60% of organizations work with over 1,000 third-parties. That number is expected to skyrocket in a short amount of time–and TPRM risk initiatives aren’t keeping pace.
AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, translates current TPRM trends and lessons learned into actionable ideas to help your organization identify, reduce, and monitor third-party risk. Download the full guide here, and continue reading below for actionable strategies to help your company stay ahead of third-party risks looming on the horizon and beyond.
1. Increase Executive- and Board-Level Involvement
Recent trends reflect the reality that increased executive-level involvement and sponsorship is central to the success of any TPRM initiative. The elevated focus from C-suite executives, boards, and audit committees requires management to be ready to provide enhanced TPRM insights, including:
- Identifying key risks in business processes supported or owned by third parties (i.e., identifying key vendors critical to operations, resiliency around critical processes).
- Providing third-party relationship insight that can be utilized during contract negotiation/renewal (e.g., dollars spent, adherence to SLAs, performance to budget).
- Providing clear, relevant, forward-looking executive-level TPRM metrics and reporting (e.g., # of vendors, volume of data stored or processed by vendors, critical business processes dependent on key vendors, # of key control gaps identified, frequency of review, other KPIs built around TPRM processes) supported by processes and technologies that enable continuous monitoring.
- Providing information that helps the organization to react to and comply with changes in reporting requirements (e.g., cybersecurity and climate disclosure requirements).
- Gaining assurance on the operating effectiveness of the TPRM program (e.g., are controls working as designed; are policies and processes being adhered to) through internal audit risk and compliance assessments designed to test effectiveness.
2. Prioritize TPRM Initiatives Based on Risk
As new risk areas emerge (e.g., banking disruptions, ESG, new regulations, etc.), our risk teams aren’t typically expanding at the same pace to handle the increasing depth and breadth of exposure. A key way to offset internal resource constraints is by prioritizing TPRM initiatives based on the level of risk. We recommend adopting risk management technology that supports effective prioritization and lets you focus efforts on the third parties that will have the greatest impact — and likelihood of impact — to the organization.
3. Enable Continuous Monitoring
Continuous monitoring is critical for effective TPRM in today’s chaotic risk environment, in which risks emerge and change with increasing velocity and volatility. Unfortunately, continuous monitoring is often the least mature area of TPRM process for many companies.
Many companies are embracing TPRM technology tools and automation to help centralize governance while supporting and automating continuous monitoring activities and workflows. These technologies can use TPRM data (including key risk indicators, or KRIs) to create strategic value for the organization and drive continuous risk reduction across the third-party surface area.
4. Consider Cyber Insurance Coverage
Given the fast-growing financial, operational, and reputational costs of cybersecurity breaches, cyber insurance coverage is quickly becoming a must-have for many businesses, offering invaluable protection and assistance for helping organizations to withstand and recover from attacks. Unfortunately, we’re in a difficult environment for buying cyber insurance, given ongoing breaches and ransomware incidents, the number of claims that have been paid, and the overwhelming risk insurers have taken on.
Cyber insurance is nevertheless an option for businesses looking to reduce their third-party cybersecurity risk. That’s why we recommend considering cyber insurance coverage, and revisiting your coverage annually, weighing the costs and benefits for your company.
5. Assess TPRM Maturity
Understanding the maturity of your TPRM program is foundational for reducing risk and moving towards a more secure program. The key considerations below can help ensure that you’re asking all the right questions.
Understand Third-Party Dependencies, Categorization, and Value
Consider third parties’ key dependencies, risk categorization, and value to the organization. Identify critical vendors and assess their business and cyber resiliency.
- Remember, all third parties aren’t equal. Determine the risk-criticality of third-party relationships by better understanding services provided, and the impact a loss of services would have to your organization. Put activities in place to mitigate risks to a level that is tolerable to your company’s risk appetite.
- Different tiers deserve different review processes. Critical vendors need deep-dive reviews, and potential onsite audits, but a more narrow-scoped questionnaire may be sufficient for others.
- Focus assessments on the risk scenarios that matter for your organization, referencing the key risks identified via your existing enterprise risk assessment processes.
Download AuditBoard and RSM’s new ebook, Third-Party Risk Management: Trends and Strategies to Help You Stay Ahead of the Curve, to help your organization identify, reduce, and monitor third-party risk.