Third-Party Risk Management: Heavy on Regulations, Light on Results

Third-party risk management efforts can deliver results. Make incremental progress toward improving third-party governance by taking these steps.
May 11, 2023
Logo supply demand chain executive

Editor's Note: This article, authored by Prevalent COO and CSO Brad Hibbert, was originally published on www.sdcexec.com.

Every day, news feeds are loaded with examples of third-party data breaches with serious financial impacts to companies and consumers alike. Inevitably, those breaches will catch the attention of government regulators, each offering up their own version of mandated best practices and controls to keep a breach like that from happening again (or at least, to minimize its impact).

Yet, despite the frequency of third-party breaches and all the regulatory “help” you could ever want, organizations still struggle to get control of third-party risk. Let’s examine why and how organizations can address third-party risk with meaningful results.

No shortage of regulations

Here are some of the most active industry, regional and non-IT regulatory regimes with specific provisions aimed at improving a company’s governance over third-party relationships.

Industry-level

The financial services and banking industry is a leader in requiring organizations to exercise governance over third-party relationships. Examples include regulations from the Office of the Comptroller of the Currency (OCC), Federal Financial Institutions Examination Council (FFIEC), UK Prudential Regulation Authority and Financial Conduct Authority (FCA) and the EU Baking Authority. There are even emerging requirements in this mature space aimed at harmonizing requirements; Interagency Guidance is an example of that.

Regional

Another layer of regulation is regional. Specific to organizations that do business in these geographies, the UK has the National Cyber Security Center (NCSC) third-party requirements. The EU has GDPR to govern third-party data governance. Singapore has the Monetary Authority and the Personal Data Protection Act (PDPA).

Non-IT

Despite third-party breaches dominating the headlines, regulators are taking aim at important issues such as how a company’s supply chain ecosystem impacts climate change, if they are susceptible to bribery and corruption and if they employ child labor. The UK Modern Slavery Act, German Supply Chain Due Diligence Act and EU Corporate Social Responsibility Directive (CSRD) all contain important provisions requiring regular such reporting and attestation.

5 reasons why organizations continue to struggle

Despite all the scrutiny, why do organizations struggle to get a handle on third-party risk? It comes down to 5 reasons.

1) It’s an organizational hot potato

Data from Prevalent’s 2022 TPRM Study showed that in 50% of organizations, IT security owns TPRM, whereas 22% of procurement teams own it. If there is no clear owner, how do you ensure all the risks are assessed and addressed?

2) Spreadsheets

The majority of organizations still use spreadsheets to assess their third parties – and that number continues to grow. How do you keep track of all those vendors in a spreadsheet, ask the right questions, record the answers and score them that way?

3) Every vendor is a snowflake

A one-size-fits-all approach rarely works with all vendors since they typically interact with different systems or sets of data, or supply services different in scope than others. Assessing vendors creates a burden on whoever owns TPRM. Without some standardization (for example against an industry-standard set of best practices principles), chaos reigns.

4) TPRM ebbs and flows in resourcing and priority, and it’s hard to measure results

Because TPRM is as much about process and people as it is about technology it’s hard to justify the budget to prioritize it. If you have a few vendor managers at least assessing the high priority vendors you’ve checked the box, right?

5) Remediations are rarely enforced

It’s hard enough to get vendors to complete a questionnaire and submit evidence, let alone do something about it. But here’s the catch… unless the vendor does something about their security or compliance gaps, that gap will be exposed to exploitation. Which leaves your organization open to exploit.

What to do about it

Here are four things to start doing immediately to make the process of third-party risk regulatory reporting more manageable:

  1. Start by baking third-party risk reviews, assessments and right-to-audit into your vendor contracts. Set SLAs for response and specific guidelines for evidence, attestation and reporting, otherwise you’ll be chasing your tail as the regulators breathe down your neck.
  2. Implement a single system that brings your internal teams together under one version of the truth, a single third-party database. This will enable you to centrally profile and tier third parties and set long-term risk reduction goals for your program.
  3. Create a standard assessment and continuous monitoring process to enable efficient comparison across vendors. Engage stakeholders such as procurement and legal to define the scope and cadence of assessments. A byproduct of this process will be a better response framework if your organization (or a third party) experiences a breach or other disruption.
  4. Get help on remediation. With an understanding of the scope of third-party risk and defined program volumes and goals, research technology providers and/or managed services to help meet your timelines and stated goals. Solutions like these can help get your TPRM efforts across the finish line and tie off any loose ends from a regulatory point of view.

Third-party risk management efforts can deliver results. Make incremental progress toward improving third-party governance by taking these steps. Your team will thank you, and the regulators will, well, they’ll still be regulators.