If you’re questioning whether third-party risk management (TPRM) applies to you or your organization, you’re in the right place. And I’ll give you a hint… yes, it does.
Third-party risk should be a concern of everyone on both personal and professional levels. Personal applications of TPRM aside, here you’ll find some guidance on understanding the importance of TPRM and best practices for developing successful programs for your organization.
Who should consider TPRM?
All of us! Whether you outsource one function or 25, or even none today, you should treat TPRM as a critical step in setting your organization up for success.
Who is a third party?
Any organization to which another organization outsources a function. Outsourced functions can range anywhere from cleaning and custodial staff, to payroll processing, to data storage. If you’ve ever uttered the phrase “_____________ does that for us,” you’ve got yourself a third party. And that third party will present risk to your organization.
What should you do to address that risk?
Whether you have not yet outsourced anything or you currently contract with a plethora of third parties, a formal, documented and approved TPRM program is imperative in order to manage risk throughout the entire third-party lifecycle.
When is a TPRM program applicable?
A TPRM program should apply throughout the entire third-party lifecycle. An effective TPRM lifecycle consists of three phases:
1. Onboarding
Onboarding begins at the point at which an organization starts looking for a third party to perform a certain function for it. It includes planning activities to manage the relationship as it enters the TPRM lifecycle, and continues into a due diligence phase in which the organization researches potential third parties to verify that they meet established, required criteria.
2. Monitoring
Monitoring follows onboarding: it is the phase that begins once a third party has been selected and continues until termination is necessary. Monitoring is the fun part! (Without getting too existential, even the monitoring of a third party can be outsourced to a third party.) For the Monitoring phase to be effective, an organization should, during Onboarding, plan the Monitoring activities most suitable to gain adequate assurance over the third party’s security. Examples include verifying that the third party will have a SOC report available for review on an ongoing basis, that a right-to-audit clause exists in the contract, and/or that the third party is willing to complete a security questionnaire at an agreed-upon frequency.
Monitoring phase requirements include the need for an organization to develop criteria for determining the criticality of its third parties, which should dictate the scope and frequency of vendor assessments. The higher the criticality, the more often the third party should be assessed for the controls that directly relate to the risk it poses. For example, third parties that store and process highly confidential data and that are crucial to financial or operational activities will likely receive a high criticality rating and should be assessed annually.
Another factor that can raise the criticality ranking of a third party is replacement risk. That is, a third party may be high-criticality simply because of the lack of competition in its space: there are no other third parties able to perform that service should your selected third party cease operations.
3. Termination
Termination is the final phase of the third-party lifecycle. It should be planned for during onboarding and exercised whenever needed to ensure that relationships terminate and transition (whether back in-house or to another third party) in an efficient manner.
Where is a TPRM program applicable?
Anywhere your third parties have a presence, anywhere your data lives, anywhere your fourth parties have a presence, and so on. The physical and logical locations where the TPRM process is relevant should be established during the onboarding process and updated as necessary.
Why are TPRM programs necessary?
Depending on your industry or regulatory environment, you may be required to have one. However, whether required or not, TPRM addresses a specific kind of risk that in the past has gone unaddressed and has resulted in multiple data breaches caused by unmanaged third-party risk. It all boils down to one important fact: you can outsource nearly any function, but you cannot outsource risk.
How to implement a TPRM Program?
How a TPRM program is implemented varies with the organizational landscape. However, one important first goal must be accomplished: executive support. A close second is cross-functional participation. Without a top-down, all-in approach, from the C-suite to staff and from procurement to operations, a TPRM program will not be successful.
Related Articles
This article is part of a series exploring the importance of third-party risk management programs. You can view additional articles below.
- Third Party Risk Management in 2020: What We’ve Seen
- Third Party Risk Management Planning During COVID-19
- Compliance and Third Party Risk Management: A Function for Continued Success
- How Third Party Risk Management Caters to Your Organization
- Your Cyber Program is only as Strong as Your Weakest Link – Including Your Vendors
- Secrets Revealed: What Your Third Party Auditors Don’t Want You to Know
- Third Party Risk Management Virtual Assessments Forced by Pandemic
- Mind Your T’s and C’s
View our entire Third Party Risk Management article library here.
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management and hold the credentials (CTPRP, CISA, CISSP, etc.) necessary to achieve meaningful results and help your organization reach new vendor risk management heights.
Learn more at www.schneiderdowns.com/tprm or contact us for more information.