Navigating the Challenges of Third-party Risk Management
Third-party risk management should be integral to modern organizational practice. From software to consulting services and hosting, businesses are increasingly turning to third-party providers. This trend spans every area of their operations, resulting in a more intricate technology landscape and an expanded supplier network. According to Gartner, 60% of organizations now work with more than 1,000 third parties. Despite the added complexity, these relationships are critical to business success: they deliver affordable, responsive and scalable solutions that help organizations grow and adapt to their customers' needs.
But as reliance on third parties grows, so too does the exposure to additional risk, and effective third-party oversight is more important than ever. So how can you ensure that your third-party risk management (TPRM) processes are ready to face the challenges of an ever-evolving commercial landscape?
Third-party risk is more than a checkbox exercise
Often, organizations start thinking about TPRM because of compliance drivers. They face a wide range of regulatory requirements around data privacy, change management and data hosting. Whatever the motivation, all too often this activity is treated as little more than checking a box.
Reducing this kind of risk management to a compliance exercise does not address the root causes underlying complex risks. In fact, by viewing TPRM as a set of minimum requirements, it is easy to overlook potential risks that could become real issues for your organization. This is particularly true when vendors are viewed in isolation: activities are not standardized and aligned across the organization, creating chinks in your risk management armor.
Instead, your organization should take a holistic approach. Integrating TPRM with your wider Governance, Risk and Compliance (GRC) program can have huge benefits. By embedding your assessment program in your wider compliance landscape, you won't just be conducting a one-time vendor audit; you'll be proactively assessing third-party risks and continuously improving operations, efficiencies and processes to enhance the security of every part of your supplier network. Information can then flow throughout the business, ensuring that risks are identified and treated on an ongoing basis.
Determining the scope of your assessment is vital
Many organizations simply don't have the resources to assess all of their third-party providers at a granular level. So your very first step should be to take an inventory of all of your third parties, recording who your vendors are and what business functions they support. Armed with this information, you can prioritize your analysis.
Three key considerations can provide a structure for your assessment:
- Cost – This is a sensible starting point for most organizations and often the easiest way to structure an assessment. By looking at the contractual value of each vendor, you can tier them accordingly. Bear in mind that contract value is only a rough proxy: a low-cost vendor can still hold sensitive data or have privileged access to your systems.
- Risk type – Another way of categorizing your vendors is by the type of risk they expose your organization to. Consider factors such as geography, technology and financial risk, then rank the risks by how likely they are to occur.
- Criticality – This is the most sophisticated approach. It ranks each vendor by identifying which of your critical assets, systems and processes the vendor touches, and what the repercussions for your organization would be if that vendor failed or was compromised.
Sometimes other factors determine whether a third party falls within the scope of your assessment. You may find, for example, that a vendor will not allow you to assess them. That is often the case with large providers such as Google, Amazon or Microsoft, who may well be critical to your business success but are unlikely to give you bespoke information for your audit; for these vendors you will typically have to rely on the standard assurance material they publish, such as independent audit reports and certifications.
Alternatively, external factors might dictate the scope of your assessment. Whether it is a global pandemic like COVID-19 or a major geopolitical event such as Russia's war in Ukraine, organizations often conduct tactical assessments to analyze the impact of their expanded risk profile.
It’s about getting as much information as you can by asking as few questions as possible.
Creating a Question Set for TPRM
When it comes to crafting your TPRM Question Sets, less is most definitely more. You may be tempted to put together hundreds of questions covering every topic under the sun. But will this give you the information you need? And, more importantly, is your busy vendor even going to answer all of your questions?
Another important consideration is how specific to make your Question Sets. Make them too generic and you may not capture the data you need. Make them too specific to your business and your vendor will find it very difficult to answer in the detail you are looking for.
At the end of the day, it's a balancing act, and one that means you should keep your Question Sets as targeted as possible. So, rather than sending 200 questions, send 20, but make sure they are well thought through so that they gather the information your risk program needs. This is where it can help to leverage existing Question Sets such as the Secure Controls Framework (SCF), the Shared Assessments Standardized Information Gathering (SIG) questionnaire, or the Cyber Risk Institute Profile. Whether they come from consultants or form part of an industry standard, building on them helps ensure you get the data you need.
The more effort you put into making your Question Set as rigorous as it can be, the better the quality of information you will ultimately receive back.
Putting your TPRM to work
In today's interconnected world, third parties play an important role in your organization's success, but they can also be its weakest link in terms of risk management.
If we are going to reap the rewards of third-party relationships, then we must also identify, manage and mitigate the risks, and a rigorous TPRM program is key to achieving that. However, it cannot be viewed as a standalone process or a compliance checkbox. To successfully navigate the challenges of third-party risk management, you have to treat it as an ongoing function: a process rolled into your existing GRC infrastructure that helps monitor and prevent exposure in real time, rather than simply reacting to issues as they arise.
Find out more about third-party risk management and how it impacts your organization. Listen to this podcast episode, where Yang Zheng, Nick Rafferty, and I discuss Common Third-Party Risk Management Challenges for Organizations or watch the podcast video here.
You can listen to other episodes of SureCloud's Capability-Centric GRC & Cyber Security Podcast here.