Third-party risk management (TPRM), also known as “vendor risk management,” manages risks introduced to your business by your organization’s vendors, suppliers, contractors, and service providers. Any outside party that plays a significant role in your company’s ecosystem or supply chain is considered a third-party vendor.
For example, say you work closely with a shipping agent that has access to all your customer information. By giving that agent access to your customer data you may have streamlined your logistics, but you also introduced potential risks stemming from this third-party relationship (such as the agent accidentally leaking your customer data online). Let’s look at how you can best monitor and remediate this risk.
Why Do You Need Vendor Risk Management?
Vendor risk management (VRM) is necessary because vendors introduce security risks to your organization, and your organization is responsible for handling those risks. If you don’t address those risks and your valuable data (including customer or employee data) is lost, your business can still suffer all sorts of consequences – everything from lawsuits, to monetary penalties from regulators, to a tarnished corporate reputation, to lost business opportunities, and more.
VRM programs track and manage those risks introduced by your vendors. Having a VRM program demonstrates that your business takes its risks seriously, which is a message your stakeholders want to see. Moreover, numerous regulations require a company to manage its third-party risks, so a VRM program also keeps you in compliance with regulatory obligations.
A successful vendor risk management strategy helps to:
- Address future dangers with more efficiently;
- Incorporate new third-party providers into your business ecosystem;
- Drive more accountability for risk, both for you and your vendors;
- Maintain quality of services;
- Keep costs low;
- Keep efficiency up.
What Are the Risks of Third-Party Relationships?
One of the primary goals of third-party risk management is to identify the risks in your third-party relationships – and third parties can pose all sorts of risks. Usually they will fall into one of the categories below.
This category can describe internal and external control failures. For example, a vendor can be an operational risk if its goods or services are vital to keep your operations going.
A vendor can be a financial risk if a third-party arrangement has the potential to damage the financial projections of your company – say, the vendor passes along a swift increase in costs to you that your budgets had not anticipated.
A third-party vendor’s conduct can reflect poorly on you. For example, an outsourced customer service center might deliver poor service to your customers, who then complain about your company on social media even though you don’t operate that service center. The reality is that when customers have a bad experience, they’re prone to hold the parent company responsible rather than a vendor working on that company’s behalf.
In most cases, a company is legally responsible for the conduct of third parties working on its behalf. So if one of your overseas distributors violates U.S. law by, say, bribing foreign government officials to win a business contract – then U.S. prosecutors will look to hold your company accountable for that legal violation.
If you entrust your data to a vendor, then its poor cybersecurity practices become your problem. When that vendor suffers a breach that affects your data, you could be liable for lawsuits from unhappy customers or face regulatory enforcement from privacy regulators.
How to Conduct a Third-Party Risk Assessment
To keep third-party risks in check, you must perform a risk assessment for the third parties you use. Once you identify those risks, you can decide whether the benefits of the relationship outweigh the dangers. That choice will be based on your company’s policies, practices, mission, goals, and needs.
Vendor risk assessments can be time-consuming and onerous, but the consequences of not performing a good risk assessment can be painfully high. So follow the below steps to perform those assessments smartly.
Step 1: Understand Your Vendor Risks
Begin by understanding all the ways third-party relationships might bring risk to your business; not all the categories we outlined above will apply to every third-party relationship you have. Understanding all the hazards that might affect you helps you evaluate providers more comprehensively.
Step 2: Determine Risk Criteria
Having identified every potential risk category, you must now create risk standards for third-party evaluations. These will vary depending on the business the vendor and your company undertake. Create or use a vendor risk assessment framework (one that has a predetermined structure and grading standards) and apply it to each evaluation.
Step 3: Evaluate Every Good and Service
A third-party risk assessment should answer two questions. How does this vendor run its business overall, and how does it handle the specific service or item you want to purchase?
For the company overall, ask questions such as: How might doing business with this party affect your company’s reputation? Does the party follow legal, ethical business practices? How prompt and reliable is its customer service? How financially stable is the business?
A product-level examination reveals the risk associated with a given product. For instance, in addition to evaluating the business, you may inquire the following if you want to purchase case management software:
- Is the program safe?
- How much time will our staff need to gain proficiency with it?
- What is the price?
- Does the product adhere to applicable laws regarding data privacy, reporting, and the like?
You can get a complete picture of possible risks by analyzing the business and product. This helps you determine whether to begin or maintain commercial contact with them.
Step 4: Consult With Professionals
You’ll need a high degree of knowledge to understand all the circumstances and risks that might come with a third party. When necessary, ask for help from those in other departments at your enterprise or from companies entirely. Get advice from compliance, finance, security, IT, and law authorities.
Even better, you could form a team for risk assessment with a designated representative from each contributing department. This guarantees accurate and speedy estimates.
Step 5: Evaluate Each Vendor
Assessments of third parties’ risks are used in more than just supply chains and vendor risk management software. Before you form a partnership with a vendor, regardless of how tiny they are or what kind of goods or services they offer, you should analyze them.
Even if you don’t perform a formal risk assessment, consider cleaning services, paper shredders, landscapers, landlords, and caterers. They might bring risk to your business if they access your documents, data, and physical space.
Step 6: Organize Vendors by Risk Level
You can make decisions about potential vendors more quickly and expedite the risk management planning process if you classify vendors into different risk categories.
First, rate the vendor (according to your risk criteria) as high, medium, or low risk. Next, assign a “business effect rating” to the vendor. In other words, how significant is the vendor’s offering and service to your business?
Make a final decision about the extent of due diligence you will perform on vendors for each risk level. By streamlining the procedure, bias is eliminated, while efficiency and consistency are improved.
Step 7: Create a Risk Management Plan
Once you’ve decided to deal with a vendor and have assessed its degree of risk, create a customized risk management strategy.
Plan how your company will handle or reduce each potential danger the third party may bring. Then, when the threat strikes, you can act promptly to minimize damage. Risk scenarios and particular reaction duties, together with the name or function of the individual in charge of each, should be included in the plan.
Step 8: Keep Current with Regulations
Your business needs to be informed about new and revised rules and regulations. These rules include, but are not restricted to:
- Privacy regulations
- Restrictions on the environment
- Labor and employment legislation
- Tax laws
Assess all of your vendors to make sure they can maintain compliance as you update your own policies and procedures to stay current with changing regulatory demands. Cut ties with any vendor reluctant to modernize its processes, since you can be held liable for that vendor’s failure to comply with regulations.
Step 9: Complete Annual Evaluations
Vendors develop and adapt just as your business does. As a result, their practices might fall out of alignment with your needs or expectations. For instance, a supplier can be acquired by a different corporation whose operations don’t align with yours. Or the vendor might change a product or begin using a new one that doesn’t comply with the rules set out by your business.
You can evaluate a vendor regularly or annually, depending on its level of risk. Continuous oversight and due diligence guarantee that your business connections are secure and profitable for all parties.
How to Establish a Third-Party Risk Management Program: a Step-By-Step Guide
Third-party risk management is similar to enterprise risk management: it begins with a risk assessment, followed by risk analysis and response. Then, it establishes continuous monitoring procedures and a remediation plan. Vendor risk management is integral to every information security risk management program.
Here are some points to get you started:
- Get buy-in from all departments, from senior management to the front desk staff. Focus primarily on finance, HR, and legal departments where the exposure is significant, and the cost of a data breach can be substantial. Analyze and agree on a risk level that’s acceptable to everyone.
- Look closely at each link in your supply chain. Establish which ones are third-party relationships and which come with a high level of cybersecurity risk.
- Establish onboarding protocols and organize contractors by the level of security clearance needed. For example, the caterer for the summer party does not require the same level of approval as the financial institution managing payroll.
- Fill out a risk profile questionnaire for each contractor within your third-party ecosystem. Keep the profiles accurate by updating them regularly.
- Carefully work compliance requirements into the onboarding processes and make sure your third-party risk management program examines the third parties’ use of their own contractors, also known as “fourth parties.”
A word on compliance: Third- and fourth parties with regulatory compliance issues may also affect your business. Not only will non-compliance affect your workflow; it can also result in fines and other penalties for your business.
Get to Know your Contractors and Solidify Your Third-Party Relationships
Before onboarding a vendor or service provider, it’s essential to perform due diligence. You can start by having the vendor fill out a cybersecurity questionnaire for vendors that assesses the security of the vendor’s systems, networks, and processes.
When third-party risk assessment is undertaken in collaboration with the service provider (rather than a game of gotcha), it can strengthen the relationship and help streamline work processes.
Review your contracts carefully and make sure they assign responsibility in the event of a data breach and require third-party contractors to comply with the same regulations and industry standards your organization must meet. It’s also reasonable to insist that a third party inform you if it has been compromised.
Ongoing Real-Time Monitoring is Vital
Effective third-party risk management requires ongoing monitoring of third-party risks, since vendor circumstances change throughout the lifecycle of the third-party relationship. Vendor risk management automation can help here. Some software solutions automate these tasks and keep you updated on any compliance issues that may arise along the way.
Which Frameworks and Regulators Require Third-Party Risk Management?
Several regulatory and compliance requirements affect third-party vendors and may function as frameworks for assessing vendor risk.
- The Health Insurance Portability and Accountability Act (HIPAA). Third-party risk management is addressed explicitly in this federal law. Under HIPAA, the electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against cyber threats, hazards, and unauthorized use or disclosure. Under HIPAA, vendor contracts must contain privacy and security assurances.
- System and Organization Controls for Service Organizations 2 (SOC 2). Third-party assurance of adequate risk and security controls is increasingly required by contracting organizations in the form of SOC 2 certification.
- The Payment Card Industry Data Security Standard (PCI DSS). Third-party risk management is integral to this industry standard. PCI DSS demands compliance from “third-party service providers,” defined as any vendor that stores, processes, or transmits credit card data on behalf of a client organization and any vendor that could affect the security of the cardholder data environment.
- The Federal Risk and Authorization Management Program (FedRAMP). Third-party assessments are included in this federal program that spells out security standards for cloud-based technology providers bidding on government contracts.
- The General Data Protection Regulation (GDPR). Third-party risk management is required under this European Union law that applies to all entities that collect, process, store, sell, or share data belonging to EU residents. It states that organizations must take necessary steps to protect citizens’ data, including information shared with third parties (known as data processors). Third parties must also save that data and comply with all aspects of the GDPR.
- Control Objectives for Information and Related Technologies (COBIT). Vendor risk management using COBIT 5 is spelled out in the Align, Plan, and Organize (APO) domain, from identification to monitoring and measuring. Control objectives include managing relationships, managing service agreements, and managing suppliers.
- The Committee of Sponsoring Organizations (COSO) internal control framework. Many organizations use COSO to mitigate third-party risk. The framework helps organizations minimize risk overall with processes and improved controls, and it addresses third-party risk throughout the document.
In addition, the U.S. Office of the Comptroller of the Currency (OCC) provides guidance for financial institutions in its Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.
Manage Third-Party Risk Management With Reciprocity ZenRisk
At Reciprocity, a team of cybersecurity professionals is always looking out for you and your assets, assuring that you get the best and most up-to-date risk management tools. ZenRisk works with governance, risk management, and ever-changing compliance demands to keep your business safe.
ZenRisk’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that keeps track of your workflow and lets you find areas of high risk before that risk becomes a real threat.
Worry-free compliance management is the Zen way. Schedule a demo for more information on how ZenRisk can help your organization.