Building the TPRM Business Case

Published by Sabrina Pagnotta on April 22, 2021
Categories
  • Blog
Tags
  • TPRM Best Practices
You know it’s time to build the TPRM business case when you’re tired of tracking gigantic spreadsheets and chasing vendors via email to complete your assessments. If you seek to manage third-party risk in a more efficient and scalable way, start by letting the C-level know why you need a third-party risk management (TPRM) tool with a strong business case.

Let’s start with a quick definition:

A business case is the justification for undertaking a project, programme or portfolio. It brings together the benefits, disadvantages, costs and risks of alternative options and provides a rationale for the preferred solution.

Identifying the problem

It all starts with identifying the problem or challenge that’s getting in the way of achieving your goals. In the TPRM business case, it’s usually the tremendous workload required to complete third-party risk assessments before engaging in a business relationship, plus the follow-on work of managing and monitoring that relationship.

For enterprises conducting evaluations, this includes sending spreadsheets with requirements, deciding which requirements apply to each new potential vendor, chasing them to complete the assessments and respond to any findings, and then asking for periodic updates of security documentation. Not to mention the need to have a clear understanding of risk across the supply chain: who the riskiest third parties are, where to focus, and how to continuously monitor the vendor ecosystem.


For third-party vendors being assessed, this means answering the same security questions and sharing the same documents over and over again – questionnaires, certifications, insurances, you name it.

These issues are an important part of the TPRM business case. They express the problems with the current situation and demonstrate the benefits of the new vision.

Analyzing the solutions

Once the problem or improvement opportunity is identified, it’s time to analyze the possible solutions. We discussed “the good, the bad, and the ugly” in another blog, but essentially there are three ways of tackling TPRM:

  1. With a purpose-built tool – A TPRM workflow management platform
  2. With a tool built for something else that you can somewhat adapt – While the intentions are good, this means tacking functionality onto an existing framework that may or may not work
  3. Without a tool – Sticking to the manual process with emails and spreadsheets

Ideally you’re trying to answer the million-dollar question: Is purchasing a TPRM tool worth the investment? To answer it, the TPRM business case justifies the need for resources or expenditure in order to seek approval from the C-level.

There are different templates and ways to lay out the TPRM business case, but as a rule of thumb it should include the following sections:

  • Executive Summary
  • Current situation and possible solutions
  • Financial analysis
  • Project definition
  • Project organization

Don’t forget to describe the benefits, technical solutions needed and the impact on operations. It’s also a good practice to estimate costs and dates.

Fitting the use case in the TPRM business case

As the situational analysis, project scope, and finance aspects vary across organizations, we’ll focus on the TPRM use case when going for choice #1 (the dedicated TPRM tool).

As an exercise, we’ll build the use case for adopting our ThirdPartyTrust platform with its two offerings: Enterprise and Beacon. Fun fact: this was based on the proposal that a real customer used to promote ThirdPartyTrust in their organization.

It would go something like this:

ThirdPartyTrust is a third-party risk management (TPRM) workflow management, document repository, and process automation platform that facilitates third-party risk assessments at scale. Its unique network approach allows for streamlined processes to expedite risk assessments and eliminate the dependency on email and spreadsheets.

With 17,000+ (and counting) third-party security profiles readily available, combined with continuous monitoring based on security rating data feeds, the collective intelligence of the network is leveraged to solve the problem of repetitive, manual efforts.

By using ThirdPartyTrust, an organization can improve third-party risk management and process automation regardless of directional need, i.e. whether ‘sharing-in’ or ‘sharing-out’. In this sense, ThirdPartyTrust addresses three use cases, summarized below.

Use case 1: Network Share-In (To be used primarily by Information Security teams)

Enables organizations to assess more vendors with the same resources, by scaling their process to request security documents, review questionnaires, manage findings and centralize communication with vendors through a single platform.

Use case 2: Network Share-Out (To be used primarily by GRC teams)

Enables organizations that are a third party to other organizations to easily share their security posture and compliance documentation with partners, customers and regulators. This reduces the workload of completing questionnaires, speeds up the sales cycle and improves ROI. Third parties can save time and manual effort by securely sharing a centralized security/compliance profile, thus avoiding starting from scratch on every customer security assessment.

This Beacon profile includes all questionnaires, certifications, and attestations (e.g., SIG Core and Lite, Cloud Security Alliance CAIQ, SOC reports, ISO certifications, PCI-DSS AOCs, pen tests, insurance documentation, etc.).

Use case 3: Periodic or Ad-Hoc Compliance Check-Ins (To be used by Information Security and GRC teams)

ThirdPartyTrust contributes positively to periodic re-assessments and third-party incident management (e.g., incidents impacting the supply chain ecosystem like SolarWinds).

  • Improve visibility across the entire vendor ecosystem and focus on the most pressing issues
  • Quickly determine whether information previously supplied is still evergreen
  • Easily send custom questionnaires through widespread outreach efforts
  • Track responses, create findings, collect documentation and easily add these new layers on top of existing assessments

Key Benefits

  • The entire community of organizations and third parties benefits from sharing information both ways
  • Community crowd-sourced evidence gathering (answer once, share repeatedly)
  • ThirdPartyTrust pre-built integrations (BitSight, RiskRecon, SecurityScorecard, and more)
  • Built from the ground up on APIs (integrates well with other systems)
  • Ability to require a third party to add its most critical vendors to the platform (i.e. fourth-party risk management)
  • Intuitive UI/UX
  • Dedicated Customer Success Support (via integrated chat, email or telephone)

 


Sabrina Pagnotta, Sr. Content Strategist