For many organizations, managing third-party risk starts out as a relatively easy proposition because the company doesn’t have too many third-party relationships. As those companies mature, however, the endeavor soon becomes unwieldy.
With only a few third parties in your supply chain, you can use spreadsheets to identify and manage third-party risk. But as your organization grows and your needs become more complex, spreadsheets will lead to disorganization and chaos.
In this post, we share five strategies to manage your third-party risk.
How Are You Managing Third-Party Risk?
In a recent survey on vendor risk management, Reciprocity discovered that more than 40 percent of organizations tracked third-party risk with emails and spreadsheets; another 21 percent weren’t managing third-party risk at all. Only 14 percent used a GRC tool for managing third-party risk.
Managing third-party risk through documents, spreadsheets, and emails adds unnecessary complexity to the system and significantly increases the cost of third-party risk management.
Moreover, today’s organizations face many regulatory pressures for third-party management: everything from privacy and information security to anti-corruption and health, safety, and labor standards. Organizations must be able to manage all these complexities (and more) across all their third parties.
Given those demands, businesses need a way to manage third-party vendor relationship risks. Documents, spreadsheets, and emails won’t pass muster. A robust third-party risk management (TPRM) program is essential.
What is a Third Party, Third-Party Risk, and Third-Party Risk Management?
The modern business landscape is an interconnected mesh of business relationships and dependencies. On average, more than half of an organization’s “insiders” are third parties, such as:
- Outsourcing firms
- Service providers
- Temporary workers
These third parties introduce risks that can potentially harm the organization’s business continuity, financial position, and market reputation. These include:
- Cybersecurity risk
- Compliance risk
- Legal risk
- Financial risk
- Strategic risk
- Operational risk
- Reputational risk
A third-party risk management (TPRM) program can help organizations understand, manage, and mitigate these risks. With TPRM, organizations can categorize their third parties and how they use them, perform due diligence, and document what safeguards these third parties have in place to minimize risk to the organization.
Companies with a large third-party ecosystem can simplify vendor management, create a safe information environment, and enforce a stronger cybersecurity stance.
As the regulatory environment evolves, businesses need an organized system of records to assure that audits provide the “who, what, where, when, and why” of compliance actions. TPRM provides such a system to streamline and achieve compliance.
Why Is Third-Party Risk Management Important?
Third parties are essential to your business since they enable you to achieve economies of scale, tap into expertise you may not have in-house, and save costs. Without TPRM, however, your organization remains vulnerable to the many risks these third parties bring. TPRM provides the required tools and processes for third-party risk assessment, prioritization, mitigation, and remediation.
TPRM is essential for any organization that maintains third-party relationships, and is especially critical in the post-pandemic environment. Covid-19 disrupted supply chains and affected businesses all over the world. In addition, cyber-attacks and data breaches have risen sharply since the pandemic hit.
Meanwhile, 54 percent of companies have suffered a data breach caused by a third party in the recent past. Companies that had a strong TPRM program were better able to cope with these new realities.
Essential Qualities of a Strong Third-Party Risk Management Program
To be effective, the third-party risk management strategy must account for organizations’ evolving needs, vendors, and processes. Creating a responsive strategy requires a lot of effort, a clear charter, and close collaboration among groups within the organization, including:
- Corporate compliance and ethics
- Risk management
- IT security
- Senior management
Risk assessment is the key to solid TPRM. To evaluate third-party relationships appropriately, for both their value and their risks, you need to categorize the overall exposure of your organization to these relationships and to monitor changes. This must be done as part of the onboarding process for every third party and throughout the duration of the relationship.
As security practices change, vendors must respond quickly to ensure that they don’t increase the risk to the organization. It’s your responsibility to see that these relationships do not cross the risk boundaries you have identified and put in place.
10 Questions to Ask During Risk Evaluation
Here are 10 questions that every business should ask when evaluating risk:
- What is the scope of the third-party risk management program?
- Does the program only focus on IT security, or does it also include other third-party risks: international labor standards, health, safety, conflict minerals, and so forth?
- What are the program’s scope and focus?
- Who is our audience?
- Are there different types of third parties?
- How do we categorize our third parties? By geographic region and regulatory landscape? Could this create risk by geographic location?
- Do we categorize risk by the type of data and information that the third parties are accessing?
- Is the relationship a small one that affects just one office, or is it a broad one that can reach the entire organization?
- What resources are needed to manage these third parties?
- How do we make things accessible to them?
To effectively address these aspects, a software as a service (SaaS) solution is ideal. SaaS GRC solutions organize the risk assessment question and answer process, enabling those on the ground to better manage and monitor the program while easing the broad oversight required in some industries, like financial services.
Third-Party Risk Profiling and Risk Assessment
Third-party risk assessment (or “risk profiling”) is the process of evaluating potential risks associated with working with third-party vendors, contractors, or suppliers. With this evaluation, you can accurately determine the level of risk posed by partnering with the third party and understand its impact on your organization’s reputation, finances, and operations.
The assessment process itself can be quite elaborate. You first have to gather and analyze data about the third party, including finding complete information on its financial stability, compliance history, and overall business practices.
Then you’ll use the information to assess the potential risks associated with working with those parties, and develop a risk management plan to mitigate those risks. This may include implementing additional controls, renegotiating contract terms, or conducting regular risk assessments.
Five Process-focused Strategies For Managing Third-Party Risk
Third-party risk management depends upon the people who own the relationships. Vendors, contractors, and partners will be accessing your systems, reading your policies, and taking your assessments. You need a technology platform that supports this lifecycle – that engages with employees and third parties “where they are,” so to speak – to control the flow of information and assure that all your third parties meet your risk standards.
Team members from procurement, legal, contracting, corporate compliance and ethics, risk management, and audit should all be involved in managing third-party risk. To coordinate all these moving parts, you need a solution that shows both the minutiae and the big picture, and shows both of those perspectives to all parties involved in TPRM.
Any operational process involves specific tasks and notifications to control workflows and sustain the process over the long term. This approach works for managing third-party risk just as well. Here are three questions to help you operationalize TPRM:
- How do we integrate third-party systems with other GRC systems?
- How do we understand our third-party risks in the context of enterprise and operational risks?
- How can we integrate our TPRM systems with our supplier systems or our procurement systems?
Content and Intelligence
Before hiring a third party to work with your organization, research it thoroughly. If someone will have access to your data or customer information, be sure that the person is trustworthy. Here are several questions to guide the vendor screening process:
- Has the vendor received bad reviews or been featured in negative news? Does the vendor have issues that are publicly known?
- How do the vendor’s finances look?
- Can you look at the vendor’s Dun & Bradstreet data or other public resources to learn more about them?
- Can you integrate this information with some security rating systems to see the overall scoring, and use this information to guide your decisions?
Managing third-party risk isn’t a sedentary process. Wherever appropriate, physically visit third parties, use mobile devices and cameras to conduct inspections, gather evidence, and document information.
Process-Based Questions for Managing Third-Party Risk
Understanding the process-based strategies to manage third-party risk requires asking the right questions to get the right information. With this in mind, here are six questions that every organization must ask to manage and mitigate third-party risk:
- Who owns this third-party relationship?
- Who needs to be notified when there are issues or when something needs to be addressed?
- What policies govern this relationship?
- Are there regulatory obligations that govern this relationship?
- Where in the organization does this relationship fit and intersect?
Should You Also Use a Risk Management Framework?
A risk management framework isn’t necessary, but it can help enormously with the tasks of risk management. To manage third-party risk successfully, you need a focused strategy and supporting technology that show how third parties intersect with your risk areas. Frameworks help you do that.
4 Tools-Focused Strategies to Facilitate Process-Based Strategies
Policies to manage third-party risk only work when they’re supported by the right processes and tools. Here are several characteristics of the right tools necessary for these processes.
Facilitate Stakeholder Communication
While collaboration is important, the most critical stakeholders often determine the most appropriate tools. Consider the primary business group that works with the third party. Assure that these people aren’t omitted from the process, which can harm TPRM adoption and ultimately weaken the organization’s risk posture.
Meaningful Metrics Matter
Key performance indicators (KPIs) assist with business decision-making. When looking at metrics, remember that the information must be meaningful. Find the right tools to provide appropriate measures that match your business processes and risk profile.
Automate the Small Stuff
Some interactions may have multiple stakeholders, so your TPRM tools must be flexible. The tools must also overcome information silos by automating these interactions.
For example, if you have to follow up via email or dive into a shared network to find the most recent information, that’s not a good use of your time, and it’s not providing you with direct, actionable intelligence for third-party risk management. Automating workflows, task management, and revision control can eliminate unnecessary complexities.
Find Risk Management Integrations
Emails, Word documents, and spreadsheets lead to information sprawl, contamination, and loss. Integrating risk management means working not just with stakeholders, but also with reports and information.
For example, in one organization, Reciprocity uncovered a risk to availability (part of the CIA information security triad). We mined an accounts receivable system to detect non-performance payments being made by vendors who missed their service level agreements (SLAs). If the vendors repeatedly had to pay credits for missing their SLA targets, it indicated a higher risk that they could not provide consistent and reliable service. This was a key metric we tracked to assure availability.
Important information may be hidden within an area not directly connected to your third-party risk management. A secure risk information management program helps you document and manage these connections and relationships.
How long does it take to get a basic third-party risk management program up and running?
It depends on the organization’s size, the number of third parties, and other factors. Some providers offer bespoke build-outs, but those take a lot of time to implement. We have seen implementations take six months to more than a year, while some newer providers have nimble SaaS solutions that can be rolled out within a month or two.
How do you come up with a third-party risk score?
You can wade into a lot of math here. We consider basic factors, such as the results of audits and SLA performance. We also look at specific attributes of the vendors themselves. For example, do the vendors have dedicated security professionals and security resources? We add all of that up and multiply weights for some factors.
The on-site assessments are weighted a little higher because we are physically reviewing things. We turn that into a percentage score to compare different vendors.
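The scoring described above, as an added example (not Reciprocity's model or code from the original page): factors are summed with weights, on-site assessments weigh more, and the result is a percentage. The factor names, the weights, the 0-to-1 scaling (1 = best) and the sample accounts-receivable rows are assumptions; the SLA factor is derived from SLA credits the vendor paid, and a coverage figure is returned so a vendor with no on-site assessment is not compared as if fully assessed.

```python
# Assumed weights: on-site assessments count more than the other factors.
WEIGHTS = {"audit": 1.0, "sla": 1.0, "security_staff": 1.0, "onsite": 1.5}

def sla_factor(ar_rows, vendor, periods):
    """Share of billing periods in which the vendor paid no SLA credit."""
    missed = {p for v, p, credit in ar_rows if v == vendor and credit > 0}
    return 1.0 - len(missed & set(periods)) / len(periods)

def vendor_score(factors):
    """Return (percent score, percent of total weight actually assessed).

    factors maps a factor name to a value in [0, 1] (1 = best), or to None
    when that assessment has not been done yet.
    """
    unknown = set(factors) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unweighted factors: {sorted(unknown)}")
    present = {k: v for k, v in factors.items() if v is not None}
    for name, value in present.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
    used = sum(WEIGHTS[k] for k in present)
    if used == 0:
        return None, 0.0  # nothing assessed: no score rather than a zero
    score = 100 * sum(WEIGHTS[k] * v for k, v in present.items()) / used
    coverage = 100 * used / sum(WEIGHTS.values())
    return round(score, 1), round(coverage, 1)

# Constructed sample data: (vendor, billing period, SLA credit paid)
AR_ROWS = [
    ("acme-hosting", "2024-01", 0), ("acme-hosting", "2024-02", 500),
    ("acme-hosting", "2024-03", 750), ("acme-hosting", "2024-04", 0),
    ("beta-payroll", "2024-01", 0), ("beta-payroll", "2024-02", 0),
]
PERIODS = ["2024-01", "2024-02", "2024-03", "2024-04"]

def demo():
    acme = vendor_score({"audit": 0.8, "security_staff": 1.0, "onsite": 0.6,
                         "sla": sla_factor(AR_ROWS, "acme-hosting", PERIODS)})
    beta = vendor_score({"audit": 0.8, "security_staff": 0.0, "onsite": None,
                         "sla": sla_factor(AR_ROWS, "beta-payroll", PERIODS)})
    return acme, beta

if __name__ == "__main__":
    print(demo())
```

The second vendor's score rests on only two thirds of the weighted factors, which is why the coverage value should be read alongside the percentage.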
Where’s a good place to start to launch a third-party risk program?
It always starts with collaboration among many groups, such as procurement, legal, compliance, and ethics. Form a committee of all the people who have an interest in third-party risk management. We always start by getting a handle on what exactly you’re trying to manage and figuring out what percentage of your business is handled by third parties. That will drive a lot of decisions about how robust the process and tools need to be.
If you have only one or two vendors, things can probably be a little bit more informal. In contrast, when you have 1,200 vendors contributing to multiple aspects of your business, you’re going to need a much more robust tool and obviously much more robust processes.
Manage Third-Party Risks with ROAR
The Reciprocity® ROAR Platform is an integrated cybersecurity risk management solution that provides actionable insights to help you identify, assess, and mitigate IT and cyber risk.
Not only does ROAR provide real-time risk monitoring to help you stay ahead of threats; it also automates risk scoring and workflows to save time. The fact that you can prioritize investments and make informed business decisions to optimize security is another advantage of implementing Reciprocity ROAR.
Schedule a demo to see where third parties create risk, understand how this risk is changing, and learn how to manage these risks and mitigate business exposure with ROAR.