Third-Party Risk Management, GRC

Navigating the Challenges of Third-party Risk Management

Written by

Matthew Davies

Published on

10 Aug 2022



Third-party risk management should be integral to modern organizational practices. From software to consulting services and hosting, businesses are increasingly turning to third-party providers. This trend spans every area of their operations, resulting in a more intricate technology landscape and an expanded supplier network. According to Gartner, 60% of organizations are now working with more than 1,000 third parties. Despite the added complexity, these relationships are critical to business success. They deliver affordable, responsive and scalable solutions that help organizations grow and adapt to their customers' needs.


But as reliance on third parties grows, so too does the exposure to additional risk. Effective third-party oversight is more important than ever. So how can you ensure that your third-party risk management (TPRM) processes are ready to face the challenges of our ever-evolving commercial landscape?

Third-party risk is more than a checkbox exercise

Often, organizations start thinking about TPRM as a result of compliance drivers. They face a wide range of regulatory requirements around data privacy, change management and data hosting. Whatever the motivation, all too often we see this kind of activity treated as little more than checking a box.


Reducing this kind of risk management to an exercise in compliance does not ensure that you address the root causes underlying complex risks. In fact, by viewing TPRM as a set of minimum requirements, it is easy to overlook potential risks that could become real issues for your organization. This is particularly true when vendors are viewed in isolation: activities are not standardized and aligned across the organization, creating chinks in your risk management armor.


Instead, your organization should take a holistic approach. Integrating TPRM with your wider Governance, Risk and Compliance (GRC) program can have huge benefits. By embedding your assessment program in your wider compliance landscape, you won't just be conducting a one-time vendor audit; you'll be proactively assessing third-party risks and continuously improving operations, efficiencies and processes to enhance the security of every part of your supplier network. You will be able to pass information throughout the business, ensuring that risks are identified and treated on an ongoing basis.



Determining the scope of your assessment is vital

Many organizations simply don't have the resources to assess all of their third-party providers at a granular level. So your very first step should be to take an inventory of all of your third parties, recording who your vendors are and what business functions they support. Armed with this information, you can then prioritize your analysis.


There are three key considerations to provide a structure for your assessment:


  • Cost – This is a sensible starting point for most organizations and often the easiest way to structure your assessment. By looking at the contractual value of each vendor, you can then tier them accordingly. 


  • Risk type – Another way of categorizing your vendors is by considering the type of risk they expose your organization to. Consider factors such as geography, technology, and financial risk, then organize your risks based on how likely they are to occur. 


  • Criticality – This is the most sophisticated approach and ranks each vendor by assessing which of your critical assets, systems and processes they impact, and what the repercussions of those risks would be to your organization. 


Sometimes, there are other factors that affect whether a third party is included within the scope of your assessment. You may find, for example, that your vendor will not allow you to assess them. That is often the case with large providers like Google, Amazon or Microsoft, who may well be critical to your business success but are unlikely to give you bespoke information for your audit. In those cases, rely on the independent assurance they do publish, such as SOC 2 reports and ISO 27001 certificates, and record that as the basis for the assessment so that the gap in bespoke evidence is visible rather than silently ignored.


Alternatively, external factors might dictate the scope of your assessment. Whether it’s a global pandemic like COVID-19 or a major geopolitical event such as the Russian war in Ukraine, organizations will often conduct tactical assessments in order to analyze the impact of their expanded risk profiles. 
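The tiering approach described in this section can be made concrete. The following is an added example, not code from the original post or from SureCloud: it takes a constructed vendor inventory and combines the three structuring criteria (contract cost, risk type and criticality) into an assessment tier, flags vendors that will not accept a bespoke questionnaire so they are assessed from published assurance instead, and scopes a tactical reassessment after an external event affecting particular countries. The likelihood weights, tier thresholds and vendor records are all hypothetical.

```python
"""Vendor tiering for TPRM scoping (added example; all data is constructed)."""
from dataclasses import dataclass

# Hypothetical likelihood weight (0..1) per risk type. Tune to your own risk
# register; these values are illustrative, not taken from the original post.
RISK_TYPE_LIKELIHOOD = {
    "data_hosting": 0.6,
    "privileged_access": 0.7,
    "financial": 0.4,
    "geography": 0.3,
    "technology": 0.5,
}

# Risk score at or above which a low-value, non-critical vendor is still
# promoted to a targeted questionnaire (hypothetical threshold).
RISK_PROMOTION_THRESHOLD = 0.6


@dataclass
class Vendor:
    name: str
    annual_contract_value: float             # cost criterion
    risk_types: frozenset                     # risk-type criterion
    critical_assets: frozenset                # criticality criterion
    operating_countries: frozenset = frozenset()
    accepts_bespoke_assessment: bool = True   # large providers often do not


def cost_tier(vendor: Vendor) -> int:
    """Tier 1..3 on contractual value alone (the 'cost' approach)."""
    if vendor.annual_contract_value >= 500_000:
        return 1
    if vendor.annual_contract_value >= 50_000:
        return 2
    return 3


def risk_score(vendor: Vendor) -> float:
    """Probability that at least one of the vendor's risk types materialises,
    treating the types as independent: 1 - prod(1 - p_i)."""
    p_none = 1.0
    for risk_type in vendor.risk_types:
        p_none *= 1.0 - RISK_TYPE_LIKELIHOOD.get(risk_type, 0.0)
    return round(1.0 - p_none, 3)


def criticality_tier(vendor: Vendor, critical_assets: dict) -> int:
    """Tier by the highest-impact critical asset the vendor touches.
    critical_assets maps asset name -> impact rating 1 (highest) .. 3."""
    impacts = [critical_assets[a] for a in vendor.critical_assets if a in critical_assets]
    return min(impacts) if impacts else 3


def assign_tier(vendor: Vendor, critical_assets: dict) -> dict:
    """Combine the three criteria: the strictest (lowest) tier wins, and a high
    risk score can pull an otherwise tier-3 vendor up to tier 2."""
    tier = min(cost_tier(vendor), criticality_tier(vendor, critical_assets))
    score = risk_score(vendor)
    if tier == 3 and score >= RISK_PROMOTION_THRESHOLD:
        tier = 2
    if vendor.accepts_bespoke_assessment:
        method = {1: "full bespoke questionnaire",
                  2: "targeted questionnaire",
                  3: "self-attestation"}[tier]
    else:
        # Vendor will not answer bespoke questions: assess from what they publish.
        method = "review published assurance (e.g. SOC 2 report, ISO 27001 certificate)"
    return {"vendor": vendor.name, "tier": tier, "risk_score": score, "method": method}


def prioritise(vendors, critical_assets: dict) -> list:
    """Assessment order: tier ascending, then risk score descending."""
    plan = [assign_tier(v, critical_assets) for v in vendors]
    return sorted(plan, key=lambda r: (r["tier"], -r["risk_score"]))


def tactical_scope(vendors, affected_countries) -> list:
    """Scope for a tactical reassessment after an external event affecting the
    given countries: every vendor operating there, regardless of tier."""
    affected = set(affected_countries)
    return sorted(v.name for v in vendors if v.operating_countries & affected)


# Constructed sample inventory (not real vendors).
CRITICAL_ASSETS = {"customer_db": 1, "payroll": 2, "intranet_wiki": 3}

SAMPLE_VENDORS = [
    Vendor("HyperscaleCloud", 900_000, frozenset({"data_hosting", "technology"}),
           frozenset({"customer_db"}), frozenset({"US", "IE"}),
           accepts_bespoke_assessment=False),
    Vendor("PayrollCo", 120_000, frozenset({"financial", "data_hosting"}),
           frozenset({"payroll"}), frozenset({"GB"})),
    Vendor("WikiHost", 8_000, frozenset({"technology"}),
           frozenset({"intranet_wiki"}), frozenset({"DE"})),
    Vendor("RegionalConsultancy", 30_000, frozenset({"privileged_access", "geography"}),
           frozenset(), frozenset({"UA", "PL"})),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_VENDORS, CRITICAL_ASSETS):
        print(row)
    print("tactical scope:", tactical_scope(SAMPLE_VENDORS, {"UA"}))
```

The point of the combination rule is that a cheap vendor with privileged access (RegionalConsultancy in the sample) is not buried in tier 3 just because its contract is small, while the hyperscaler lands in tier 1 but is assessed from its published reports rather than a questionnaire it will never answer.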


It’s about getting as much information as you can by asking as few questions as possible.

Creating a Question Set for TPRM

When it comes to crafting your TPRM Question Sets, less is most definitely more. You may be tempted to put together hundreds of questions covering every topic under the sun. But is this going to give you the information you need? And, more importantly, is your busy vendor even going to answer all of your questions? 


Another important consideration is to decide just how specific to make your Question Sets. Make them too generic and you may not be able to capture the data you need. But make them too specific to your business and your vendor is going to find it incredibly difficult to provide answers in the detail you are looking for. 


At the end of the day, it's a balancing act, one that means you should keep your Question Sets as targeted as possible. So, rather than sending 200 questions, send 20, but make sure they are well thought through so that they gather the information your risk program actually needs. This is where it can help to build on established Question Sets such as the Secure Controls Framework (SCF), the Shared Assessments Standardized Information Gathering (SIG) questionnaire and the Cyber Risk Institute Profile. Whether they come from consultants or from an industry standard, starting from a recognized set makes it easier to get the data you need and easier for vendors to answer, since they will often have responded to the same questions before.


The more effort you put into making your Question Set as rigorous as it can be, the better the quality of information you will ultimately receive back.

Putting your TPRM to work

In today's interconnected world, third parties play an important role in your organization's success, but they can also be its weakest link in terms of risk management.


If we are going to reap the rewards of third-party relationships, then we must also identify, manage and mitigate the risks. A rigorous TPRM program is key to achieving just that. However, it cannot be viewed as a standalone process or a checkbox for compliance. Instead, to successfully navigate the challenges of third-party risk management, you have to treat it as an ongoing function: a process rolled into your existing GRC infrastructure that monitors and prevents exposure continuously, rather than one that simply reacts to issues as they arise.


Find out more about third-party risk management and how it impacts your organization. Listen to this podcast episode, where Yang Zheng, Nick Rafferty, and I discuss Common Third-Party Risk Management Challenges for Organizations or watch the podcast video here.


You can listen to other episodes of SureCloud's Capability-Centric GRC & Cyber Security Podcast here.