For many organizations, managing third-party risk starts out as an easy proposition. However, as they mature, this same endeavor becomes unwieldy.
With one or two third parties in your supply chain, you can leverage spreadsheets to identify and manage third-party risk. But as your organization grows, your needs will become more complex, and spreadsheets will often lead to disorganization and chaos.
In this post, we share five strategies for helping you manage your third-party risk.
How Are You Managing Third-Party Risk?
In a recent survey on vendor risk management, Reciprocity discovered that over 40% of organizations tracked third-party risk with emails and spreadsheets. Another 21% admitted they weren’t managing third-party risk at all, and only 14% use a GRC tool for managing third-party risk.
Managing third-party risk through documents, spreadsheets, and emails adds unnecessary complexity into the system and significantly increases the cost of third-party risk management.
Furthermore, today’s organizations face considerable regulatory pressure related to third-party management. There are also various pieces of anti-crime and anti-corruption legislation, such as the US Foreign Corrupt Practices Act (FCPA), that must be observed.
These pressures extend from information security and privacy into social accountability, environment, health, safety, and international labor standards. Organizations must be able to manage all these complexities.
Considering that modern organizations operate in such a complex business, technical, and legal environment, they need a way to manage third-party vendor risks. Documents, spreadsheets, and emails do not cut the mustard anymore. A robust third-party risk management (TPRM) program is essential.
What is a Third Party, Third-Party Risk, and Third-Party Risk Management?
The modern business landscape consists of an interconnected mesh of business relationships and dependencies. On average, over half of an organization’s “insiders” are third parties, such as:
- Outsourcing firms
- Service providers
- Temporary workers
These third parties introduce risks that can potentially impact the organization’s business continuity, financial position, and market reputation. These include:
- Cybersecurity risk
- Compliance risk
- Legal risk
- Financial risk
- Strategic risk
- Operational risk
- Reputational risk
A TPRM program can help organizations understand, manage, and mitigate these risks. With TPRM, organizations can categorize their third parties and how they use them, perform due diligence, and document what safeguards these third parties have in place to minimize risk to the organization.
Companies with a large third-party ecosystem can simplify vendor management, create a safe information environment, and enforce a stronger cybersecurity stance.
As the regulatory environment evolves, businesses need an organized system of records to ensure that audits provide “the who, what, where, when, and why” of compliance actions. TPRM provides such a system to streamline and achieve compliance.
Why Is Third-Party Risk Management Important?
Third parties are essential to your business since they enable you to achieve economies of scale, tap into expertise you may not have in-house, and save costs.
However, without TPRM, your organization remains vulnerable to the many risks these third parties bring. TPRM provides the required tools and processes for third-party risk assessment, prioritization, mitigation, and remediation.
TPRM is essential for any organization that maintains third-party relationships. It is especially critical in the post-pandemic environment. COVID-19 disrupted supply chains and affected businesses all over the world. In addition, cyber-attacks and data breaches have seen a sharp uptick since the pandemic hit.
Moreover, 44% of companies have suffered a data breach caused by a third party in the recent past. Companies that had a strong TPRM program were better able to cope with these new realities.
Essential Qualities of a Strong Third-Party Risk Management Program
To be effective, the third-party risk management strategy must be fluid to account for organizations’ evolving needs, vendors, and processes. Furthermore, creating a responsive strategy requires a lot of effort, a clear charter, and close collaboration among groups within the organization, including:
- Corporate compliance and ethics
- Risk management
- IT security
- Senior management
Breaking down information silos in an organization results in a collaborative effort that further improves third-party risk management.
Risk assessment is the key to solid TPRM. To appropriately evaluate third-party relationships in terms of both value and risk, you need to categorize the overall exposure of your organization to these relationships and monitor changes. This must be done as part of the onboarding process for every third party and throughout the duration of the relationship.
As security practices change, vendors must respond quickly to ensure that they don’t increase the risk to the organization. It’s your responsibility to ensure that these relationships do not cross the risk boundaries you have identified and put in place.
10 Questions to Ask During Risk Evaluation
Here are ten questions that organizations should ask when evaluating risk:
- What is the scope of the third-party risk management program?
- Is the program focused only on IT security, or does it also include other aspects that impact third parties, e.g., international labor standards, health, safety, conflict minerals, etc.?
- What are the program’s scope and focus?
- Who is our audience?
- Are there different types of third parties?
- How do we categorize them? By geographic region and regulatory landscape? Could this create risk by geographic location?
- Do we categorize risk by type of data and information that the third parties are accessing?
- Is it a small relationship that impacts just one office, or is it a broad and massive relationship that can significantly impact the entire organization?
- What resources are needed to manage these third parties?
- How do we make things accessible to them?
To effectively address these aspects, a software as a service (SaaS) solution is ideal. SaaS GRC solutions organize the risk assessment question and answer process, enabling those on the ground to better manage and monitor the program while easing the broad oversight required in some industries, like financial services.
Five Process-focused Strategies For Managing Third-Party Risk
Third-party risk management is dependent on the people who own the relationships. Vendors, contractors, and partners will be accessing your systems, reading your policies, and taking your assessments.
You need an intuitive technology platform that supports this lifecycle to control the flow of information and ensure they all meet your risk standards.
Team members from procurement, legal, contracting, corporate compliance and ethics, risk management, and audit should all be involved in managing third-party risk. Moreover, to coordinate all these moving parts, you need a solution that shows both the minutiae and the big picture.
Any operational process involves specific tasks and notifications to control workflows and sustain the process over the long term. This approach can be beneficial for managing third-party risk as well. Here are three questions to help you operationalize TPRM:
- How do we integrate third-party systems with other GRC systems?
- How do we understand our third-party risks in the context of enterprise and operational risks?
- How can we integrate our third-party systems with our supplier systems or our procurement systems?
Content and Intelligence
Before hiring a third party to work with your organization, research them properly. If someone will have access to your data or customer information, make double-sure that they’re trustworthy. Here are several questions to guide the vendor screening process:
- Has the vendor received negative reviews or been featured in negative news? Are they having issues that are publicly known?
- How do their financials look?
- Can we look at their Dun & Bradstreet data or other public resources to learn more about them?
- Can we integrate this information with some security rating systems to see the overall scoring and use this information to guide our decisions?
Managing third-party risk isn’t a sedentary process. Wherever appropriate, physically visit third parties, use mobile devices and cameras to conduct inspections, gather evidence, and document information.
At the same time, address how “Bring Your Own Device” policies interact with third-party risk and impact organizational security.
Process-Based Questions for Managing Third-Party Risk
Understanding the process-based strategies to manage third-party risk requires asking the right questions to get the right information. With this in mind, here are six key questions that every organization must ask to manage and mitigate third-party risk:
- Who owns this third-party relationship?
- Who needs to be notified when there are issues or when something needs to be addressed?
- What policies govern this relationship?
- Are there regulatory obligations that govern this relationship?
- Where in the organization does this relationship fit and intersect?
The Value of Technology to Manage Third-Party Risk
The right TPRM technology provides a system of records and audit trails to show what was assessed, when that assessment occurred, and the results. Take the case of Morgan Stanley and the Foreign Corrupt Practices Act (FCPA) for example.
In 1977, the federal government passed the FCPA to protect US organizations from foreign corruption. In 2012, Morgan Stanley was the first company with corruption in its ranks. Still, they were not prosecuted because the company had effectively documented the steps it had taken to guard against corruption.
Even though Morgan Stanley failed to prevent corruption, the fact that it had properly documented its anti-corruption policies saved it from prosecution. The Department of Justice website praises Morgan Stanley’s compliance program, including the third-party management aspect.
This case demonstrates why such a system of records is critical for third-party risk management.
Should You Also Use a Risk Management Framework?
A risk management framework may help with risk management in general, but it’s not strictly necessary. You need a focused strategy and supporting technology to show how third parties intersect with your risk areas to successfully manage third-party risk.
4 Tools-Focused Strategies to Facilitate Process-Based Strategies
Policies to manage third-party risk work only when they’re supported by the right processes and tools. These tools should strengthen third-party risk management processes. Here are several characteristics of the right tools necessary for these processes.
Facilitate Stakeholder Communication
While collaboration is important, the most critical stakeholders often determine the most appropriate tools. Consider the primary business group that is working with the third party. These individuals often get left out of the process, affecting TPRM adoption and ultimately weakening the organization’s risk posture.
Meaningful Metrics Matter
Key performance indicators (KPIs) assist with business decision-making. When looking at metrics, remember that the information must be meaningful. Find the right tools to provide appropriate measures that match your business processes and risk profile.
Automate the Small Stuff
Some interaction points may have multiple stakeholders, so your TPRM tools must be flexible. They must also eradicate information silos by gathering or expanding requirements that automate these interactions.
If you have to follow up via email or dive into a network share to find the most recent information, that’s not a good use of your time, and it’s not providing you with direct, actionable intelligence for third-party risk management.
For example, automating workflows, task management, and revision control can eliminate unnecessary complexities.
Find Risk Management Integrations
Emails, Word documents, and spreadsheets lead to information sprawl, contamination, and loss. Integrating risk management means working not just with stakeholders but also with their reports and information.
For example, in one organization, Reciprocity uncovered a risk to availability (part of the CIA information security triad). We mined an accounts receivable system to detect non-performance SLA payments being made by vendors.
If they continually had to pay credits for not hitting their SLA targets, it indicated a higher risk that they could not provide consistent and reliable service. This was a key metric we tracked to ensure availability.
Important information may be hidden within an area not directly connected to your third-party risk management. A secure risk information management program helps you document and manage these connections and relationships.
How long does it take to get a basic third-party risk management program up and running?
It depends on the organization’s size, the number of third parties, and other factors. Some providers that Gartner and Forrester love offer bespoke build-outs, but they take a lot of time to implement. We have seen implementations take six months to over a year, while some newer providers have nimble SaaS solutions that can be rolled out within a month or two.
How do you come up with a third-party risk score?
You can deep dive into a lot of math here. We consider basic factors, such as the results of audits and SLA performance. We also look at specific attributes of the vendors themselves. Do they have a dedicated security professional and security resources? We add all of that up and multiply weights for some factors.
The on-site assessments are weighted a little higher because we are physically reviewing things. We simply turn that into a percentage score to compare different vendors.
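As an added example (not Reciprocity’s or ZenGRC’s code), the following Python derives the SLA-credit indicator described under “Find Risk Management Integrations” from a constructed accounts-receivable ledger and folds it into the weighted percentage score sketched above, with the on-site assessment weighted higher. The factor names, weights, the 0..1 normalisation and the ledger rows are assumptions for illustration.

```python
# Added example, not the vendor's code. Weights and normalisation are assumed.

# Constructed ledger rows: (vendor, billing_period, amount, memo).
# Negative amounts are credits the vendor paid back; the memo flags SLA misses.
LEDGER = [
    ("acme-hosting", "2023-01", -1200.0, "SLA credit: uptime below 99.9%"),
    ("acme-hosting", "2023-02", -800.0, "SLA credit: response time"),
    ("acme-hosting", "2023-03", 0.0, "invoice settled"),
    ("acme-hosting", "2023-04", -1500.0, "SLA credit: uptime below 99.9%"),
    ("beta-saas", "2023-01", 0.0, "invoice settled"),
    ("beta-saas", "2023-02", 0.0, "invoice settled"),
    ("beta-saas", "2023-03", -50.0, "goodwill discount"),  # not an SLA miss
    ("beta-saas", "2023-04", 0.0, "invoice settled"),
]


def sla_credit_rate(ledger, vendor):
    """Fraction of billing periods in which the vendor paid an SLA credit.
    A high or rising rate is the availability-risk signal the post describes."""
    periods, missed = set(), set()
    for name, period, amount, memo in ledger:
        if name != vendor:
            continue
        periods.add(period)
        if amount < 0 and memo.startswith("SLA credit"):
            missed.add(period)
    return len(missed) / len(periods) if periods else 0.0


# Assumed factor weights; the on-site review counts more, as the post says.
WEIGHTS = {"audit": 1.0, "sla": 1.0, "security_staff": 1.0, "onsite": 1.5}


def risk_score(vendor, ledger, audit_findings, max_findings,
               has_security_staff, onsite_score):
    """Weighted risk as a 0-100 percentage (higher = riskier).
    Each factor is first normalised to 0..1, where 1 is the worst case."""
    factors = {
        "audit": min(audit_findings / max_findings, 1.0),
        "sla": sla_credit_rate(ledger, vendor),
        "security_staff": 0.0 if has_security_staff else 1.0,
        "onsite": 1.0 - onsite_score,  # onsite_score: 1.0 = fully satisfactory
    }
    weighted = sum(WEIGHTS[k] * v for k, v in factors.items())
    return round(100.0 * weighted / sum(WEIGHTS.values()), 1)


if __name__ == "__main__":
    for vendor, findings, staff, onsite in [("acme-hosting", 3, False, 0.4),
                                            ("beta-saas", 1, True, 0.9)]:
        print(vendor, risk_score(vendor, LEDGER, findings, 10, staff, onsite))
```

The two constructed vendors come out at roughly 65.6% and 5.6%, so the score can rank vendors directly while the SLA rate alone tells you which one is failing on availability.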
Where’s a good place to start to launch a third-party risk program?
It always starts with collaboration among many groups, like procurement, legal, compliance, and ethics. It’s all about building that collaboration and forming a committee of all the people who have a vested interest in third-party risk management.
We always start by getting a handle on what exactly you’re trying to manage and figuring out what percentage of your business is handled by third parties. That will drive a lot of decisions about how robust the process and tools need to be.
If you have only one or two vendors, things can probably be a little bit more informal. In contrast, if you have 1,200 vendors contributing to multiple aspects of your business, you’re going to need a much more robust tool and obviously much more robust processes.
Manage Third-Party Risks with ZenGRC
ZenGRC is a single, integrated platform that reveals third-party risk across your entire organization. Don’t waste your time with cumbersome spreadsheets when ZenGRC provides a single source of truth to streamline evidence and audit management for all your compliance frameworks.
Operationalize risk management and ensure ongoing monitoring with tasks, automated workflows, and dashboards. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption across your enterprise.
If you want to see where third parties create risk, understand how this risk is changing, and manage these risks to mitigate business exposure, consider ZenGRC for your third-party risk management system.