You know it’s time to build the TPRM business case when you’re tired of tracking gigantic spreadsheets and chasing vendors via email to complete your assessments. If you want to manage third-party risk in a more efficient and scalable way, start by building a strong business case that tells the C-level why you need a third-party risk management (TPRM) tool.
Let’s start with a quick definition:
A business case is the justification for undertaking a project, programme or portfolio. It brings together the benefits, disadvantages, costs and risks of alternative options and provides a rationale for the preferred solution.
Identifying the problem
It all starts with identifying the problem or challenge that’s getting in the way of achieving your goals. In the TPRM business case, it’s usually the tremendous workload required to complete third-party risk assessments before engaging in a business relationship, plus the follow-on work of managing and monitoring that relationship afterwards.
For enterprises conducting evaluations, this includes sending spreadsheets with requirements, deciding which requirements apply to each new potential vendor, chasing them to complete the assessments and respond to any findings, and then asking for periodic updates of security documentation. Not to mention the need to have a clear understanding of risk across the supply chain: which third parties are the riskiest, where to focus, and how to continuously monitor the vendor ecosystem.
For third-party vendors being assessed, this means answering the same security questions and sharing the same documents over and over again – questionnaires, certifications, insurances, you name it.
These issues are an important part of the TPRM business case. They express the problems with the current situation and demonstrate the benefits of the new vision.
Analyzing the solutions
Once the problem or improvement opportunity is identified, it’s time to analyze the possible solutions. We discussed “the good, the bad, and the ugly” in another blog post, but essentially there are three ways of tackling TPRM:
- With a purpose-built tool – A TPRM workflow management platform
- With a tool built for something else that you can somewhat adapt – While the intention is good, this means tacking functionality onto an existing framework that may or may not work
- Without a tool – Sticking to the manual process with emails and spreadsheets
Ideally you’re trying to answer the million-dollar question: Is purchasing a TPRM tool worth the investment? To answer that question, the TPRM business case justifies the need for resources or expenditure in order to seek approval from the C-level.
There are different templates and ways to lay out the TPRM business case, but as a rule of thumb it should include the following sections:
- Executive Summary
- Current situation and possible solutions
- Financial analysis
- Project definition
- Project organization
Don’t forget to describe the benefits, the technical solutions needed, and the impact on operations. It’s also good practice to estimate costs and dates.
Fitting the use case in the TPRM business case
As the situational analysis, project scope, and financial aspects vary across organizations, we’ll focus on the TPRM use case when going for choice #1 (the dedicated TPRM tool).
As an exercise, we’ll build the use case for adopting our ThirdPartyTrust platform with its two offerings: Enterprise and Beacon. Fun fact: this was based on the proposal that a real customer used to promote ThirdPartyTrust in their organization.
It would go something like this:
ThirdPartyTrust is a third-party risk management (TPRM) workflow management, document repository, and process automation platform that facilitates third-party risk assessments at scale. Its unique network approach allows for streamlined processes to expedite risk assessments and eliminate the dependency on email and spreadsheets.
With 12,000+ (and counting) third-party security profiles readily available, combined with continuous monitoring based on security rating data feeds, the collective intelligence of the network is leveraged to solve the problem of repetitive, manual efforts.
By using ThirdPartyTrust, an organization can improve third-party risk management and process automation regardless of directional need, i.e. whether ‘sharing-in’ or ‘sharing-out’. In this sense, ThirdPartyTrust addresses three use cases, summarized below.
Use case 1: Network Share-In (To be used primarily by Information Security teams)
Enables organizations to assess more vendors with the same resources, by scaling their process to request security documents, review questionnaires, manage findings and centralize communication with vendors through a single platform.
Use case 2: Network Share-Out (To be used primarily by GRC teams)
Enables organizations that are a third party to other organizations to easily share their security posture and compliance documentation with partners, customers, and regulators. This reduces the workload of completing questionnaires, speeds up the sales cycle and improves ROI. Third parties can save time and manual effort by securely sharing a centralized security/compliance profile, thus avoiding starting from scratch on every customer security assessment.
This Beacon profile includes all questionnaires, certifications, and attestations (e.g., SIG Core and Lite, Cloud Security Alliance CAIQ, SOC reports, ISO certifications, PCI-DSS AOCs, pen tests, insurance documentation, etc.).
Use case 3: Periodic or Ad-Hoc Compliance Check-Ins (To be used by Information Security and GRC teams)
ThirdPartyTrust contributes positively to periodic re-assessments and third-party incident management (e.g., incidents impacting the supply chain ecosystem like SolarWinds):
- Improve visibility across the entire vendor ecosystem and focus on the most pressing issues
- Quickly determine whether information previously supplied is still evergreen
- Easily send custom questionnaires through widespread outreach efforts
- Track responses, create findings, collect documentation and easily add these new layers on top of existing assessments
- The entire community of organizations and third-parties benefits from sharing information both ways
- Community crowd-sourced evidence gathering (answer once, share repeatedly)
- ThirdPartyTrust pre-built integrations (BitSight, RiskRecon, SecurityScorecard, and more)
- Built from the ground up on APIs (integrates well with other systems)
- Ability to require a third party to add its most critical vendors to the platform (i.e. fourth-party risk management)
- Intuitive UI/UX
- Dedicated Customer Success Support (via integrated chat, email or telephone)