What is third party risk management (TPRM)?

Working with a third party can introduce risk to your business.  If they have access to sensitive data they could be a security risk, if they provide an essential component or service for your business they could introduce operational risk, and so on. Third party risk management enables organisations to monitor and assess the risk posed by third parties to identify where it exceeds the threshold set by the business. This allows organisations to make risk-informed decisions and reduce the risk posed by vendors to an acceptable level.

The reputation of a company can also hinge on the reputation of a third party with whom they do business. If a third party has an issue with reputation or a data breach, it can lower customer trust in a business that works with the third party.

Operations can sometimes hinge on third party applications and services, and there is always a risk that the third party can fall victim to a cyber attack or a lapse in service that can lead to operational interruptions, a loss of data or a privacy violation. If there are fourth parties involved the same concerns apply to them.

There can be issues with a product or service delivery from a third party, which can cause transactional issues within an organisation.

Standards are slowly beginning to incorporate third party risk as a requirement for compliance, so risk tolerance for compliance should be extended to third-parties as well.

Regardless of whatever form data may take, there is a degree of risk that arises from allowing a third party to interact with data, including risk from unauthorised access, disruption, modification, recording, inspection or destruction of information.

It is important to work with financially viable third parties to avoid disruptions to the supply chain.  Additionally, third parties who are in financial trouble may not be as focused on security measures, leaving themselves open to unnecessary risk.

When considering working with a third party it’s important to do an initial risk assessment as part of the decision making process - prior to formally bringing a third party onboard. You can use external data to get a broader picture of the third-party risk using, for example, cybersecurity ratings to gauge their security posture.  This reduces the chance of unknowingly inheriting undesirable risk.

Either as part of the initial risk assessment, ideally performed prior to onboarding, or as soon as the third party has been brought onboard there should be a tiering assessment performed.  This assessment is performed internally and results in the third party being placed in a tier that dictates the type and frequency of assessments the third party will receive. Tier 1 or critical vendors are the highest tier.  Some vendors may be at a tier that does not require regular assessments (for example the third parties that cut the grass). External data from, for example, security ratings providers could be used to adjust the tier level if necessary.

Third parties in the upper tiers should have regular risk assessments performed.  These should be based on the area of risk posed by the third-party. For example vendors who manufacture a component may have questions around employee health and safety, while consulting firms may not.  But all third parties would have questions regarding their security posture and financial viability. The frequency of these assessments would be based on the tier, with the highest tier having the most frequent assessments.

When an assessment is returned there may be responses that are unsatisfactory or incomplete. Additionally any objective external data collected around the third parties financial or security posture should be evaluated at this time for any issues. Issues, or findings, can then be reverted back to the third party to respond.

There may be a period where an assessment goes back and forth, tasks are generated, issues are responded to and evidence is provided if necessary.  All communication should be captured for future reference. In the end, there may be some risks that are accepted.

After identifying, analysing and remediating the risk, report on it to the necessary parties. All stakeholders should be able to get the level of visibility they desire.

As previously mentioned, third parties should be continuously assessed, which ideally means monitoring for any changes in risk or performance.  This can be done through more frequent assessments or external data feeds such as continuously updated cyber security ratings.  Changes should automatically trigger an issue, assessment and/or tier change. It is crucial to continuously monitor to ensure that all third parties are fulfilling their obligations and do not pose an undesirable risk to the organisation.

All organisations should have a formal process to retire third parties and ensure all information that should not be stored is permanently deleted.

• Total visibility into all third-party relationships
• A formal, pre-contract assessment and due diligence
• Use of standardised, risk-mitigating terms
• Risk-based monitoring and oversight
• Formal offboarding at the end of the relationship

• Digitise and integrate all aspects of the vendor management lifecycle. Assessing risk should be part of the early stages.
• Consolidate vendor information and collaborate with third parties while maintaining an audit trail of all collaborations.
• Gain and maintain an understanding and visibility of third-party risk and performance, including subsidiaries (or fourth parties).
• Develop a granular assessment of where risk originates.
• Create risk scores to compare, prioritise and communicate risk.
• Use machine learning and automation systems to accomplish more while reducing costs.
• Create a resiliency plan and embed a plan into each aspect of the vendor management system.
• Integrate with other applications (such as data feeds for cybersecurity rates) and third-party systems.

• Improved customer experience
• Improved overall security posture
• Better operational efficiency
• Improved customer acquisition and retention
• Improved customer trust
• Improved revenue, projections and profitability
• Consistent third-party performance that matches expectations
• Improved ability to execute an organisation’s objectives, both strategic business and project-level objectives
• Minimise business disruption
• More quickly recover from disruptions