• CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • CUSTOMER LOGIN
  • Products
    • TPRM by ThirdPartyTrust
    • Beacon by ThirdPartyTrust
  • Company
    • About us
    • Partners
    • Product Security
    • Privacy Policy
REQUEST DEMO
  • PARTNERS LOGIN
  • CONTACT US
  • PRIVACY POLICY

Third-Party Risk Management: The Good, the Bad, and the Ugly

Published by Sabrina Pagnotta on October 9, 2020
Categories
  • Blog
Tags
  • TPRM Best Practices
Boost your Supply Chain Resilience

Third-party risk management (TPRM) is the process of identifying, analyzing and mitigating risks associated with outsourcing to third-party vendors or service providers. There are many ways and frameworks to do it, but as we’ve come to understand from customer stories, organizations usually follow one of the following three: the good, the bad, and the ugly.

What we see most commonly is using spreadsheets and sending dozens of follow up emails, but that’s a thing of the past. We now have dedicated tools to assess and monitor third-party risk, which are lightyears ahead of traditional, heavy GRC tools.

It all comes down to how you approach the situation. As Blondie “The Good” said in the 1966 Western movie that inspired this blog:

“There are two kinds of people in the world. Those with guns and those that dig. You dig?”

Read on to discover what’s your TPRM type and how to do it the good way!

1. The Good: With a Focused Tool

The Good, the Bad, and the Ugly depicts Blondie as a confident bounty hunter and an expert at his craft. He exudes confidence as he knows there is nobody better at what he does. 

Same thing happens to CISOs after they implement a focused tool for third-party risk management. They know they’ve made the right choice and they’re confident that they’ll reduce their workload while increasing capacity. Don’t just take our word: explore our case studies to discover why a focused tool is the way to go.

A perfect example of the good way is our own ThirdPartyTrust, a purpose-built TPRM workflow management, document repository and process automation platform. It automates and proceduralizes the most time consuming aspects of the traditional TPRM method (email and spreadsheets) so you can assess more third-parties with less internal resources. 

Inversely, if you’re a third-party to someone else, you can scale your security response process by building a single repository for all questionnaires, certifications, and attestations, and share it with your customers with the click of a button.

If you’re interested in The Good Way, book your ThirdPartyTrust demo now!

Here go some reasons why ThirdPartyTrust gets chosen as a TPRM ally:

  • Ease of use
  • Easy implementation
  • Light footprint in the network
  • SSO and end-to-end encryption
  • Unlimited Custom & Standard Questionnaires
  • For third-parties, a single security profile to share with all customers
  • For enterprises, a streamlined, automated process to assess third-parties

With a tool like this, the time needed to complete assessments is just a couple of hours, as you only need to invite your vendor or customer to the platform to share security documents and discuss any follow up questions. Your team can focus on analyzing data instead of collecting it.

Learn More About ThirdPartyTrust

Also, with automation built into the on-boarding and upkeep of vendor security documents, you can bring on hundreds of vendors in one year. Scaling your TPRM program with a risk-based approach was never this easy!

2. The Bad: With a Tool that’s Meant for Something Else

The Bad is a borderline-sadistic mercenary, which is not that different from trying to run an effective TPRM program on a GRC tool or supply chain platform. It’s almost as if the platform takes pleasure in killing your productivity… For the better of everyone, it’s time for the good to shoot the bad.

There are all sorts of tools that forcely added third-party risk management capabilities to their feature set. While their intentions are good, they’re tackling up functionality to an existing framework that may or may not work. For example, some GRC systems add features to track risks and questionnaires into a “magical” system, but they show some disadvantages:

  • They’re too resource intensive
  • There’s too much upkeep required
  • Implementation can be hard and heavy
  • There’s a very large footprint in the network
  • They sometimes require in-premises installations as opposed to cloud delivery models

With a tool like this, the time needed to complete assessments can range from 1 to 3 days.

Also, organizations who complete 20 or more vendor assessments per month with multiple teams working at the same time can find it hard to suit their needs on a grand scale with these sorts of tools.

3. The Ugly: Manual Process, No Tool At All

As a supporting character, being comically oafish yet also cunning, cagey, resilient and resourceful can be great. But not so much when it comes to your TPRM program. Just as The Ugly, most people find themselves (figuratively) “at the end of the ropes.” Yes, he survived, but he curses his very existence and the situation he’s in. 

Are you willing to suffer every time you need to complete an assessment? Or are you looking to make things smoother on both ends?

Most of our customers come to us tired of the manual TPRM process, which includes managing all due diligence and risk monitoring tasks via email. Obviously it’s very difficult to manage and takes a lot of time to process everything.

challenges-traditional-tprm

Furthermore, security documents are insecurely sent as attachments and there’s a lot of dependency of the analysts’ “gut feeling” to determine where the risks lie, as opposed to tools with continuous monitoring, data feeds, and automatic risk scoring.

With a process like this, the time needed to complete assessments can range from 3 to 15 days.

To Sum Up…

The key question to understand if it’s time to choose a dedicated TPRM tool is probably this: Given more resources, would you assess more vendors? If the answer is yes, then we’re here to help you automate and scale your program.




To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now:


Trial Account Sign-Up
Sabrina Pagnotta
Sabrina Pagnotta
Sr. Content Strategist
  • Phone
    |+1-617-245-0469
  • Address
    |
    111 Huntington Ave, Suite 2010, Boston, MA 02199
  • Sales
    |sales@bitsighttech.com
  • Contact Us
Laika_SOC2_TypeI_PurpleIris        CSA_Trusted_Cloud_Provider

©2022 ThirdPartyTrust, LLC and its Affiliates. All Rights Reserved. | 111 Huntington Ave. Suite 2010 Boston, MA 02199
  • PARTNERS LOGIN
  • CONTACT US
  • PRIVACY POLICY
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Reject AllAccept
Cookie Settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT