Third-party risk management (TPRM) has become a major concern for business leaders. There is an increased reliance on products and services offered by third-party vendors, which in turn expands the surface for security incidents, data breaches, and other risk exposure caused by those vendors. This change in risk exposure posed by third parties calls for organizations to take an active role in managing and mitigating third-party risks before negative impacts are faced by their customers or operations.
This article will explore five top challenges facing third-party risk management today and provide potential solutions. For a deeper dive into the subject, watch our related on-demand webinar, “Taking a Strategic Approach to Your Third-Party Risk Management Program.”
Challenge 1: Gathering a complete supplier universe
The first challenge in third-party risk management is creating visibility by building and maintaining an inventory or register that represents the full universe of current and prospective suppliers that could present risk to your organization. It is important to consider that there may not be just one source of vendor information. Consider reconciling vendor information across sources like intake questionnaires from Compliance, financial spend from Accounting, and contracts from Legal. Fourth parties (the vendors supporting your vendors) are also an important consideration and an enhancement to the vendor record. This universe or inventory should be easy to maintain and update with new information obtained through intake procedures and manual or automated reconciliation processes that capture vendors across sources.
Challenge 2: Determining the state of vendor due diligence
The next challenge is determining and keeping track of the risk management activities required for each vendor at any given point in time. Depending on a combination of attributes, such as the vendor type, criticality to the business, or risk level, organizations can impose different levels of due diligence activities for their vendors, which are often aligned to a risk tier. Risk tiering allows organizations to set the cadence for recurring reviews based on overall risk.
Start by indicating the progress and next review dates for each vendor. You could manually track the status information on a spreadsheet, but the ideal solution is to use an automated status tracking system or dashboard. You can also consider vendor monitoring software or a connected platform to collect the status of each due diligence activity. The goal is to have a readily accessible view of all vendor due diligence activities that are in progress and completed, with alerts for issues that require a particular team’s attention or emerging trends that third-party risk managers should bring to management’s attention.
Challenge 3: Performing due diligence activities
Aside from tracking the status of due diligence activities, the process of performing a new vendor intake, sending questionnaires, requesting vendor support, researching, and then reviewing all the documentation related to that review presents a real challenge for many organizations. For gathering due diligence responses and documentation, you can use survey tools or a service management/ticketing system, but you will need to reconcile the data with your vendor universe. On the other hand, if you use an integrated GRC system or vendor management tool, intake functionality, questionnaires, and communication functionality are often included, with responses feeding directly into the vendor record. For higher-risk vendors, remote or onsite audits may be necessary to ensure they meet organizational policies or align with defined risk tolerance. Lower-risk vendors may only require a review of documentation or compliance reports, or no review at all. The objective should be to spend your risk management resources in proportion to the inherent risk of each vendor.
Challenge 4: Risk treatment planning
The question arising from every review is, “Is the level of risk presented appropriate enough to move forward with this vendor, or are there mitigations that need to be addressed by the vendor, the internal business owner, or both?” The answer to this question often depends on the vendor risk tier or the service’s materiality in your business operations.
A more significant challenge arises when very few vendors have qualified, or none meet your security or privacy requirements. Some vendors simply will not meet your organization’s needs. Sometimes your organization may allow a vendor to resolve a deficiency or deviation from a policy that would otherwise disqualify them from the partnership. When this occurs, engaging with the vendor and establishing a realistic, agreed-upon timeline to address the issues you discover is important. The remediation should be assigned to a responsible party and tracked through to completion according to a defined plan or timeline. In certain cases, the addition of contractual obligations with specific deliverables required for the continued partnership might also be a helpful risk treatment strategy.
Challenge 5: Assessing vendor risk individually and in aggregate
Getting through the first four challenges is just part of the puzzle. The next challenge is bringing all this data together to paint a picture of the risk of a single vendor, the individual enterprise or security risks impacted by a collection of vendors, and an aggregate risk view of the supplier universe. When you systematically associate risks with vendors, you can pivot the association and see which risks are impacted by which vendors. This insight may help your organization decide which vendors to favor, avoid, or even replace based on risk rankings that ultimately aggregate into an overall TPRM risk. Providing transparent reporting to management on the riskiest third parties or the areas of the business with the highest levels of third-party risk can be helpful for cultivating risk-aware decision making and driving a reduction of third-party risk across the organization.
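The following Python script is an added illustration, not code from the article or from AuditBoard, of two of the mechanics described above: the risk tiering and review cadence from Challenge 2, and the vendor-to-risk pivot and aggregate view from Challenge 5. The tier rules, cadence lengths, tier weights, activity names, vendor records, and the AS_OF reporting date are all constructed assumptions chosen so the output is reproducible; a real program would draw them from the organization's policy and vendor register.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed tiering policy (an assumption for this example, not a standard the
# article prescribes): each inherent-risk tier sets the recurring review cadence,
# a weight used for aggregation, and the minimum due-diligence activities expected.
TIER_POLICY = {
    "high":   {"cadence_days": 365,  "weight": 3, "activities": {"questionnaire", "evidence_review", "audit"}},
    "medium": {"cadence_days": 730,  "weight": 2, "activities": {"questionnaire", "evidence_review"}},
    "low":    {"cadence_days": 1095, "weight": 1, "activities": {"questionnaire"}},
}

# Fixed "as of" date for the dashboard so results do not depend on the clock.
AS_OF = date(2024, 6, 1)


@dataclass
class Vendor:
    """One entry in the vendor register (a minimal, constructed schema)."""
    name: str
    criticality: str                 # "critical", "important" or "standard"
    handles_sensitive_data: bool
    last_review: Optional[date]      # None means the vendor has never been reviewed
    completed: set = field(default_factory=set)   # due-diligence activities already done
    risks: set = field(default_factory=set)       # enterprise/security risks this vendor affects


def inherent_tier(v: Vendor) -> str:
    """Map vendor attributes to a risk tier; the rules here are illustrative only."""
    if v.criticality == "critical" or v.handles_sensitive_data:
        return "high"
    if v.criticality == "important":
        return "medium"
    return "low"


def outstanding_activities(v: Vendor) -> set:
    """Activities the tier requires that have not been completed for this vendor."""
    return TIER_POLICY[inherent_tier(v)]["activities"] - v.completed


def next_review_date(v: Vendor, today: date) -> date:
    """A never-reviewed vendor is due immediately; otherwise apply the tier cadence."""
    if v.last_review is None:
        return today
    return v.last_review + timedelta(days=TIER_POLICY[inherent_tier(v)]["cadence_days"])


def is_overdue(v: Vendor, today: date) -> bool:
    return next_review_date(v, today) <= today


def status_dashboard(vendors, today: date) -> list:
    """One row per vendor: the readily accessible status view described in Challenge 2."""
    return [
        {
            "vendor": v.name,
            "tier": inherent_tier(v),
            "outstanding": sorted(outstanding_activities(v)),
            "next_review": next_review_date(v, today).isoformat(),
            "overdue": is_overdue(v, today),
        }
        for v in vendors
    ]


def pivot_risks(vendors) -> dict:
    """Invert vendor -> risks into risk -> sorted vendor names (the Challenge 5 pivot)."""
    by_risk = {}
    for v in vendors:
        for r in v.risks:
            by_risk.setdefault(r, []).append(v.name)
    return {r: sorted(names) for r, names in by_risk.items()}


def aggregate_risk_scores(vendors) -> list:
    """Tier-weighted exposure per risk, highest first; ties broken by risk name."""
    scores = {}
    for v in vendors:
        weight = TIER_POLICY[inherent_tier(v)]["weight"]
        for r in v.risks:
            scores[r] = scores.get(r, 0) + weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_register() -> list:
    """Constructed sample vendors; names, attributes and risks are invented for the demo."""
    return [
        Vendor("PayCo", "critical", True, date(2023, 1, 15),
               {"questionnaire", "evidence_review"}, {"payment-fraud", "data-breach"}),
        Vendor("CloudHost", "important", True, None, set(), {"data-breach", "availability"}),
        Vendor("OfficeSupply", "standard", False, date(2024, 3, 1), {"questionnaire"}, {"availability"}),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for row in status_dashboard(register, AS_OF):
        print(row)
    print(pivot_risks(register))
    print(aggregate_risk_scores(register))
```

Running the script shows the two views side by side: the dashboard flags PayCo as overdue with an audit still outstanding and CloudHost as due immediately because it has never been reviewed, while the pivot and the weighted scores rank "data-breach" as the risk with the most third-party exposure because two high-tier vendors sit behind it. Swapping the weights or cadences in TIER_POLICY is how an organization would tune the model to its own risk tolerance.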
Taking Action in TPRM
While organizations depend on each other for mutual success, we cannot let our guard down even after a relationship is established. By actively vetting, managing third-party risk, and using technology as an enabler, we are positioning our organizations to avoid damaging surprises. To learn more, watch our related on-demand webinar, “Taking a Strategic Approach to Your Third-Party Risk Management Program.”
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.