Vendor risk management (VRM) and third party risk management (TPRM) are trending terms following a series of major cyberattacks and data breaches affecting organizations through their third party vendors (Kaseya and SolarWinds are the latest examples). But what is TPRM?
The global, interconnected network of enterprises and vendors working together, and the uptick in digitization amid the covid-19 pandemic, stress a growing risk of being hit by a third-party data breach.
Assuming your organization interacts with dozens or hundreds of third party vendors, read on to find out everything you need to know about TPRM and how to secure your vendor ecosystem.
What is TPRM?
Third party risk management is the continuous process of identifying, analyzing and controlling risks presented by third parties to an organization, its data, operations and finances.
TPRM allows organizations to control the risk that arises from outsourcing services and products, by shedding light into areas of potential business risk.
What is a third party?
The term ‘third party’ encompasses vendors, contractors, suppliers, and any person or entity that provides goods and services to other entities, such as:
- A law firm
- An outsourced software development company
- A company that sells office equipment
- A finance consultant who advises about mergers and acquisitions
- A research center
Read more: Vendor or Third Party? A holistic definition of third party risk
How to build a third party risk management framework?
Broadly speaking, there are 4 stages on a third party risk management lifecycle framework:
- Planning & Risk Measurement – where based on an identified business need, you determine the inherent risk of engaging with a vendor to accomplish a certain goal.
- Due Diligence & Evaluation – where you conduct the vendor risk assessment, which can be based on standards like the National Institute of Standards and Technology (NIST) Special Publication 800-53 or a customized version to include organization-specific security controls and requirements
- Contracting – where based on the assessment results, you negotiate contractual risk controls and measurements
- Continuous Monitoring – where you constantly reassess the vendor to ensure compliance with the agreed security standards, by using security ratings and alert mechanisms
Why is third party risk management important?
Every organization, no matter the size or industry, engages with third party vendors. But in working with them, organizations usually grant them access to their network and data, expanding the risk surface.
As a consequence, securing data and implementing defensive measures does not end at your organization’s perimeter. Simply put: you could end up in the headlines because your vendor failed to protect your data and that of your customers.
It is necessary to assess, monitor and reduce the risks that arise from that business relationship, as well as ensure that the third party vendor will comply with your security standards. This is all part of a third party risk management (TPRM) program.
Read more: 3 reasons why vendor risk management is more urgent than ever
What does a TPRM program entail?
A third party risk management program manages risks associated with third party vendors, customers, or regulators end-to-end. This involves collecting critical vendor information, assessing their security posture, tracking what they have access to, understanding what internal policies apply to them, and more.
In doing so, you might want to know things like:
- Which of your vendors has access to critical information?
- What types of data do they have access to? Think Personally Identifiable Information (PII) or Nonpublic Personal Information (NPI)
- Do their services help your organization to comply with laws, regulations, and standards, such as HIPAA, PCI-DSS, CCPA, GDPR, etc.?
- Do they have an incident response plan?
- Do they comply with any industry standards?
- How will they act in case of a data breach?
Read more: Vendor Risk Assessments: 7 Questions to Ask to your Third Party Vendors
Ultimately, the goal of TPRM is for you to know how much risk you are taking by engaging with a vendor, and to have enough information to decide if you want to pursue that relationship.
How does TPRM fit in the overall enterprise risk management strategy?
TPRM is a critical component of a comprehensive Governance, Risk and Compliance or GRC program. GRC manages enterprise risk on a much broader scale, including external risks, issues of corporate governance and compliance with regulatory requirements. Legal, contractual, internal, social and ethical parameters, as well as industry regulations, fall under the GRC umbrella.
Therefore, every insight from a proper due diligence and vendor risk assessment process, obtained as part of a third party risk management program, is a valuable input for the overall enterprise risk management and strategic decision making that GRC owns. That is why, in many organizations, TPRM is conducted by the GRC team.
What are the benefits to having a Third Party Risk Management program in place?
There are a handful of benefits to reducing risk in your supply chain; to name a few:
- Consistency in rating the the security posture of third-parties
- Operational efficiency, with a lower cost and defragmentation of the overall third party risk management process
- Ensuring that the vendor ecosystem adheres and complies with contractual commitments
- Access to data to make informed decisions on third-party relationships
Mastering third-party risk management will bring your organization to new heights and ensure a secure relationship with third party vendors to avoid unnecessary risks.
Learn how ThirdPartyTrust can help you build and automate your third party risk assessment and monitoring process:
