Let’s start with a quick definition:
A business case is the justification for undertaking a project, programme or portfolio. It brings together the benefits, disadvantages, costs and risks of alternative options and provides a rationale for the preferred solution.
It all starts with identifying the problem or challenge that’s getting in the way of achieving your goals. In the TPRM business case, it’s usually the tremendous workload required to complete third-party risk assessments before engaging in a business relationship, plus the follow-on work of managing and monitoring that relationship.
For enterprises conducting evaluations, this includes sending spreadsheets with requirements, deciding which requirements apply to each new potential vendor, chasing them to complete the assessments and respond to any findings, and then asking for periodic updates of security documentation. Not to mention the need to have a clear understanding of risk across the supply chain: who the riskiest third parties are, where to focus, and how to continuously monitor the vendor ecosystem.
For third-party vendors being assessed, this means answering the same security questions and sharing the same documents over and over again – questionnaires, certifications, insurances, you name it.
These issues are an important part of the TPRM business case. They express the problems with the current situation and demonstrate the benefits of the new vision.
Once the problem or improvement opportunity is identified, it’s time to analyze the possible solutions. We discussed “the good, the bad, and the ugly” in another blog post, but essentially there are three ways of tackling TPRM:
Ideally you’re trying to answer the million dollar question: Is purchasing a TPRM tool worth the investment? To answer that question, the TPRM business case justifies the need for resources or expenditure to seek approval from the C-level.
There are different templates and ways to lay out the TPRM business case, but as a rule of thumb it should include the following sections:
Don’t forget to describe the benefits, technical solutions needed and the impact on operations. It’s also a good practice to estimate costs and dates.
As the situational analysis, project scope, and financial aspects vary across organizations, we’ll focus on the TPRM use case when going for choice #1 (the dedicated TPRM tool).
As an exercise, we’ll build the use case for adopting our ThirdPartyTrust platform with its two offerings: Enterprise and Beacon. Fun fact: this was based on the proposal that a real customer used to promote ThirdPartyTrust in their organization.
It would go something like this:
ThirdPartyTrust is a third-party risk management (TPRM) workflow management, document repository, and process automation platform that facilitates third-party risk assessments at scale. Its unique network approach allows for streamlined processes to expedite risk assessments and eliminate the dependency on email and spreadsheets.
With 17,000+ (and counting) third-party security profiles readily available, combined with continuous monitoring based on security rating data feeds, the collective intelligence of the network is leveraged to solve the problem of repetitive, manual efforts.
By using ThirdPartyTrust, an organization can improve third-party risk management and process automation regardless of directional need, i.e. whether ‘sharing-in’ or ‘sharing-out’. In this sense, ThirdPartyTrust addresses three use cases, summarized below.
Enables organizations to assess more vendors with the same resources, by scaling their process to request security documents, review questionnaires, manage findings and centralize communication with vendors through a single platform.
Enables organizations that are a third party to other organizations to easily share their security posture and compliance documentation with partners, customers, and regulators. This reduces the workload of completing questionnaires, speeds up the sales cycle and improves ROI. Third parties can save time and manual effort by securely sharing a centralized security/compliance profile, thus avoiding starting from scratch on every customer security assessment.
This Beacon profile includes all questionnaires, certifications, and attestations (e.g., SIG Core and Lite, Cloud Security Alliance CAIQ, SOC reports, ISO certifications, PCI-DSS AOCs, pen tests, insurance documentation, etc.).
ThirdPartyTrust contributes positively to periodic re-assessments and third-party incident management (e.g., incidents impacting the supply chain ecosystem, like SolarWinds).
To learn more about how ThirdPartyTrust can help you streamline your third-party risk assessment and monitoring process, request your free trial now: