10 Steps to Streamline Third-Party Risk Management (TPRM)

BLOG 3 MINS April 6, 2020

Third-party risk management (TPRM) isn’t a new concept; however, recent events have brought the discipline to the forefront like never before. Organizations in all industries rely on third parties, whether they are cloud service providers, suppliers, contractors, or other vendors. So, what can you do to better manage third-party risk?

In this article, we’ll outline 10 steps that organizations can take to build a streamlined TPRM program.

1) Define Your Risk Appetite

Risk appetites vary from company to company. To understand which risks you are willing to accept, start by developing a risk appetite statement that defines yours.

2) Rethink Your Risks

Only by drilling down to the business process level can you truly understand the risks associated with your vendors. To do so, think of risk in four layers:

  • The vendor or supplier itself
  • The assets, apps, products, or services the vendor provides
  • The individual engagement for how the assets, apps, products, or services are used
  • The individual business processes

3) Choose Your Standard or Framework

The standard that makes sense for your organization is completely dependent on your internal risk program, as well as industry, region, and other contributing factors. Many organizations will select a standard, and then customize it to meet their requirements. Some of the most common standards and frameworks used to assess third parties are:

4) Understand the Risks You Care About

There are many different types of risks to consider when building your TPRM program. Companies will often classify risks to better report on the potential threats posed by a vendor. Common risk classifications include:

  • Reputational
  • Geographical
  • Geopolitical
  • Strategic
  • Industrial
  • Performance
  • Financial
  • Transactional
  • Operational
  • Cybersecurity
  • Privacy
  • Compliance

5) Create a Centralized Third-Party Inventory

There are several ways to discover which third parties your organization works with. This process can take time; however, there are tactics you can use to streamline it:

  • Pull vendor information from existing technologies such as SSO providers
  • Conduct assessments or interviews with business owners
  • Use self-service portals to enable the business to provide vendor details themselves

6) Classify Your Third Parties

Classifying vendors helps streamline your TPRM program by enabling you to direct your focus to the third parties that present the most risks. To classify third parties, companies often perform short inherent risk assessments (no more than 10 questions). Using this inherent risk, TPRM teams can bucket vendors into tiers, with tier one vendors usually designated as the most critical. This will help you to better prioritize which vendors matter most, saving valuable time on due diligence efforts. 
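The tiering described above can be made repeatable with a small scoring routine. The following is an added example, not code from the original post or from OneTrust: the ten questions, their weights and the tier cut-offs are all assumed values, and the vendors are constructed samples. The one design choice worth noting is that an unanswered question counts as "yes", so a vendor that skips part of the questionnaire lands in a higher tier rather than a lower one.

```python
from dataclasses import dataclass

# Constructed inherent-risk questionnaire: ten yes/no questions, which is
# the upper bound the post suggests. Weights are assumed for illustration.
QUESTIONS = {
    "handles_personal_data": 3,
    "handles_regulated_data": 4,
    "has_network_access": 3,
    "has_privileged_access": 4,
    "hosts_customer_facing_service": 3,
    "sole_source_supplier": 2,
    "annual_spend_over_threshold": 1,
    "uses_subprocessors": 2,
    "operates_in_high_risk_region": 2,
    "supports_critical_business_process": 4,
}
MAX_SCORE = sum(QUESTIONS.values())  # 28 with the weights above

# Assumed tier cut-offs as a fraction of MAX_SCORE; tier 1 is most critical.
TIER_CUTOFFS = [(0.6, 1), (0.3, 2), (0.0, 3)]


@dataclass
class Vendor:
    name: str
    answers: dict  # question key -> True (yes) / False (no)


def inherent_risk_score(answers):
    """Sum the weights of every question answered 'yes'.

    Missing answers are treated as 'yes' so an incomplete questionnaire
    can never lower a vendor's tier. Unknown keys are rejected outright.
    """
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown questions: {sorted(unknown)}")
    return sum(weight for key, weight in QUESTIONS.items()
               if answers.get(key, True))


def tier_for(score):
    """Map a score onto a tier using the fractional cut-offs."""
    ratio = score / MAX_SCORE
    for cutoff, tier in TIER_CUTOFFS:
        if ratio >= cutoff:
            return tier
    return 3


def classify_vendors(vendors):
    """Return {tier: [vendor names]} so tier 1 can be reviewed first."""
    tiers = {1: [], 2: [], 3: []}
    for vendor in vendors:
        tiers[tier_for(inherent_risk_score(vendor.answers))].append(vendor.name)
    return tiers


def answers_from(yes_keys):
    """Build a complete answer set where only the listed questions are 'yes'."""
    return {key: key in yes_keys for key in QUESTIONS}


# Constructed sample vendors.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", answers_from({
        "handles_personal_data", "handles_regulated_data",
        "has_privileged_access", "supports_critical_business_process",
        "uses_subprocessors"})),
    Vendor("Marketing analytics", answers_from({
        "handles_personal_data", "uses_subprocessors",
        "hosts_customer_facing_service", "has_network_access"})),
    Vendor("Office catering", answers_from({"annual_spend_over_threshold"})),
]

if __name__ == "__main__":
    for tier, names in classify_vendors(SAMPLE_VENDORS).items():
        print(f"tier {tier}: {names}")
```

With these assumed weights the payroll provider scores 17 of 28 and lands in tier 1, the analytics vendor scores 11 and lands in tier 2, and the caterer scores 1 and lands in tier 3; an empty questionnaire scores the maximum and is forced into tier 1.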

7) Automate Your Assessments and Risk Mitigation

Traditional assessments take time and are resource intensive. However, instead of sending a spreadsheet-based assessment, many TPRM professionals are taking advantage of new trends in the market, such as:

Once an assessment is conducted and risks are flagged, organizations will begin risk mitigation. Common risk mitigation workflows include four steps:

  • Identification
  • Evaluation
  • Treatment
  • Monitoring 

8) Track Key Contract Terms

Many TPRM professionals will extract key contract terms in a structured format to determine if contractual clauses are adequate, inadequate, or missing. This “structured” tracking method offers clarity for TPRM teams by highlighting what matters most. Some key terms often tracked include:

  • Price and Payment Terms
  • Contract Expiration
  • Confidentiality Clauses
  • Data Processing Agreements
  • 4th Party or Subprocessor Change Clauses
  • Service Level Agreements (SLAs), Product Performance, Response Times
  • And many more…

9) Standardize Your Vendor Risk Reporting and Maintain Records for Compliance

This step is often overlooked yet is one of the most significant aspects of a well-oiled TPRM program. Purpose-built TPRM software can automate recordkeeping and leave you with detailed activity trails to simplify audits. With detailed records maintained, it becomes much easier to report on the things that matter most to your organization. In practice, we see organizations create dashboards that show:

  • Total supplier count
  • Suppliers sorted by risk level
  • Status on all supplier risk assessments
  • Number of suppliers with expiring or expired contracts
  • Risks grouped by level (high, medium, low)
  • Risks by stage within the risk mitigation workflow
  • Risks to your parent organization and risks to your subsidiaries
  • Risk history over time

10) Monitor Vendor, Market, Regulatory Changes Over Time

Assessments offer “moment-in-time” glimpses of a vendor’s risk posture, but risks can change drastically at any time. Beyond cybersecurity controls, significant events to monitor include:

  • Mergers, acquisitions, or divestitures
  • Internal process changes
  • Negative news or unethical behavior
  • Natural disasters and other business continuity triggering events
  • Product releases
  • Contract changes
  • Industry or regulatory developments
  • Financial viability or cash flow
  • Employee reduction
  • And much more…

If you don’t have a tool in place to continuously monitor your vendors, consider re-assessing them on a regular schedule. That schedule may be set based on the inherent risk of the third party or on when contracts are up for renewal.
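The two scheduling drivers named above (inherent-risk tier and contract renewal) can be combined into one due-date rule. The following is an added example, not code from the original post or from OneTrust: the per-tier cadence, the 90-day renewal lead time, and the vendor records are all assumed or constructed for illustration. A vendor's next assessment is due at whichever comes first, the tier cadence or the renewal lead time, and the queue is sorted so overdue vendors surface at the top.

```python
from datetime import date, timedelta

# Assumed re-assessment cadence per inherent-risk tier (tier 1 is most critical).
REASSESS_INTERVAL = {
    1: timedelta(days=365),
    2: timedelta(days=730),
    3: timedelta(days=1095),
}
# Assumed lead time: reassess this long before a contract comes up for renewal.
RENEWAL_LEAD = timedelta(days=90)


def next_assessment(last_assessed, tier, contract_end=None):
    """Return (due_date, reason) for a vendor's next assessment.

    The due date is the earlier of the tier cadence and the renewal lead
    time; vendors without a known contract end use the cadence only.
    """
    due = last_assessed + REASSESS_INTERVAL[tier]
    reason = f"tier {tier} cadence"
    if contract_end is not None:
        renewal_due = contract_end - RENEWAL_LEAD
        if renewal_due < due:
            due, reason = renewal_due, "contract renewal"
    return due, reason


def assessment_queue(vendors, today):
    """Build a queue of (name, due_date, reason, overdue) sorted by due date.

    Each vendor is a dict with name, tier, last_assessed and an optional
    contract_end.
    """
    queue = []
    for v in vendors:
        due, reason = next_assessment(v["last_assessed"], v["tier"],
                                      v.get("contract_end"))
        queue.append((v["name"], due, reason, due <= today))
    return sorted(queue, key=lambda item: item[1])


# Constructed sample inventory and an assumed "today".
SAMPLE_VENDORS = [
    {"name": "Payroll SaaS", "tier": 1,
     "last_assessed": date(2019, 3, 1), "contract_end": date(2020, 12, 31)},
    {"name": "Office catering", "tier": 3,
     "last_assessed": date(2020, 1, 15), "contract_end": date(2020, 6, 30)},
    {"name": "Marketing analytics", "tier": 2,
     "last_assessed": date(2019, 12, 1)},
]
TODAY = date(2020, 4, 6)

if __name__ == "__main__":
    for name, due, reason, overdue in assessment_queue(SAMPLE_VENDORS, TODAY):
        flag = "OVERDUE" if overdue else "scheduled"
        print(f"{name:20} {due.isoformat()}  {reason:18} {flag}")
```

Note that the low-risk caterer is flagged before the tier 2 analytics vendor even though its cadence is the longest: its contract renews soon, so the renewal rule takes over. That is the situation the contract-expiry dashboard metric from step 9 is meant to catch.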

Want to see how OneTrust Vendorpedia can help you mature and manage your TPRM program? Request a demo today.