Third-party risk management (TPRM) is a practice that organizations around the world use to not only decide which vendors, suppliers, partners, and contractors to work with, but also to continuously monitor and manage these ongoing arrangements. While some details of a third-party risk management program can vary depending on individual organizations, industry, regulatory guidance, and more, the key components of what a successful TPRM program should include remain the same. Whether you’re just beginning to make third-party risk management a priority in your own organization, or you want to understand where your existing program could be improved, the TPRM basics are a good place to start.
Who is considered a third party?
In short, any entity that processes data on your organization’s behalf or provides your organization with technology, products, goods, or services. Some businesses consider only their vendors or suppliers in a TPRM program, and may even refer to their programs as vendor risk management (VRM) or supplier relationship management (SRM). However, it’s important that organizations begin to think of the wider array of external parties that directly impact or come into contact with their business and treat them all as sources of potential risk.
What are the key steps in third-party risk management?
TPRM is typically thought about in terms of a “third-party lifecycle”. This TPRM lifecycle includes the following stages:
- Identification of third parties, vendors, and suppliers
- Contracting and procurement
- Exchanging Data – Sending and receiving third-party or vendor risk assessments
- In-depth assessments and risk reviews
- Risk mitigation – Includes identifying controls and treatment plans
- Reporting and recordkeeping
- Ongoing risk and performance monitoring
How do you determine the risk associated with a third party?
The due diligence and assessment steps in the TPRM lifecycle are the stage at which organizations send questions to their vendors or third parties to learn more about the procedures, policies, and security controls in place to avoid breaches and other incidents and/or to respond quickly and appropriately should an incident occur. The content of these assessments is typically dictated by the regulations and frameworks with which an organization must demonstrate compliance, but it is also regularly customized by the individual organizations sending them.
Once an assessment is completed and returned to an organization, the responses are reviewed against the necessary standards or frameworks to determine the level of risk involved in working with the third party or vendor. By using a software platform, organizations can easily flag high-risk responses and even provide feedback to the third party on how to address these items and reduce risk.
How do you monitor third-party risk over time?
Today, organizations are largely missing the opportunity to actively monitor their third-party risk throughout the third-party risk management lifecycle. However, there are some options for doing this without adding to an organization’s workload:
- Automating reassessment based on contract expiration or renewal dates
- Using risk exchange software to receive regular updates on third parties
- Automating workflows for internal teams to follow up on assessed and documented risk
When do you stop monitoring your third-party risk?
Monitoring the risk associated with third parties, vendors, or suppliers should not end until the third party has been properly offboarded. The offboarding process is yet another part of the TPRM lifecycle and should be carefully handled and managed through a formalized third-party risk management program process and documented for reference. If improperly offboarded, third parties can still present significant risk to an organization’s operations.
Who owns TPRM in an organization?
The department or personnel that owns third-party risk management really depends on the individual organization. However, there are several departments or job titles that we often see taking the lead with third-party risk management, which include:
- Risk and Compliance
- Information Security
- Procurement and Sourcing
- Vendor Management
While there may be owners of TPRM in an organization, it is important that everyone in an organization be aware of the potential risk associated with third parties and be familiar with the processes involved with managing that risk.
If you’re looking for ways to take your third-party risk management to the next level and improve your program, consider investing in OneTrust Vendorpedia. With Vendorpedia, you can streamline and customize the TPRM lifecycle from onboarding to offboarding, with help at every step along the way.