In speaking with customers and prospects, we realize that some organizations find third-party risk management a messy area. Usually, it's because there is no dedicated team, so risk accountability is shared among multiple areas or business owners. From there arises the issue of not having a centralized and/or standardized way of assessing third-party vendors. So how do you build a central program to be deployed across the organization, with TPRM and governance as a priority?
First, ensure there is executive management support and buy-in. Provide a strong business case demonstrating the need for a governance structure and standardized processes, defined roles and responsibilities, overall due diligence, monitoring and reporting. The absence of any TPRM process also carries reputational risk.
Read more: Building the TPRM business case
This would lead to a governance structure that will probably include:
Once a governance structure is established and understands its role in the organization, the overall TPRM program workflow can be defined. Organizations can quickly improve efficiency by starting with an intake form. An automated intake form, or automatic scoring based on custom criteria, will make the difference in how much manual intervention is needed throughout the process.
A TPRM technology provider helps streamline the process. There will still be a need for manual intervention to review assessments, but it will be significantly reduced. This allows more time for analysis, investigation and follow-ups.
As companies have a better understanding of their vendor population, frameworks and methodologies can be developed, in order to standardize the assessment, workflow, and terminology around how the organization perceives (and manages) risk.
Not all vendors are created equal, but a framework should be developed to normalize the risk. This would include assessing the level of risk based on the category of impact a vendor would have on your organization, such as:
It's important to understand that the actual function of the TPRM program is not only performing full risk assessments, but also ensuring that the third party is complying with legal and regulatory requirements such as GDPR and CCPA, and I think we'll have more of these as states start to implement their own. The TPRM program is not a one-and-done exercise, but must also include continuous monitoring.