Are you ready for what's next? The 2022 TPRM Preparedness Toolkit will take your program to the next level!

The Third-Party Vendor Risk Management Lifecycle: A Definitive Guide

Your organization encounters distinct risks at each step of the vendor relationship, so it’s important to develop a TPRM program that can address the entire third-party lifecycle.
By:
Prevalent
September 29, 2021
Share:
Blog tprm lifecycle 0921

Understanding your organization's third-party risk management lifecycle is crucial to identifying and remediating vendor and supplier risks. However, it’s a common mistake to view third-party risk management (TPRM) as a one-time risk assessment and remediation initiative.

The fact is, your organization encounters distinct risks at each step of the vendor relationship, so it’s important to develop a TPRM program that can address the entire third-party lifecycle. This post covers the key stages of the third-party lifecycle and shares best practices for mitigating risk at each stage.

1. Vendor Sourcing and Selection

Vendor risk management starts with vendor selection. In many cases, multiple teams are involved in the vendor selection process – each with different priorities. For instance, engineering may focus on prospective vendor’s ability to meet specifications; procurement on their business viability; security on their controls for protecting sensitive systems and data; and compliance on reporting and audits.

In addition, vendors often provide inconsistent and/or contradictory answers on vendor risk assessment questionnaires. This can make it extremely difficult to accurately gauge the risk they pose to your organization. These issues can become particularly acute when organizations lack a single source of truth for vendor information.

Vendor Sourcing and Selection Best Practices

Use a Vendor Risk Management Database

Many organizations are still stuck using spreadsheets to correlate vendor risk assessment questionnaire answers with security controls, compliance, and other requirements. Consider using a vendor risk management database or a third-party risk management platform to speed selection, improve vendor risk identification, and maintain a single source of truth for vendor data.

Base Standardized Questionnaires on Profiled Risk

Each vendor has a different degree of profiled risk (i.e., risk related to the service they perform for your organization). A vendor dealing with personal identifiable information (PII) or protected health information (PHI) will have a dramatically higher risk profile than a plumbing company. Create standardized questionnaires for different vender tiers based on profiled risk. For companies with low profiled risk, a simple questionnaire may suffice, while companies that interact with your IT environment or sensitive data may need a more comprehensive questionnaire.

Incorporate ESG Into Your Vendor Selection Process

Environmental, social and governance (ESG) risk is becoming increasingly important for companies around the world. Both investors and consumers are beginning to expect that companies carefully consider the environmental, ethical and social costs associated with their third parties. Incorporating ESG risk from the beginning of the vendor risk management lifecycle alongside evaluations of security and data privacy controls can help you avoid companies with questionable track records regarding environmental destruction, modern slavery, and other ethically problematic business practices.

The Third-Party Risk Management Lifecycle

2. Intake and Onboarding

The process for onboarding vendors typically involves a manual or bulk upload of profile information. Connecting a pre-configured spreadsheet or API to an existing vendor management or procurement solution is a more efficient way to create a central repository of vendors. Leverage role-based access to enable different teams to populate vendor data and invite other employees to contribute.

Vendor Intake and Onboarding Best Practices

Create a Formal Approval Process

There should be a documented, formal approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.

Set and Communicate Realistic Onboarding Timeframes

Onboarding can be a long process. You need to provide vendors with credentials to access facilities or systems; ensure that they are able to perform their roles; and iron out payment terms and other processes. Make sure to set and realistic onboarding timeframes and clearly communicate them to both your vendors and internal departments.

Keep Compliance in Focus

Many organizations count on their initial third-party compliance assessment to ensure they are compliant throughout the vendor lifecycle. However, be sure to keep compliance requirements in mind as the contract matures. Scope creep is common, and vendors can sometimes be granted access to sensitive data and systems that weren’t accounted for in the early stages of the sourcing and selection process. Make sure that you fully understand where your data lives, and what your vendors have access to as part of the onboarding phase, and be sure to regularly review the vendor's access and adjust required security controls accordingly.

Automate Where Possible

Onboarding new vendors can be time consuming. Time constraints can become particularly acute when simultaneously onboarding multiple vendors. That’s why automation is key to a scalable third-party risk management program. For instance, you can automate questionnaire distribution and enable intake forms to be easily shared between team members.

3. Scoring Inherent Risk

Inherent risk scoring is a key part of the third-party risk management lifecycle. Not every vendor requires the same scrutiny. For example, an office supply vendor presents lower organizational risk than one providing critical parts or legal services. An organization located in a politically volatile location, with a history of breaches, or with poor credit history presents more risk and warrants increased due diligence.

To properly understand the risk posed by a vendor, you must be able to calculate inherent risk. This is the vendor’s risk level before accounting for any specific controls required by your organization. A comprehensive view of inherent risks provides a baseline and helps you decide what type of further due diligence is required. Once inherent risk is baselined, it is much more straightforward to calculate residual risk, or the risk level remaining after controls are applied.

Inherent risk can also inform vendor profiling, tiering, and categorization decisions. This accelerates risk assessments by ensuring vendors are assessed against the risks and standards that matter most to a business, its customers, and regulators or standards bodies.

Risk Scoring Best Practices

Map Your Vendor Risk Assessment to Compliance Requirements

Questionnaires should reflect any compliance requirements that your organization falls under. If your vendor has access to sensitive information such as PII, PHI or financial information, you need to ensure that you map your organization's compliance requirements to your vendor risk questionnaires. Below are some questions that should come up during the risk assessment:

  • Is the organization certified to any third-party information security standards or frameworks? (e.g., SOC2, NIST 800-53, NIST CSF, CMMC)
  • Does the organization fall under cybersecurity or information security compliance requirements? If so, which ones?
  • What policies and processes are in place for sharing customer data with third and fourth parties?

Don’t Go It Alone

Using a TPRM platform can dramatically speed up vendor risk assessments and allow you to quickly map questionnaire responses to compliance requirements. In addition, dedicated third-party risk management solutions like Prevalent offer built-in, customizable inherent risk questionnaires that can make it easy to seamlessly identify vendor risk.

Utilize Scoring to Normalize Results and Provide Actionable Insights

It’s important to understand the potential ramifications of a supplier’s failure to deliver products or services to your organization. Accordingly, you should leverage a scoring system to determine each supplier’s tier. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with protected data
  • Financial status and implications
  • Legal and regulatory obligations
  • Reputation
  • Geography (e.g., concentration risk)

Once you define supplier tiers, it should be easy to understand which suppliers are most critical. For example, you should be able to run a report on all suppliers that are US-based, handle personal data, and are top-tier.

Having vetted information earlier in the process and in an easily accessible location enables you to “right-size” due diligence initiatives, focus on vendors with the highest risk, and speed the overall process.

Navigating the Vendor Risk Lifecycle: Keys to Success

This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 15+ years of experience working with hundreds of customers.

Read Now
Feature navigating vendor risk lifecycle

4. Assessing Vendors & Remediating Risks

The level of risk posed by different third parties will vary according to their criticality to your business and other factors. Likewise, the criteria for each tier of third parties will also vary. For instance, the criteria for a parts vendor will be different from those used for evaluating cloud hosting services.

Organizations with immature TPRM programs may address different vendor tiers by creating individual, spreadsheet-based surveys for each new project; constantly “reinventing the wheel.” Responses to these surveys can differ in the level of detail and completeness, making it difficult to evaluate overall risk and required controls. Tracking open items that require remediation and ensuring that remediation controls are consistent and adequate can be difficult, putting unnecessary demands on scarce security, risk, and compliance resources.

Vendor Assessment & Remediation Best Practices

Leverage a Shared Library

Third-party risk management processes can be taxing for under-resourced teams. Data collection processes and vendor back-and-forth communications account for the largest share of time needed to reduce risk and complete assessment assurance. Compounding this issue is the ever-shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations. Achieving compliance and meeting vendor risk management requirements while maximizing your team’s skill sets is a balancing act, for sure.

To accommodate resource constraints, many organizations – especially those with a solid vendor tiering plan – choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges are self-fulfilling prophecies – the more vendors participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time spent collecting data.

Ensure Questionnaire Flexibility

Vendor risk questionnaires aren’t “one size fits all.” Utilizing a third-party risk management platform that has multiple options for questionnaires, as well as the ability to generate custom questionnaires, can make vendor assessments far simpler. Using a dedicated platform can reduce the manual labor behind vendor survey and response management by 50% and ensure that assessment questionnaires are appropriately matched to each vendor’s profiled risk.

Save Time with Built-In Remediation Guidance

Sometimes vendor assessments reveal concerning facts. It may be that the vendor in question has experienced a data breach, isn’t compliant with data privacy regulations, or lacks a formal cybersecurity program. Platforms that deliver built-in remediation guidance can provide straightforward templates for remediation requests, plus workflow and task management capabilities to facilitate and streamline the entire process.

Compliance Reporting Matters

In many cases you need to consider information security and data privacy compliance when working with vendors. When you are identifying your third-party risk management strategy, consider how different platforms handle compliance reporting. Utilizing a TPRM platform that includes automated compliance reporting for an array of national and international compliance requirements can dramatically simplify audits and reduce the risk of non-compliance.

5. Continuous Monitoring

Although periodic assessments are essential to understanding how vendors govern their information security and data privacy programs, a typical risk assessment can only provide a snapshot of your organization’s risk profile at a single point in time. This profile can change overnight as threats evolve, new breaches and business challenges are disclosed, or other adverse conditions arise. Constant monitoring of a third party’s cybersecurity practices is important. So too is gaining visibility into other types of business changes such as financial, reputational, compliance, and supply chain issues that can create business risk.

Unfortunately, this data is rarely available in a way that enables security and risk teams to be quickly notified, and it is often not integrated into a central register for decision making. Instead, many organizations rely on manual processes, disparate tools, vendor notifications, and news reports.

Third-Party Monitoring Best Practices

Don’t Forget Fourth and Nth Parties

It can be tempting to diligently monitor your third parties while forgetting about their third parties and Nth parties. If your vendor relies on other companies to fulfill contracts and run their business, then your organization may ultimately be impacted by any security exposures or operational issues affecting these other parties. During the risk assessment process, you should therefore identify any fourth parties that are critical to your third party’s success. Consider a scaled-back cyber and financial monitoring process for fourth parties based on their risk to your third party.

Consider Multiple Types of Cyber Risk

Identifying vulnerabilities in a vendor’s public-facing IT systems is only part of the continuous monitoring equation. It’s important to go beyond vulnerability scanning to reveal other indicators of cyber risk, including:

  • Dark web chatter – Recent, frequent mentions of a company on the Dark Web often correlate with more threat activity against the company, increasing the likelihood of attack. Attention on dark web markets may indicate the illicit sale of company assets or accounts, or fraud schemes.
  • Domain abuse/typosquatting – New domain registrations with typosquatting-style similarity to existing corporate domains are potential indications of domain abuse (such as phishing), defensive registration to prevent or mitigate domain abuse, or both.
  • Email security – Sender policy framework (SPF) policy configurations; domain keys identified mail (DKIM); and domain-based message authentication, reporting and conformance (DMARC).
  • Leaked credentials – Exposed credentials and emails indicate potential password or corporate email address reuse by company employees, raising the risk of credential stuffing attacks and targeting by threat actors.
  • Incidents – Security breach disclosures and validated cyber-attack reports signal when a company has likely experienced a recent cyber-attack, breach, or event that jeopardized the company’s information assets.
  • Infrastructure exposures – These include IT policy violations, abuse of company infrastructure, infections in company infrastructure, malware, misconfigurations, vulnerabilities, infected hosts, and unsupported software.
  • Web application security – SSL/TLS certificates and configurations.

Don’t Stop at Cyber Risk

Many companies focus on cyber risk because it is usually easily quantifiable and straightforward to address. However, cyber risk monitoring should be complemented by business, financial, and reputational monitoring. When building out your third-party monitoring program, be sure to account for these other types of risk. Some questions to consider:

  • Is this vendor financially healthy? Do they have a significant possibility of going bankrupt or experiencing other financial disruptions in the foreseeable future?
  • Does this vendor engage in ethical business practices?
  • Does this vendor abide by applicable laws and regulations?

Free Business & Financial Risk Monitoring for 20 Vendors

Get complimentary access to business and financial risk intelligence on 20 vendors with Prevalent Vendor Threat Monitor (VTM). This is a free product with no time limit and no credit card required!

Get Started
Feature vtm business risk monitoring 4

6. Managing Ongoing Performance and SLAs

Managing risk is a continuous process. Even reliable partners can experience disruptions, and incentives to implement promised controls can wane once an agreement is signed. This changing risk environment requires not only continuous external risk monitoring, but also ongoing visibility into vendor performance obligations.

Some vendors may require scrutiny to ensure remediation commitments are met, and all should be measured against their service level agreements (SLAs). Trying to manage this with spreadsheets or other manual methods can increase the likelihood of missed SLAs and associated business disruptions.

Vendor Management Best Practices

Regularly Assess Vendor Performance

It can be tempting to take a one-and-done approach to assessing vendors. However, this can lead to bad work outcomes and failed business relationships. Performing periodic assessments to ensure that vendors meet their SLAs and other contractual obligations can help catch any issues early.

Define the Right KPIs and KRIs

Defining the right key performance indicators and key risk indicators is critical to effectively evaluating vendor performance. KPIs can help you ensure that contractual obligations are fulfilled and business objectives are met throughout the contract lifecycle. KRIs can inform your understanding risks posed by vendors from onboarding to offboarding.

7. Termination and Offboarding

Risk can persist after vendor relationships end. An offboarded vendor holding sensitive data must return and/or securely destroy that data; access to internal systems needs to be terminated; and support obligations may outlive a purchase agreement. However, in a recent study, Prevalent found that 60 percent of companies are not actively assessing third-party risks during onboarding. This presents business, security, and IP exposures that are often overlooked.

Vendor Offboarding Best Practices

Don’t Assume Data Has Been Deleted

It’s common to assume that third parties will delete sensitive customer data and other information upon termination of their contracts. However, this is not always the case. Take the time to reach out to your third parties and ensure that any sensitive information has been erased. It is worth getting this in writing to ensure that there is an audit trail in the case of future incidents.

Confirm that Access to Physical and IT Infrastructure Is Revoked

Once you’ve offboarded a vendor, it’s important to validate that your IT and facilities teams correctly deprovision contractor employees. Take the time to confirm that all access to buildings has been revoked and that all cloud and IT environment permissions are removed. Even if your vendor accidentally retains access, a future breach can result in your company being exposed as well. Implementing workflow-based checklists in a central TPRM platform can help ensure a secure offboarding process.

Perform a Thorough Contract Review

Once a vendor completes their work for your organization, thoroughly review the contract and ensure that all deliverables have been met. Don’t just assume that all milestones and KPIs have been met.

Run a Final Compliance Report

It’s no secret that vendor responsibilities and access can change throughout the vendor lifecycle. Take the time to thoroughly review what systems and data your vendor has accessed. Consider the following questions:

  • Were the vendor's cybersecurity controls adequate to meet your compliance requirements throughout the vendor lifecycle?
  • Was the vendor ever granted elevated permissions or access that were unnecessary to perform their job during the contract?
  • Was the vendor responsible for any security incidents during the contract?
  • Did the vendor put you at risk of being found non-compliant with one or more regulations during the contract?

Asking these questions can help ensure that you maintained compliance with applicable requirements. It can also provide valuable insight into how you can more effectively manage vendor compliance.

Next Steps for Navigating the Vendor Lifecycle

Third-party risk management can be difficult. There are dozens of moving parts across multiple departments, and it can be challenging to coordinate third-party risk assessments, ensure compliance requirements are met, and satisfy different siloed departments. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best-practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.

Tags:
Prevalent
Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties. Our customers benefit from a flexible, hybrid approach to TPRM, working closely with each customer to tailor a solution that not only fits their unique needs, but also delivers a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo