Contributors: Priyanka Munipalle, Senior Manager, Information Assurance & Cybersecurity Services
Third-Party Risk Management (TPRM) is critical for organizations to effectively manage risk. The challenge is that effective TPRM requires coordination of executive leadership, legal, compliance and risk management teams across the organization.
Teams often find themselves allocating time and effort to certain aspects of TPRM, potentially overlooking more impactful strategies for managing vendor risks. Shared challenges organizations face when it comes to managing third-party risk include:
- Immature vendor acceptance and risk management strategies
- Incomplete vendor inventories
- Inadequate understanding of data sharing and cybersecurity responsibilities on the part of the company and the vendor
- Lack of technical skills to provide a clear view of potential vendor risk
- Lack of risk-based vendor classification/stratification
- Volume of vendors to be onboarded and/or assessed exceeds the capabilities of the team
- Existing vendors that don’t match established risk tolerances, creating risk gaps
- Inability of the TPRM program to scale with the business
Today’s organizations are increasingly relying on third parties to assist business operations. These third parties, including IT and cloud service providers, payment processors, logistics and transportation providers, and more, introduce varying degrees of risk. These risks could range from data breaches and security vulnerabilities to regulatory non-compliance and reputational damage, all of which could harm the security and integrity of a business.
As the U.S. Securities and Exchange Commission (SEC) has made known through its This underscores the potential risks and legal implications of not having an effective TPRM program in place, making it a crucial component for any business, especially those that serve public companies.
By “right-sizing” resources and focusing on meaningful strategies, organizations can enhance their third-party risk management practices and effectively mitigate potential risks.
Utilize Data-Driven Due Diligence When Selecting Vendors
Before engaging with any third-party vendor, contractor, business partner or supplier, it is essential to conduct thorough due diligence. This often includes background checks and research into a third party’s financial stability, reputation, and security controls, as well as (typically lengthy) due diligence questionnaires to create a comprehensive risk profile.
And yet, an overwhelming majority of third-party risks are identified after the due diligence process. According to Gartner, 73% of risk identification efforts are allocated to due diligence and recertification, while only 27% of effort is allocated to ongoing monitoring.
Have a Defined TPRM Program Focused on Identifying, Monitoring and Managing Vendor Risk
Once a third-party vendor is engaged, the vendor should be part of the company’s third-party vendor ecosystem and subject to ongoing review and monitoring. The depth and extent of the ongoing review and monitoring are dependent on the extent, depth, and nature of how the company integrates the vendor into its business processes.
At a minimum, all companies should have a TPRM program as defined by policies, procedures and standards. TPRM programs are never “one-size fits all” because every organization has different risk impacts and tolerances. TPRM programs require effective alignment of risk, technology, process and the people executing the program. The TPRM “living” program must be implemented properly, constantly maintained and refined on a regular basis.
Key questions that this program should address:
- How are we providing guidance and support on managing vendor risk during the vendor onboarding process?
- How does our program monitor vendor risk?
- How does our program measure vendor risk?
- How does our program respond to vendor risk?
- How and who do we report vendor risk within the organization?
Vendor Segmentation and Stratification Is Key to TPRM Success
According to a survey by the CyberRisk Alliance, the average organization engages with 88 third-party organizations. It also found that the number of engaged third parties increases as the size of the organization does. When working with many third parties, it can be hard to keep track of each one of them, especially if the organization does not have a dedicated third-party risk management office.
To help keep track of their third-party relationships, organizations should segment these providers into a hierarchy. This means categorizing third parties based on their risk profiles, such as their potential impact on the organization’s operations, their level of access to sensitive data, and their compliance with relevant regulations. This practice offers organizations the opportunity to prioritize their risk management efforts, allocating time and resources where they are needed most — with the highest-risk segmented third parties. Lower-risk segments may only require periodic checks, especially if triggers and internal controls are in place. This process helps the organization to maximize the value generated from suppliers, optimize resources, leverage innovation and prioritize critical third parties to provide an enhanced service model to their customers.
Implement a Process To Monitor, Measure, and Respond to Vendor Risk
An ongoing continuous monitoring program should be implemented that includes a variety of techniques, such as the completion of vendor risk assessments (VRAs), audits, and special information requests, with the goal that the third party is meeting the company’s security and compliance standards.
Keep in mind that the vendor segmentation/stratification process should drive the extent and scope of the individual vendor risk assessment process. Vendors may not require the completion of a VRA, whereas some vendors may require a thorough VRA. Some vendors may require a site audit to be performed above and beyond the VRA.
By spending more time monitoring the third-party relationship through VRA and audits, organizations can better identify and address emerging risks before they become major issues. An effective VRA process creates a wealth of data that can be utilized on an ongoing basis and identifies new and emerging risks in its vendor portfolio by providing period-to-period comparative data.
Existing data can be used to determine the critical due diligence questions that need to be asked based on relevant laws and regulations, as well as identify which questions have been the most effective in indicating potential risk. In addition, by utilizing existing technology to analyze third-party risk, organizations can make informed decisions and enhance their risk management strategies by identifying and evaluating potential risks associated with a vendor’s operations and their potential impact on the organization.
Without using intelligence, VRAs often become a “one size fits all,” potentially missing critical risks important for the organization to understand before engaging with the third party. This may result in oversight of financial, reputational and cyber risks that are critical for the organization.
Implement Internal Triggers and Controls To Monitor Vendor Risk
It may seem impossible to continuously monitor third-party relationships, especially if a team is managing multiple third-party vendors. However, teams can more easily and effectively monitor their third-party network through triggers to signal for any potential changes or threats to the relationship.
Using business intelligence reporting, organizations can build automated trigger reports to identify emerging risks based on metrics that were established through the due diligence process. These triggers can be set to monitor various aspects of the third-party relationship, such as financial stability, security controls, and compliance with contractual obligations. When metrics are not being met or have the potential to not be met, a report can be triggered for legal and compliance to review, mitigating the risk in real time.
When engaging a third party, organizations will most likely have access to sensitive information and/or data. Unfortunately, most data breaches occur because a third party was granted too much access, access that was granted to appropriate personnel was misused, or the third party was unknowingly accessing sensitive data. It is important to implement access controls to manage third parties and improve the organization’s ongoing monitoring practices. With internal controls in place, an organization can control what the third party can access, when, and to what extent.
In a Zero Trust security model, every user and device, whether inside or outside the organization’s network, is treated as a potential threat. Identity and Access Management (IAM) is a key component of this model, used to control access to sensitive data and to enforce security protocols. IAM can also monitor activity and detect emerging risks that could indicate a security threat. By implementing a Zero Trust security model and using IAM, organizations can verify the identity of users and devices before granting them access to certain data, applications, and systems, thereby enhancing their third-party risk management practices.
Leverage Automation To Avoid Cross-Functional Miscommunication
Several organizations still rely on manually intensive processes and overworked staff to manage third-party risk. Using automation can help save time and free up resource capacity by automating processes such as data collection, risk assessments, performance and compliance monitoring/triggers, contract management, and vendor onboarding.
While legal and compliance teams are typically the owners of third-party risk management, there are several others within the organization who have a stake in improving risk management and associated business outcomes. By utilizing automation, risk management functions across departments can be better unified, reducing miscommunication, manual data entry and errors, and overall, creating a more strategic third-party risk management plan.
Collaborate With an External Auditor
Managing the success of third-party relationships can be a daunting task, especially for organizations that are not internally set up to employ access controls or leverage automation tools. In such cases, the support and expertise of an external auditor can be invaluable in building an effective third-party risk management program, providing a sense of reassurance and support.
How Cherry Bekaert Can Help
Third-party risk management is a critical component of any cyber and risk management program. Cherry Bekaert’s Information Assurance & Cybersecurity and Risk Advisory practices can guide organizations through comprehensive TPRM programs, risk assessments, internal controls evaluations, cyber, and incident response plans to enhance their third-party management program and mitigate risks sustainably and effectively.
Related Insights
- Article: Cracking the Code Behind Assessing Your Third-Party Risk Management Exposure
- Article: Raising Your Risk Management Profile to Protect Your Assets
- Podcast: Third-Party Risk Management and How It Can Add Value and Drive Success Within Your Organization
- Webinar: 2022 Professional Services Series: Third Party Risk Management (TPRM)
