Building the TPRM Business Case

Published by Sabrina Pagnotta on April 22, 2021

Identifying the problem

It all starts with identifying the problem or challenge that’s getting in the way of achieving your goals. In the TPRM business case, it’s usually the tremendous workload required to complete third-party risk assessments to engage in a business relationship. Plus the after work of managing and monitoring that relationship.

For enterprises conducting evaluations, this includes sending spreadsheets with requirements, deciding which requirements apply to each new potential vendor, chasing them to complete the assessments and respond to any findings, and then asking for periodic updates of security documentation. Not to mention the need to have a clear understanding of risk across the supply chain, who are the riskiest third-parties, where to focus, and how to continuously monitor the vendor ecosystem.

Download our free strategy guide: Building a Scalable TPRM Program

For third-party vendors being assessed, this means answering the same security questions and sharing the same documents over and over again – questionnaires, certifications, insurances, you name it.

These issues are an important part of the TPRM business case. They express the problems with the current situation and demonstrate the benefits of the new vision.

Analyzing the solutions

Once the problem or improvement opportunity is identified, it’s time to analyze the possible solutions. We discussed “the good, the bad, and the ugly” in another blog, but essentially there are three ways of tackling TPRM:

With a purpose-built tool – A TPRM workflow management platform
With a tool built for something else that you can somewhat adapt – While their intentions are good, they’re tackling up functionality to an existing framework that may or may not work
Without a tool – Sticking to the manual process with emails and spreadsheets

Ideally you’re trying to answer the million dollar question: Is purchasing a TPRM tool worth the investment? To answer that question, the TPRM business case justifies the need for resources or expenditure to seek approval from the C-level.

There are different templates and ways to layout the TPRM business case, but as rule of thumb it should include the following sections:

Executive Summary
Current situation and possible solutions
Financial analysis
Project definition
Project organization

Don’t forget to describe the benefits, technical solutions needed and the impact on operations. It’s also a good practice to estimate costs and dates.

Fitting the use case in the TPRM business case

As the situational analysis, project scope, and finance aspects vary across organizations, we’ll focus on the TPRM use case when going for choice #1 (the dedicated TPRM tool).

As an exercise, we’ll build the use case for adopting our ThirdPartyTrust platform with its two offerings: Enterprise and Beacon. Fun fact: this was based on the proposal that a real customer used to promote ThirdPartyTrust in their organization.

It would go something like this:

ThirdPartyTrust is a third-party risk management (TPRM) workflow management, document repository, and process automation platform that facilitates third-party risk assessments at scale. Its unique network approach allows for streamlined processes to expedite risk assessments and eliminate the dependency on email and spreadsheets.

With 17,000+ (and counting) third-party security profiles readily available, combined with continuous monitoring based on security rating data feeds, the collective intelligence of the network is leveraged to solve the problem of repetitive, manual efforts.

By using ThirdPartyTrust, an organization can improve third-party risk management and process automation regardless of directional need – ie. whether ‘sharing-in’ or ‘sharing-out’. In this sense, ThirdPartyTrust addresses three use cases, summarized below.

Use case 1: Network Share-In (To be used primarily by Information Security teams)

Enables organizations to assess more vendors with the same resources, by scaling their process to request security documents, review questionnaires, manage findings and centralize communication with vendors through a single platform.

Use-Case 2: Network Share-Out (To be used primarily by GRC teams)

Enables organizations that are a third-party to other organizations to easily share their security posture and compliance documentation with partners, customers, regulators. This reduces the workload of completing questionnaires, speeds up the sales cycle and improves ROI. Third-parties can save time and manual effort by securely sharing a centralized security/compliance profile, thus avoiding starting from scratch on every customer security assessment.

This Beacon profile includes all questionnaires, certifications, and attestations (eg., SIG Core and Lite, Cloud Security Alliance CAIQ, SOC Reports, ISO Certifications, PCI-DSS AOCs, pen tests, insurance documentation, etc.).

Use case 3: Periodic or Ad-Hoc Compliance Check-Ins (To be used by Information Security and GRC teams)

ThirdPartyTrust contributes positively to periodic re-assessments and third-party incident management (eg., incidents impacting the supply chain ecosystem like Solarwinds).

Improve visibility across the entire vendor ecosystem and focus on the most pressing issues
Quickly determine whether information previously supplied is still evergreen
Easily send custom questionnaires through widespread outreach efforts
Track responses, create findings, collect documentation and easily add these new layers on top of existing assessments

Key Benefits

The entire community of organizations and third-parties benefits from sharing information both ways
Community crowd-sourced evidence gathering (answer once, share repeatedly)
ThirdPartyTrust pre-built integrations (BitSight, RiskRecon, SecurityScorecard, and more)
Built from the ground-up on APIs (integrates well with other systems)
Ability to require third-party to add its most critical vendors to platform (ie. fourth-party risk management)
Intuitive UI/UX
Dedicated Customer Success Support (via integrated chat, email or telephone)

To learn more about how ThirdPartyTrust can help you streamline your third-party risk assessment and monitoring process, request your free trial now:

Explore ThirdPartyTrust

Sabrina Pagnotta

Sr. Content Strategist

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.