4 Practical Steps to Improve your Third-party Risk Management (TPRM) Program

Steps to Improve your TPRM Program

As the way we work continues to evolve rapidly, so too does the complex web of an organization’s list of third-party vendors, and with that comes increased risk and opportunity. 

We recently looked at the challenges of managing third-party risk and some key considerations for implementing an effective third-party risk management (TPRM) program. But what are the practical steps you can take to improve it? A combination of enhanced processes, improved understanding, and vendor risk management software.

Research conducted by KPMG International found that third-party risk management is a strategic priority for 85% of businesses, up from 77% prior to the outbreak of the COVID-19 pandemic.

There are four key actions to consider: 

Understand what’s going well, and what’s not – Conduct a self-assessment of your organization’s TPRM capability and ask key questions such as:

                ► What are our strengths?
                ► Where are our weaknesses?
It’s a good idea to ensure that part or all of the assessment is carried out by an external party as they will deliver impartial feedback and highlight potential areas for improvement. 

Understand your target state – If you have a vendor-first strategy that leads to a large amount of outsourcing, it’s crucial that you understand your target state for third-party due diligence. Have a roadmap that sets out realistic aims and objectives and how you intend to achieve them. Looking to do too much too soon with your program can cause issues, slow down the progression and can be counterintuitive.
 
Build partnerships with vendors – Establishing a close relationship with critical vendors is central to the success of any TPRM program. Without partnerships, it becomes increasingly difficult to work toward common goals. Technology can help with monitoring and assessments, but having the ability to pick up the phone and openly discuss and address issues to mitigate any risks. 
 
Simplify risk assessments – Become the customer with which vendors want to do business. Keep vendor risk assessments simple and tailor questions to a particular vendor’s products or services. By being pragmatic in your approach to problem-solving, you’ll gather quality data that produces better results. Our TPRM questionnaire blog series will help you build a questionnaire from scratch.

Not all vendors pose equal risk

Another vital step to consider in your TPRM program is ranking vendors in order of importance to your business. For example, if a vendor is managing critical tasks that are central to your operations, you’ll need to know more about them, how they operate and any risks they present. 

However, in comparison, if a vendor supplies your organization with office furniture, then there’s no need to present them with a detailed information security risk assessment containing 200 questions that they won’t know how to answer. Any data gathered will be of little value.  

It’s also important to consider a vendor’s position in the broader market. You are unlikely to get a response from a big vendor like Microsoft. Instead, you’ll probably be directed to a terms and conditions page. Microsoft will also likely be on most businesses’ supplier lists, but in terms of criticality, do they need to be there if you’re only using applications such as Microsoft Office or Outlook? If either of these products were to go down, it would impact businesses globally, not just yours. Other products, on the other hand, such as Microsoft CRM dynamics, would need to be ranked as high risk as they can be tailored to your individual needs and business processes.

The importance of technology and quality data 

Once you have ranked your vendors, data needs to be collected to understand the risks each one presents. Data sits at the heart of every organization, but with TPRM, it is about quality, not quantity. For example, you can gather large amounts of data from extensive vendor risk assessment questionnaires, but if you don’t have the skills or systems in place to use it effectively, it becomes more of a hindrance than a help.

By understanding the why, you can unlock the true value of the data that has been collected 

 

Many organizations see technology and external solutions as the silver bullet that will fix everything.

Yes, they can be helpful, but any tools you choose must be used within the context of your business. Without building a data aggregator that allows you to look at things in a joined-up way, it’s almost impossible to see how the data is working for you. 

The biggest challenge organizations have is how to determine the practical impact data has on their operations. It’s easy to make the mistake of asking what technology, such as vendor risk management software, can do rather than why we need it.