Deloitte’s 2022 Global Third-Party Risk Management Survey showed that 73% of respondents have a moderate to high level of dependence on cloud service providers (CSPs) — which is expected to increase to 88% in the years ahead. However, only one-third of respondents indicated that they use technology solutions to better understand the ecosystem of material third-party relationships.
The truth underlying these statistics? Third-party risk is real and growing. Any third party — vendor, provider of product components, partner, or customer — can present new risks to your organization. The need for robust third-party risk management (TPRM) has been growing over time, and many organizations are not ready.
While working on AuditBoard’s information security team, we’ve experienced the intensification of TPRM efforts firsthand. In this article, we’d like to share some of our approaches to establishing a process to manage third-party risk, categorizing third-party relationships by risk level, and reviewing and monitoring risk levels of third parties.
Embedding TPRM in Business Processes
TPRM activity is most effective when embedded within existing third-party intake processes, with the most TPRM effort expended on the riskiest relationships. To capture a complete register of all third-party relationships, it helps to partner with colleagues in legal, procurement, and IT. Formalizing TPRM as part of the process of onboarding third parties helps ensure every new relationship gets identified as you populate the register.
Categorizing Third Parties
TPRM can be a resource-intensive process, so it’s helpful to categorize all relationships by risk. Risk categories help ensure your risk management capacity is deployed in proportion to each relationship’s inherent risk.
For instance, a vendor that processes our customer data would be rated high risk, but we would rate the same vendor medium risk if it only processes our proprietary data. We might decide to review high-risk relationships annually and complete onsite audits as part of that review, whereas medium-risk parties are reviewed via controls questionnaires every two years.
Reviewing and Scanning Third Parties — and Tracking Outcomes
Categorization schemes vary from one organization to the next, and so do approaches to reviewing third-party relationship risk, which can also differ from one risk category to the next. There are a number of approaches we can take to review third parties’ risk profiles:
- Compliance certifications and reports are cost- and time-effective to review, and have the added benefit of independent verification of adherence to certain regulatory requirements. Frameworks like Google’s SLSA and NIST SP 800-161 have been helpful resources for us recently. However, they may not be specific enough to address every relationship’s particular risk profile or controls needs.
- Standardized questionnaires like the Standardized Information Gathering (SIG) questionnaire or the Cloud Security Alliance’s CCM and CAIQ offer standardization and an easy basis for comparing responses, though gathering third-party risk data this way is both manual and subjective.
- Security controls questionnaires have the benefit of being customizable by third-party type, use case, data classification, access level, and likely impact area. But like standardized questionnaires, controls questionnaires are also manual and subjective.
The frequency of reviews will depend on a third party’s level of risk. We recommend augmenting periodic reviews with targeted assessments following publicly disclosed zero-day vulnerabilities, data breaches, and other security incidents. Internal risk evaluations might trigger targeted assessments as well.
Any third party may look good based on a point-in-time review alone, but its posture is likely to change over time. Where software-as-a-service (SaaS) and similar providers are concerned, it helps to assess their environments periodically to maintain a more active view of vulnerabilities.
Looking ahead, as you identify risks through these reviews, monitoring, and other means, you’ll want to identify who owns the risk, establish a timeline for remediation, and track the risk until remediation is complete. You’ll want to track the latest review dates and review outcomes as well. Large, complex organizations with many third-party relationships will benefit from maintaining a single database of all third-party relationship information.
Advance Your TPRM Journey Today
Many organizations will benefit from establishing or strengthening TPRM programs, because third-party risk is growing. Organizations can get better at TPRM by categorizing their third parties by risk level and then focusing their risk management resources on the riskiest among them — in addition to implementing purpose-built third-party risk management technology. By mastering your TPRM risk data, tracking relationships, reviews, and outcomes in one place, you’ll put yourself in a stronger position to build an effective TPRM program.
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.