Understanding your organization's third-party risk management lifecycle is crucial to identifying and remediating vendor and supplier risks. However, it’s a common mistake to view third-party risk management (TPRM) as a one-time risk assessment and remediation initiative.
The fact is, your organization encounters distinct risks at each step of the vendor relationship, so it’s important to develop a TPRM program that can address the entire third-party lifecycle. A programmatic process is the fastest path to stopping the pain of third-party risk management, making informed risk-based decisions, and adapting and growing your program over time. This post covers the key stages of the third-party lifecycle and shares best practices for mitigating risk at each stage.
Vendor risk management starts with vendor selection, often involving multiple teams with varied priorities. For example, engineering prioritizes a vendor's technical capabilities, procurement focuses on business stability, security evaluates data protection controls, and compliance checks for reporting and auditing.
In addition, vendors often provide inconsistent and/or contradictory answers on vendor risk assessment questionnaires. This can make it extremely difficult to accurately gauge the risk they pose to your organization. These issues can become particularly acute when organizations lack a single source of truth for vendor information.
Use a Vendor Risk Management Database
Many organizations are still stuck using spreadsheets to correlate vendor risk assessment questionnaire answers with security controls, compliance, and other requirements. Consider using a vendor risk management database or a third-party risk management platform to speed selection, improve vendor risk identification, and maintain a single source of truth for vendor data.
Base Standardized Questionnaires on Profiled Risk
Each vendor has a different degree of profiled risk (i.e., risk related to the service they perform for your organization). A vendor dealing with personally identifiable information (PII) or protected health information (PHI) will have a dramatically higher risk profile than a plumbing company. Create standardized questionnaires for different vendor tiers based on profiled risk. For companies with low profiled risk, a simple questionnaire may suffice, while companies that interact with your IT environment or sensitive data may need a more comprehensive questionnaire.
Incorporate ESG Into Your Vendor Selection Process
Environmental, social, and governance (ESG) risk is becoming increasingly important for companies around the world. Both investors and consumers are beginning to expect that companies carefully consider the environmental, ethical, and social costs associated with their third parties. Incorporating ESG risk from the beginning of the vendor risk management lifecycle alongside evaluations of security and data privacy controls can help you avoid companies with questionable track records regarding environmental destruction, modern slavery, and other ethically problematic business practices.
The process for onboarding vendors typically involves a manual or bulk upload of profile information. Connecting a pre-configured spreadsheet or API to an existing vendor management or procurement solution is a more efficient way to create a central repository of vendors. Leverage role-based access to enable different teams to populate vendor data and invite other employees to contribute.
Create a Formal Approval Process
There should be a documented, formal approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.
Set and Communicate Realistic Onboarding Timeframes
Onboarding can be a long process. You need to provide vendors with credentials to access facilities or systems; ensure that they are able to perform their roles; and iron out payment terms and other processes. Make sure to set realistic onboarding timeframes and communicate them to both your vendors and internal departments.
Keep Compliance in Focus
Many organizations rely on their initial assessment of third-party compliance to maintain compliance throughout the vendor lifecycle. However, it's crucial to continuously consider compliance requirements as the contract evolves. Scope creep often occurs, leading to vendors gaining access to sensitive data and systems not initially considered during the sourcing and selection phases. Ensure you fully understand the location of your data and the extent of your vendors' access during the onboarding phase. Regularly review and adjust the vendors' access and the necessary security controls as needed.
Automate Where Possible
Onboarding new vendors can be time-consuming. Time constraints can become particularly acute when simultaneously onboarding multiple vendors. That’s why automation is key to a scalable third-party risk management program. For instance, you can automate the distribution of questionnaires and make it easy for team members to share intake forms.
Inherent risk scoring is a key part of the third-party risk management lifecycle. Not every vendor requires the same scrutiny. For example, an office supply vendor presents lower organizational risk than one providing critical parts or legal services. An organization located in a politically volatile location, with a history of breaches, or with a poor credit history presents more risk and warrants increased due diligence.
To properly understand the risk posed by a vendor, you must be able to calculate inherent risk. This is the vendor’s risk level before accounting for any specific controls required by your organization. Gaining a comprehensive view of inherent risks sets a baseline and guides your decisions on the necessary due diligence. After establishing this baseline for inherent risk, calculating the residual risk—the risk remaining after applying controls—becomes much simpler.
Inherent risk also plays a crucial role in decisions regarding vendor profiling, tiering, and categorization. By aligning vendor assessments with the risks and standards most relevant to a business, its customers, and regulatory bodies, this approach speeds up risk assessments.
Map Your Vendor Risk Assessment to Compliance Requirements
Questionnaires should reflect any compliance requirements that your organization falls under. If your vendor has access to sensitive information such as PII, PHI or financial information, you need to ensure that you map your organization's compliance requirements to your vendor risk questionnaires. Below are some questions that should come up during the risk assessment:
Don’t Go It Alone
Using a TPRM platform can dramatically speed up vendor risk assessments and allow you to quickly map questionnaire responses to compliance requirements. In addition, dedicated third-party risk management solutions like Prevalent offer built-in, customizable inherent risk questionnaires that can make it easy to seamlessly identify vendor risk.
Utilize Scoring to Normalize Results and Provide Actionable Insights
It’s important to understand the potential ramifications of a supplier’s failure to deliver products or services to your organization. Accordingly, you should leverage a scoring system to determine each supplier’s tier. This could include the following criteria:
Once you define supplier tiers, it should be easy to understand which suppliers are most critical. For example, you should be able to run a report on all suppliers that are US-based, handle personal data, and are top-tier.
Having vetted information earlier in the process and in an easily accessible location enables you to “right-size” due diligence initiatives, focus on vendors with the highest risk, and speed the overall process.
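The scoring flow described above (an inherent-risk baseline, tiering from that baseline, residual risk once controls are accounted for, and the "US-based, handles personal data, top-tier" report) as an added, runnable illustration; this is not code from the original post or from any TPRM product. The factor weights, tier thresholds, vendor records and control-effectiveness values are all assumed or constructed.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    country: str
    handles_pii: bool             # personally identifiable information
    handles_phi: bool             # protected health information
    it_access: bool               # connects to our IT environment
    critical: bool                # supplies critical parts or services
    prior_breaches: int           # known breach history
    control_effectiveness: float  # 0.0-1.0, from the assessed controls

# Assumed factor weights; tune these to your organization's risk appetite.
WEIGHTS = {"handles_pii": 25, "handles_phi": 30, "it_access": 20,
           "critical": 15, "breach": 10}
TIER_1_MIN, TIER_2_MIN = 50, 25   # assumed tier thresholds

def inherent_risk(v: Vendor) -> int:
    """Risk before any controls required by our organization are applied (0-100)."""
    score = sum(WEIGHTS[f] for f in ("handles_pii", "handles_phi", "it_access", "critical")
                if getattr(v, f))
    score += min(v.prior_breaches, 2) * WEIGHTS["breach"]  # cap the breach-history term
    return min(score, 100)

def tier(v: Vendor) -> int:
    """Tier 1 gets the comprehensive questionnaire and the most due diligence."""
    s = inherent_risk(v)
    return 1 if s >= TIER_1_MIN else 2 if s >= TIER_2_MIN else 3

def residual_risk(v: Vendor) -> float:
    """Risk remaining after the vendor's assessed controls are taken into account."""
    return round(inherent_risk(v) * (1 - v.control_effectiveness), 1)

def top_tier_personal_data(vendors, country="US"):
    """The report from the text: in-country, handles personal data, and top tier."""
    return [v.name for v in vendors
            if v.country == country and (v.handles_pii or v.handles_phi) and tier(v) == 1]

# Constructed sample vendors; these are not real companies.
VENDORS = [
    Vendor("Acme Payroll", "US", True, False, True, True, 1, 0.7),
    Vendor("Pipes & Drains", "US", False, False, False, False, 0, 0.0),
    Vendor("Euro Health Analytics", "DE", True, True, False, False, 0, 0.5),
    Vendor("Cloud Host LLC", "US", False, False, True, True, 3, 0.8),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:24} inherent={inherent_risk(v):3} tier={tier(v)} "
              f"residual={residual_risk(v)}")
    print("US, personal data, tier 1:", top_tier_personal_data(VENDORS))
```

Note that the ordering changes between the two scores: the DE health-analytics vendor has a lower inherent score than the payroll vendor but a higher residual score, which is why the baseline and the post-control figure are both needed.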
The level of risk posed by different third parties will vary according to their criticality to your business and other factors. Likewise, the criteria for each tier of third parties will also vary. For instance, the criteria for a parts vendor will be different from those used for evaluating cloud hosting services.
Organizations with immature TPRM programs may address different vendor tiers by creating individual, spreadsheet-based surveys for each new project, constantly "reinventing the wheel." Responses to these surveys can differ in the level of detail and completeness, making it difficult to evaluate overall risk and required controls. Tracking open items that require remediation and ensuring that remediation controls are consistent and adequate can be difficult, putting unnecessary demands on scarce security, risk, and compliance resources.
Leverage a Shared Library
Third-party risk management processes can be taxing for under-resourced teams. Data collection processes and vendor back-and-forth communications account for the largest share of time needed to reduce risk and complete assessment assurance. Compounding this issue is the ever-shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations. Achieving compliance and meeting vendor risk management requirements while maximizing your team’s skill sets is a balancing act, for sure.
To accommodate resource constraints, many organizations, especially those with a solid vendor tiering plan, choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges benefit from a network effect: the more vendors participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time spent collecting data.
Ensure Questionnaire Flexibility
Vendor risk questionnaires aren’t “one size fits all.” Utilizing a third-party risk management platform that has multiple options for questionnaires, as well as the ability to generate custom questionnaires, can make vendor assessments far simpler. Using a dedicated platform can reduce the manual labor behind vendor survey and response management by 50% and ensure that assessment questionnaires are appropriately matched to each vendor’s profiled risk.
Save Time with Built-In Remediation Guidance
Sometimes vendor assessments reveal concerning facts. It may be that the vendor in question has experienced a data breach, isn’t compliant with data privacy regulations, or lacks a formal cybersecurity program. Platforms that deliver built-in remediation guidance can provide straightforward templates for remediation requests, plus workflow and task management capabilities to facilitate and streamline the entire process.
Compliance Reporting Matters
In many cases, you need to consider information security and data privacy compliance when working with vendors. When you are identifying your third-party risk management strategy, consider how different platforms handle compliance reporting. Utilizing a TPRM platform that includes automated compliance reporting for an array of national and international compliance requirements can dramatically simplify audits and reduce the risk of non-compliance.
Scale Reporting with AI Capabilities
Be sure to consider the value that AI introduces to risk analysis and reporting. Although artificial intelligence isn’t a new concept, the recent mainstream introduction of generative AI technologies enables organizations to solve business problems at an unprecedented scale. Conversational AIs trained on billions of events and years of experience can deliver expert risk management insights in the context of industry guidelines such as NIST, ISO, SOC 2, and others.
Although periodic assessments are essential to understanding how vendors govern their information security and data privacy programs, a typical risk assessment can only provide a snapshot of your organization’s risk profile at a single point in time. This profile can rapidly change as threats evolve, new breaches occur, and business challenges emerge.
Constant monitoring of a third party’s cybersecurity practices is important. So too is gaining visibility into other types of business changes such as financial, reputational, compliance, and supply chain issues that can create business risk.
Unfortunately, organizations rarely have access to this data in a way that enables security and risk teams to be quickly notified, and it often remains unincorporated into a central register for decision-making. Instead, many organizations rely on manual processes, disparate tools, vendor notifications, and news reports.
Don’t Forget Fourth and Nth Parties
It can be tempting to diligently monitor your third parties while forgetting about their third parties (your fourth parties) and the Nth parties beyond them. If your vendor relies on other companies to fulfill contracts and run their business, these other parties' security exposures or operational issues may ultimately affect your organization.
Therefore, during the risk assessment process, you should identify any fourth parties critical to your third party's success. Based on their risk to your third party, consider implementing a scaled-back cyber and financial monitoring process for these fourth parties.
Consider Multiple Types of Cyber Risk
Identifying vulnerabilities in a vendor’s public-facing IT systems is only part of the continuous monitoring equation. It’s important to go beyond vulnerability scanning to reveal other indicators of cyber risk, including:
Don’t Stop at Cyber Risk
Many companies focus on cyber risk because it is usually easily quantifiable and straightforward to address. However, cyber risk monitoring should be complemented by operational, financial, and reputational monitoring. When building out your third-party monitoring program, be sure to account for these other types of risk. Some questions to consider:
Managing risk is a continuous process. Even reliable partners can experience disruptions, and incentives to implement promised controls can wane once an agreement is signed. This changing risk environment requires not only continuous external risk monitoring, but also ongoing visibility into vendor performance obligations.
Some vendors may require scrutiny to ensure remediation commitments are met, and all should be measured against their service level agreements (SLAs). Trying to manage this with spreadsheets or other manual methods can increase the likelihood of missed SLAs and associated business disruptions.
Regularly Assess Vendor Performance
It can be tempting to take a one-and-done approach to assessing vendors. However, this can lead to bad work outcomes and failed business relationships. Performing periodic assessments to ensure that vendors meet their SLAs and other contractual obligations can help catch any issues early.
Define the Right KPIs and KRIs
Defining the right key performance indicators and key risk indicators is critical to effectively evaluating vendor performance. KPIs help ensure that contractual obligations are fulfilled and business objectives are met throughout the contract lifecycle. KRIs can inform your understanding of risks posed by vendors from onboarding to offboarding.
Risk can persist after vendor relationships end. An offboarded vendor holding sensitive data must return and/or securely destroy that data; access to internal systems needs to be terminated; and support obligations may outlive a purchase agreement. However, Prevalent research found that 39 percent of companies neither track nor remediate third-party risks during offboarding. This presents ongoing business, security, and IP risks.
Don’t Assume Data Has Been Deleted
It’s common to assume that third parties will delete sensitive customer data and other information upon termination of their contracts. However, this is not always the case. Take the time to reach out to your third parties and ensure that any sensitive information has been erased. It is worth getting this in writing to ensure that there is an audit trail in the case of future incidents.
Confirm that Access to Physical and IT Infrastructure Is Revoked
Once you offboard a vendor, ensure your IT and facilities teams have correctly de-provisioned contractor employees. Confirm that they have revoked all building access and removed all permissions from cloud and IT environments. If a vendor accidentally retains access, your company could be exposed to a future breach. Implementing workflow-based checklists in a central TPRM platform can help ensure a secure offboarding process.
Perform a Thorough Contract Review
Once a vendor completes their work for your organization, review the contract thoroughly to ensure they have met all deliverables. Do not assume they have achieved all milestones and KPIs.
It’s no secret that vendor responsibilities and access can change throughout the vendor lifecycle. Take the time to thoroughly review what systems and data your vendor has accessed. Consider the following questions:
Asking these questions can help ensure that you maintain compliance with applicable requirements. It can also provide valuable insight into how you can more effectively manage vendor compliance.
Third-party risk management can be difficult. There are dozens of moving parts across multiple departments, and it can be challenging to coordinate third-party risk assessments, ensure compliance requirements are met, and satisfy different siloed departments. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.