The extent to which businesses depend on third parties has skyrocketed in recent years, particularly with the evolution of digital transformation. As businesses find it easier to connect and scale their operations across various geographies, third-party dependencies are becoming increasingly common. They’re also harder to track and monitor, making it difficult for businesses to ensure third parties are fully meeting their requirements. On top of this, organizations also need to consider their third parties’ own vendors, as fourth-party risk can leave businesses exposed as well.
The answer to these problems is an effective Third-Party Risk Management program that can grow and scale as your organization develops. A structured Third-Party Risk Management (TPRM) process allows businesses to be proactive instead of reactive, identifying, assessing, and managing third-party risk throughout the vendor lifecycle. No business is an island, and a solid supplier assurance program will help businesses feel confident in their risk position.
While most businesses have established some form of third-party risk program, they still aren’t able to assess all of the vendors that matter, with ‘two-thirds of respondents indicating that their TPRM programs are in the earlier stages of maturity’ (Compliance Weekly). Many still struggle with basic elements of TPRM, such as identifying and documenting vendors, conducting initial due diligence, assessing and reassessing vendors when needed, and consistently reporting third-party risks. This is often due to organizations trying to ‘run before they can walk’, stretching resources and technology across what is quickly becoming a complex and dynamic process of managing third-party risk.
To resolve this, businesses need to start viewing TPRM as a journey rather than something that can be fixed overnight. It’s a constantly evolving process designed to help businesses stay resilient in a fast-moving environment with ever-changing suppliers. To progress a Third-Party Risk Management program, organizations should view the journey as a series of key steps instead of taking the ‘nuclear’ approach and attempting everything at once.
Businesses need to think carefully about the level of resources they have and what they can achieve within those limits. As your team begins to grow and develop, so will your third-party risk processes. As these formalize, you will need to ensure they are documented and aligned to your TPRM program objectives.
Businesses should start with a complete list of third-party vendors, then move on to vendor tiering to determine how much attention each vendor should be given and how closely they’ll need to be assessed and monitored. Once this process has been established, these vendor tiers can be used as templates for onboarding and categorizing future vendors.
To decide the approach you will take to tiering, you need to understand your key stakeholders’ focus, i.e. a financial focus versus an operational-risk focus.
Then it’s time to move on to risk profiling. Risk profiles can be built up through the use of assessment questionnaires to determine whether or not a vendor has sufficient security controls in place. It’s a good idea to have targeted question categories based on what each vendor provides to the business.
This is where things can get difficult, simply because there is no one-size-fits-all approach. An organization should be asking questions that are tailored to its own business and the relationship it has with particular vendors, even referencing any contractual requirements and regulations where appropriate.
It’s a good idea to separate questions out into categories such as Physical Security, ABC, Governance, Access Control, etc., which will allow third parties to be ‘ranked’ both in areas where they’re strong and in areas where they may fall short. It’s important to note at this stage that most organizations will want to work with vendors to fill in any security gaps. With the right approach and attitude, it can be a mutually beneficial process. Assessments can also be made more targeted for vendors with a particularly big role to play.
As a business and its list of vendors grow, it will eventually hit a tipping point where the Third-Party Risk Management process will need to be leveled up. For example, a smaller business may be able to manage this process manually using Excel spreadsheets, but that quickly becomes unsustainable as a way of tracking who has answered what. Instead, businesses will eventually need a dedicated software solution that is scalable from the outset, making use of the resources that become available as the business itself evolves. It’s crucial to only begin looking into a tool once your TPRM program has mastered the steps above. In other words, you must walk before you can run.