers reputational risks.

Third-Party Risk Management Program Drivers

A number of regulatory and compliance requirements mandate the management of third-party risk and can provide an effective framework for mitigating vendor risk. Regulatory requirements that drive TPRM programs cover a broad spectrum of markets, vendors, and data and are often driven by the type of organization (e.g., regulations and guidelines from CMMC, EBA, FCA, FFIEC, HIPAA, NERC, NIST, NYDFS, OCC and others), the location of your organization (e.g., privacy, state charter requirements), or your customers’ location (e.g., GDPR, CCPA). The key point to understand regarding these requirements is to ensure that your program accounts for what data your organization is liable to protect, where your customers typically reside, and standard requirements that your vendors must meet to deliver their services. These requirements must be included in your agreements that are extended to your vendors that work with the covered data.

Implementation of TPRM programs by organizations is driven by:

• Compliance with regulatory requirements
• Cybersecurity risk
• Competitive advantages of an effective TPRM program
• Internal purchasing/efficiency drivers
• Managing internal financial and operational risk
• Meeting customer requirements

Regardless of your organization's specific driver for establishing a TPRM program, it is critical to identify and work with all of the internal stakeholders such as executives, boards, procurement, internal audit, finance, IT, information security, legal, and compliance in establishing your workflows.

When considering the implementation of a TPRM program, it is critical to ensure that all of the impacted internal and external stakeholders are included in establishing the program. Inclusion of the stakeholders ensures that all of the people, processes, and technologies are aligned to produce an effective program. At a minimum, consider the following as internal stakeholders:

• Executives (CEO, CFO, CIO, COO, CISO, etc.)
• General counsel
• Board members
• Internal auditors

There may be other internal stakeholders depending upon the type, function, and operations of your organization.

External stakeholders form another critical constituency for consideration in the development of your program. External stakeholders at a minimum include:

• Vendors
• Regulators
• Customers

Since TPRM programs seldom start at the inception of a company, it is important to consider the existing agreements/programs that are already in force with the external vendors and ensure that they are thoroughly analyzed against the proposed TPRM program. Ensure that any discrepancies are recorded and that a plan to address any unmitigated risks is created and tracked to completion.

Regulatory TPRM Risk Management Drivers

Regulatory standards are a primary driver for TPRM programs. Regulatory programs are specific to:

• Healthcare
• Contracting for the federal government
• Credit card acceptance
• Financial services
• Banking
• Manufacturing

All of these require the implementation of a full lifecycle process for TPRM. These requirements are typically driven by the type of sensitive data collected in the standard course of business.

A primary example of this kind of regulatory-driven risk management is an important part of the industry-standard PCI-DSS which defines third-party providers and requires that providers do not transmit cardholders "data on behalf of customers or organizations to providers that may compromise the security of their data and environment.” This means that while companies are obliged to work on the required cybersecurity program for themselves, they are still required to monitor vendors' cybersecurity programs with access to sensitive data, even if they keep the risk below a certain threshold.

Another example is federal programs and contracting that require strict security management of all vendors with access to the information. This process goes far beyond simple questionnaires and exchanging documentation but may also include scanning of internal environments and legal representations by executives regarding the data protection in place. The complexity of the third parties involved, the potential for conflicts of interest, and financial losses are driving companies to continuously improve their risk management practices and risk mitigation strategies.

Traditionally, TPRM was executed by internal personnel or by outsourcing to consultants who followed a thoroughly scripted process to gather, analyze, and report on the information. Specifically, organizations that have previously used personnel to help with the assessment process may need to rethink their approach as the current pandemic has limited travel and significantly limited real-time information gathering. This prevents on-the-spot assessment from being a viable option and completely upends the traditional approach to third-party risk assessment, which typically leverages in-person visits to monitor the results provided by questionnaires. Coupling current conditions with rapidly increasing risk complexity and reach of supply chains today, this simply isn’t feasible to accomplish using traditionally successful processes. Success at TPRM requires increasing use of automation and tools designed to perform the collection and initial analysis of the data coming from vendors.

What Is the Value of TPRM?

As supply chains spread around the world, the potential risks increase far beyond performing simple security assessments to clearly identify the security posture when onboarding new vendors. This may cause difficulty assessing your actual exposure to third-party disruptions due to large-scale “macro events” such as COVID, wars and geopolitical unrest, fuel prices, natural disasters, and other regional disasters. As the industry has learned through the current pandemic, it has never been more important for companies to streamline the processes used to collect cybersecurity data from their providers. When it comes to third- and fourth-party networks, where visibility and control are reduced, risk factors within those organizations are often more difficult to monitor, evaluate, and mitigate as part of a TPRM.

A core piece of your third-party risk management process goes far beyond simply assigning security ratings to your service providers. A successful TPRM management solution grants you visibility into your third-party ecosystem and is organized around the following questions:

• Can you identify who could be affected and what services the third party provides to keep your data secure?
• Can you ascertain which third parties provide services to the organization and keep their data secure?

Ultimately, strengthening your organization, addressing gaps (understanding where the gaps are, implementing processes and protocols), and resolving third-party risk management issues will make your business stronger, helping you to sustain and grow.

Implementing Your TPRM Program

Once you have decided to implement a TPRM program you have a number of important questions that will form the basis of your program. These questions include:

• Do you hire a partner to help you start and implement the program?
• How do you manage the expectations of your internal stakeholders?
• Do you need to assign responsibilities in the event of a data breach?
• What are the exact requirements third parties have to meet in order to do business?
• Do the external stakeholders understand the requirements and have the ability to implement them?
• Will the imposition of these requirements change the financial relationship with the vendors?
• How do you roll this program out into existing relationships?

In order to effectively implement a third-party risk management program, organizations must focus on bringing together the right people, processes, and technologies. Understanding the balance and the requirements of each of these functions is critical to the successful operation of your program.

To address risk exposures in TPRM environments, you should enable organizational standards and language in the following areas:

• Set up requirements in the contract and service level agreements to address risk-related commitments
• Analyze the vendor risk profile with the risk profile of the engagement or the service provided
• Enable a reporting process that is driven by dynamic monitoring and risk assessment based on events
• Mix the use of periodic risk assessments (self-reported) and continuous risk monitoring (externally reported) approaches for holistic risk identification
• Implement technology solutions to integrate procurement, performance, and risk management on a unified platform that provides stakeholders updated information on demand to meet their specific needs.

It is important to note that in building relationships with both internal and external stakeholders, not all of the incentives have to be punitive or restrictive. Establishing requirements in the contract or service level agreement should include minimum performance standards but can also include “rewards” for compliance with critical risk management functions. Additionally, performing an analysis of the vendor’s requirements versus those of your organization can provide enormous dividends for both parties. By leveraging areas of existing compliance, it is possible to lower the costs for both parties to their mutual benefit.

The value of an effectively implemented TPRM solution is in achieving a critical risk management program that provides early warning and drives effective risk mitigation. Understanding the value of TPRM is only the first step in deciding to implement the program. The choices, resources, integration with existing business processes, and relationships require the support of the organization and the onboarding of existing third-party ecosystems. While it is a complex undertaking, the use of questionnaires, templates, tools, standards for SLAs, and automation can be invaluable to rapidly maturing your TPRM program.

Next Steps

Wondering how to get started? Check out our free best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage. Want to benchmark your existing TPRM practices and get a roadmap to program maturity? Request a free TPRM Program Maturity Assessment. Interested in whether our third-party risk management solutions and services may be a fit for your organization? Request a demo.