A Breakdown: Who Owns Third-Party Risk Management?
Organizations of all sizes share common third-party risk management (TPRM) challenges, including disjointed processes, strategic sourcing struggles, shadow IT, and ongoing risk mitigation. Over time, these obstacles become significant blockers, inhibiting productivity to the detriment of your organization’s bottom line.
There are a variety of stakeholders across the business that “own” third-party risk and contribute to the management of these challenges. Key stakeholders include:
- Chief Information Security Officer (CISO)
  - Challenges: The main challenges CISOs face include overseeing the overall IT security posture of an organization and aligning security operations with the business’ needs.
  - Goals: A CISO’s TPRM goals are to manage and report on all organizational risk, with third-party risk being one aspect of this.
- Chief Information Officer (CIO)
  - Challenges: The main challenges CIOs face include balancing efficiency and budget with strategic innovation.
  - Goals: A CIO’s goals are to implement affordable technology, taking into account the total cost of ownership (TCO), service level agreements (SLAs), and overall vendor performance. CIOs account for infrastructure integrations to ensure third-party technology is flexible to grow with the business, not out of it.
- Information Security (InfoSec)
  - Challenges: InfoSec teams are responsible for the security of data while holding internal employees accountable to uphold their company’s InfoSec policies and procedures.
  - Goals: An InfoSec team’s TPRM goals are oftentimes embedded under their organization’s overall governance, risk and compliance (GRC). Ultimately, the TPRM-related goals of an InfoSec team are to understand which third parties are in use, what data they have access to, how they are using it, where it resides, and most importantly, how it’s protected.
- Third-Party Risk Manager/Vendor Risk Manager
  - Challenges: A Third-Party Risk Manager (or Vendor Risk Manager) is responsible for the overall management and monitoring of risks and performance for all third parties, suppliers, vendors, contractors, and service providers.
  - Goals: Third-Party or Vendor Risk Managers set out to efficiently manage the entire vendor lifecycle for all third parties. This includes streamlining vendor onboarding, assisting procurement with contracting as needed, performing assessments, handling risk mitigation, and monitoring vendor risk and performance over time. This is in addition to helping maintain third-party and vendor compliance.
- Global Sourcing & Compliance
  - Challenges: The main challenge Global Sourcing and Compliance professionals face is identifying new and compliant suppliers to improve their employees’ productivity and achieve their organization’s goals.
  - Goals: The goals of this position are to identify inefficiencies and pinpoint suppliers that can help. Additionally, Global Sourcing and Compliance is tasked with helping ensure the overall compliance of all suppliers.
- Contract Managers
  - Challenges: The main role of a Contract Management professional is negotiating legal terms with third parties, while holding existing vendors accountable to their contractual requirements.
  - Goals: Contract Management professionals work to ensure vendor contracts include all their organization’s key requirements, as well as monitor and report on contractual terms tied to third parties and their performance.
- Chief Procurement Officer (CPO)
  - Challenges: The Chief Procurement Officer’s main challenges are managing and supervising the third-party procurement process while overseeing cost reduction and negotiations.
  - Goals: This persona is responsible for the end-to-end management of third-party purchase orders and contracts. They maintain detailed reports on cost reduction, contract compliance, and overall supply chain threats and viabilities of third parties.
- Chief Privacy Officer (CPO)
  - Challenges: A Chief Privacy Officer’s main TPRM challenges include reviewing the privacy and compliance posture of third parties while overseeing all third-party data transfers.
  - Goals: The CPO office works to create a centralized inventory of vendors, track data flows and cross-border data transfers, limit privacy risks, maintain records for privacy compliance, and implement a privacy incident response plan in the event of a third-party personal data breach.
- The Business (HR, Marketing, Sales, Finance, etc.)
  - Challenges: Business units constantly want to use new tools that improve the productivity of their department without having to resort to shadow IT. However, due to security, privacy, and compliance requirements, vendor selection and onboarding take longer than they would like.
  - Goals: The business’ goal is to work better across all stakeholders to onboard third parties in an efficient and timely manner so they can improve productivity across their business unit, without sacrificing security, privacy, and compliance.
Ultimately, each third-party risk stakeholder across the business has unique responsibilities, challenges, and goals as it relates to TPRM. However, it is safe to say that everyone in an organization – no matter how small their role – ‘owns’ TPRM together.