Third-party risk management (TPRM) is essential not only to comply with regulations but to also to protect your brand from an adverse event. An organization must document, control, and protect information throughout its lifecycle, making a TPRM program a high priority for organizations.
The process of standing up or enhancing a TPRM program requires the creation of comprehensive workflows, assessment techniques, risk mitigation guidelines, and input from a broad range of stakeholders. Each phase of a TPRM program (onboarding, assessment, risk monitoring, and offboarding) requires tailoring best practices to the realities of your organization.
If you are looking for ways to improve your third-party risk management (TPRM) program or tips for developing a new program, we have identified four important points that are often overlooked. These points can help reduce friction with TPRM stakeholders, streamline the efforts of TPRM practitioners, and ultimately deliver greater value through actionable results.
1 – Define Your TPRM Lifecycle
Regardless of where you are in the TPRM program implementation process, there are several benefits to clearly defining stages or phases of your TPRM lifecycle. These phases should capture the lifecycle from initial review and onboarding, all the way through offboarding activities. Regardless of how you define these various stages, having a vendor progress through them allows you to adequately track and report on the metrics of your TPRM program. This allows for more accurate reporting on how quickly, or slowly, vendors progress through the various phases of the lifecycle and will identify any bottlenecks. Also, a clearly defined lifecycle will make the selection and implementation of a supporting TPRM technology much more efficient. This would include the implementation of automated workflows that help ensure stakeholders are engaged at the appropriate stages throughout the lifecycle. Lastly, the TPRM lifecycle should be formalized in your policies and procedures to avoid misunderstandings by your stakeholders.
2 – Engage Third-Party Relationship Managers Early and Often
The ultimate goal of any TPRM program should be to identify and mitigate the risks that a service provider introduces to your organization. TPRM often becomes an exercise performed by a dedicated security team that executes assessments in a vacuum without the proper support from the business. However, business unit owners, as the owners of the third-party relationships, should therefore have a significant stake in reducing these risks.
While the independence of the team performing the assessments is key, buy-in from the business owner is a must for ensuring support with the assessment activities. If business stakeholders are viewed as partners in this process, they can assist by establishing expectations with the third party and give you the information needed to complete the assessment (see point #3 below). Preserving a timely kickoff and completion allows for new third party reviews to be streamlined and removes bottlenecks in the overall vendor approval and onboarding processes. When the contract owner is reinforcing the importance of the assessment activities, and helping to drive risk remediation efforts, third parties are much more likely to accommodate the burden that these reviews can cause.
Periodic checkpoints increase the accountability on the TPRM team in delivering an acceptable level of service to their business stakeholders. With an engaged business owner, any issue impacting the assessment completion can be discussed with a stakeholder who is primed with the necessary background information and can determine appropriate next steps. Simply escalating an unresponsive third party to a business contact is not enough. By that time, assessment timelines are likely already missed and overall TPRM program operations delayed. Forging a strong relationship also pays dividends during remediation discussions and increases the likelihood you can demonstrate the business value of TPRM.
3 – Spend Time Scoping the Third-Party Services Prior to Performing a Risk Assessment
Without a proper upfront scoping of the products and services a third party provides your organization, there is a risk that assessments may be too broad or too narrow. The results of your assessments may yield irrelevant data, or not adequately identify relevant risks. Larger service providers tend to offer a broad array of services and products. Many large cloud service providers may offer several individual products and services to your organization. However, these products and services may only operate within a fraction of their overall environment and be hosted in a particular geography that wouldn’t apply to the services they provide to other customers. The TPRM assessment kickoff should include a clear scope of the products and services covered by the assessment. This will ensure that the vendor provides an accurate description of the security practices that impact your organization, while leaving out the extraneous details.
Without this clarity, certain risks may be identified and considered, and additional discussions will be had regarding risks that do not even apply to your environment. While a vendor should be aware of the scope of services they provide to you, they are most likely fielding countless such requests from other customers, and may be overly broad in their responses since your objectives are not clear to them. This is another area where the engagement of the business owner is critical to gathering the necessary information about the services a vendor provides. A business owner can articulate exactly how your organization uses this vendor in a way that simply reviewing a contract cannot. A hidden benefit may also be the identification of redundant third parties that your business users had not identified through the course or normal operations.
4 – Translate Third-Party Risk to Business Risk
Typical TPRM assessment questionnaires or techniques are very good at identifying gaps in security and privacy practices, but special care should be taken to translate these risks into business terms so that your stakeholders can understand what it means to them and make informed decisions. For example, discovering that a service provider encrypts data but fails to properly secure encryption keys may sound like a foreign language to your business team. Informing them, however, that a failure to protect these keys could render the encryption protections useless, thereby revealing sensitive data to a malicious actor, is more likely to alarm decision makers that may want to consider other vendors that take steps to properly protect your valuable data assets. Further expanding on the impacts of such an event could be helpful – e.g., breach reporting for incidents involving personal information (to comply with HIPAA, the GDPR, etc.), brand or reputational damage, or financial impact from compromised intellectual property or trade secrets.
It is important to remember that the consumers of TPRM information are not always risk or security professionals. It can be helpful to relate a particular risk back to the fundamental concepts of the CIA triad – confidentiality, integrity, and availability. Using these basic concepts can help a non-practitioner connect a vulnerability to how it may impact their business unit.
Conclusion
Assessing and managing third party risk can be a large-scale effort, but more organizations than ever are working to evaluate and improve their current TPRM practices. As your TPRM program continues to mature, risk and security practitioners will continue to be tasked with finding ways to refine and deliver more measurable improvements to your existing practices. The act of engaging third-party relationship owners, scoping third-party services, and translating security risk to business risk, may only represent minor enhancements to your existing program, but we have seen that these small changes can yield sizable results when looking to streamline your TPRM activities and deliver greater value to your stakeholders.
Are you looking for assistance building, managing, or optimizing your TPRM program? Get in touch with us.