Third Party Risk Management

Maintain High Levels Of Operating Efficiency

Companies are increasingly outsourcing critical tasks to their vendors. This practice comes with both benefits and risks. While working with a third party can save you money and help you operate more efficiently, it also creates vulnerabilities. Recent events, such as the Covid-19 pandemic, the SolarWinds cyberattack, the Colonial Pipeline attack, and other ransomware breaches have made vendor-related risks abundantly clear. These events have impacted millions of businesses and their third parties – regardless of industry, company size, or country.

Outsourcing is a necessary component of running a modern business. It not only saves a business money, but it’s a simple way to take advantage of expertise that an organisation might not currently have in-house. The downside is that if a proper third party risk management program is not in place, relying on third parties can leave your business vulnerable.

Effective Third Party Risk Management Programs

An effective TPRM program can reduce the impact of disruptive events and reduce a company’s overall risk exposure. However, TPRM offers far more benefits than just reducing risks. For example, businesses that have implemented a third party risk management program can evaluate and onboard new vendors more efficiently, getting the right tools into the right people’s hands – faster. Additionally, a third party risk program can give organisations the ability to monitor their third party relationships over time, identifying new risks as they arise, as well as measuring third party performance. There are numerous other reasons why third party risk management is important, including the ability to:

  • Hold vendors accountable to contracts 
  • Reduce spend by identifying redundant third parties 
  • Comply with global regulations and industry requirements 
  • Understand how data flows and who has access 
  • Track security controls and manage risk mitigation efforts 
  • Offboard vendors and maintain records for compliance

Managing Third Party Risk

There is no one-size-fits-all approach to managing third party risk. Every company is different. Still, there are common measures that every business with a strong TPRM program must take. These measures include:

  • Defining your risk appetite by developing a risk appetite statement 
  • Managing risks down to the individual product or service offered by a third party
  • Choosing your control framework and assessment standard
  • Identifying the risk types that are most important to your organisation
  • Creating a third party inventory and tracking critical attributes defined by your business 
  • Classifying your vendors based on the criticality

Third Party Risk Management In 8 Steps

Implementation of a TPRM program is highly dependent on the size of your organisation and scale of your third party management program. With that said, many program implementations follow a common methodology. The Data Privacy Group’s Third Party Risk Management experts have created an 8-step approach to implement a Third Party Risk Management program:

1. Build Your Inventory
2. Classify Your Vendors
3. Choose Your Assessment Framework
4. Develop Your Assessment Methodology
5. Define Your Risk Methodology and Control Framework
6. Create Automation Workflows & Triggers
7. Build Your Reports & Dashboards
8. Refine Your Program Over Time

Step 1

Build Your Third Party Inventory

We will import your existing third party list (if you have one) and configure the attributes you’d like to track for each third party. If you don’t have an existing third party list, there are a few methods we can use to identify and onboard third parties, such as conducting third party discovery assessments or leveraging a self-service portal for business users.

Step 2

Classify Your Third Parties

With dozens, hundreds, or even thousands of third parties, it’s difficult to know which matter most. We solve this problem by classifying vendors into different tiers: 

  • Tier 1 third parties: High risk, high criticality 
  • Tier 2 third parties: Medium risk, medium criticality 
  • Tier 3 third parties: Low risk, low criticality

Step 3

Choose Your Assessment Framework

There are many assessment standards or frameworks to choose from. There is no “right” assessment that works for everyone. However, there is likely a “right” assessment framework that works for your company and industry.

We’ll explore these standards and frameworks with you to ensure we land on the “right” framework for your company.

Common industry assessment standards:
Standards for specific industries:
Step 4

Develop Your Assessment Methodology

We will develop your assessment processes, ensuring we consider the following questions:

  • How do we know when a new third party assessment is required?
  • Who should have the ability to launch a third party assessment?
  • How much effort do you want to put into validating assessment answers?
  • Who reviews the assessments?
  • Which assessment questions generate risks?
  • How are flagged risks aggregated and reported on?
  • Are follow-up assessments needed based on initial assessment responses?
  • How often do you need to reassess your vendors?
  • Will you conduct assessments yourself, or would an assessment exchange work for you?

For low-risk vendors: We suggest a third party self-attestation approach in which the third party “attests” to the accuracy of their answers. 

For medium- to high-risk vendors: We suggest taking a more intensive validation approach, such as a remote audit or potentially an onsite audit. 

Step 5

Define Your Risk Methodology and Control Framework

Every TPRM program needs a way to calculate risks. Your risk methodology, along with your chosen control framework, must be defined internally by your organisation. Our Third Party Risk Management experts will work with you to choose a risk strategy appropriate to your needs.

Step 6

Create Automation Workflows & Triggers

As we build your different TPRM workflows, we will consider where we can apply automation to save time. We will look to add automation when:

  • Adding and onboarding new third parties
  • Measuring inherent risk and tiering vendors
  • Assigning risk owners and delegating required mitigation actions
  • Triggering third party performance or renewal reviews
  • Triggering yearly third party reassessments
  • Sending notifications to key stakeholders
  • Scheduling, running, and sharing reports

Every business has unique third party risk management workflows. To streamline these workflows, we will focus on identifying the most repeatable processes and tasks, then begin configuring automation for these specific aspects of your workflows. As each smaller automation is added, efficiency will compound, and your team will reap the time-saving rewards.

Step 7

Build Your Reports & Dashboards

Our Third Party Risk Management experts will work with you to define your reporting requirements and what information would be helpful to display in a dashboard.

The most straightforward metrics we often track include: 

  • Total number of vendors 
  • Vendors by risk score or level 
  • Status on all third party risk assessments 
  • Number of expiring or expired third party contracts 
  • Risks grouped by level (high, medium, low) 
  • Risks by stage within the risk remediation workflow 
  • Risks to your parent organisation and risks to your subsidiaries 
  • Risk history over time

Step 8

Refine Your Program Over Time

Third party risk management is not a static discipline. New threats and requirements are constantly emerging, which is why it’s so important to take a step back from time to time to determine if your program is still hitting the mark. We will work with you periodically to re-assess the program and fix any issues.

Speak to our Third Party Risk Management Experts today

With The Data Privacy Group, you'll always get...

  • Fast-track to compliance
  • Scalable processes
  • Round the clock support
  • Instant expert help
  • No nasty surprises
  • Reduce your time to value