• CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • PARTNERS LOGIN
  • CONTACT US
  • PRIVACY POLICY

Obtaining and Retaining Executive Buy-in To Your Third-Party Risk Management Program

Published by Guest Writer on June 4, 2020
Categories
  • Blog
Tags
  • TPRM Best Practices
Obtaining-Executive-Buy-in-To-Your-TPRM-Program
Without buy-in from executive leadership to your third-party risk management program, you are not likely to get it off the ground and keep it there. Tone at the top is critical. Here are seven tips for obtaining and maintaining the support you need from the C-suite:
  1. Build a business case – To convince the leadership of your organization that they need to invest in a third-party risk management program, you need to build a compelling business case. Focus on demonstrating how a relatively modest investment in a third-party risk management program can result in a substantial reduction of annual loss expectancy from adverse events caused by third-parties.
  2. Leverage an executive sponsor – Unless you are a C-suite executive yourself, you need an ally in the C-suite. Recruit an executive level sponsor for your third-party risk management program and spend the time necessary to educate them. You are not finished until they are as big of a proponent of a third-party risk management program as you are.
  3. Build cross-functional support – Practice diplomacy to win over supporters throughout the organization. Meet with the leaders of other departments and explain the benefits of a third-party risk management program. Build alliances with the leaders of functions that can directly benefit from the program. Good candidates are the procurement, legal, IT, audit, and finance functions.
  4. Seek approval from a governing body – If your organization has a security steering committee, a risk management committee, an internal controls committee, or other corporate governing body, seek formal approval of a charter for the establishment of a third-party risk management program. If the governing body doesn’t approve programs, then at least present the program in that forum to improve the odds of organizational acceptance.
  5. Make it company policy – A third-party risk management program depends on acceptance by the individuals who build and manage relationships with third parties. One way to ensure that acceptance is to make your third-party risk management processes mandatory by codifying them within official company policies. Create a third-party risk management policy and seek approval from a governing body (see above).
  6. Minimize friction – The primary reason executives oppose the establishment of a third-party risk management program is the fear that the accompanying processes will create friction that unnecessarily slows the establishment of third-party relationships. You can avoid this criticism by designing efficient processes, automating workflows, and altering the robustness of the due diligence performed and the frequency of reviews depending on the criticality of the third-party.
  7. Keep it front and center – Support for your third-party risk management program may wane over time if executives are not regularly reminded of its benefits. Use periodic updates to continuously underscore the value of the program. When executives have ongoing insight into third-party risk, they are not likely to want to lose that visibility.

Although every organization is different, following these seven tips should greatly improve your chances of building and retaining executive buy-in to your third-party risk management program.
bradley profile photo

Bradley J. Schaufenbuel

(CISO, CISSP)
Vice President and Chief Information Security Officer at Paychex, a leading payroll, human resource, and benefits outsourcing company. He is a speaker at industry conferences and author of multiple books (including two “For Dummies” titles), and has had numerous articles published in professional journals on a wide variety of topics related to information security and governance.
Guest Writer
Guest Writer
  • Phone
    |+1-617-245-0469
  • Address
    |
    111 Huntington Ave, Suite 2010, Boston, MA 02199
  • Sales
    |sales@bitsighttech.com
  • Contact Us
Laika_SOC2_TypeI_PurpleIris        CSA_Trusted_Cloud_Provider

©2022 ThirdPartyTrust, LLC and its Affiliates. All Rights Reserved. | 111 Huntington Ave. Suite 2010 Boston, MA 02199
  • PARTNERS LOGIN
  • CONTACT US
  • PRIVACY POLICY
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Reject AllAccept
Cookie Settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT