Third Party Risk Management (TPRM) refers to the process of identifying, assessing, and mitigating risks associated with third parties – entities that provide services or products but are not directly part of the organization. A third party is an entity that provides a product or service directly to your customers and/or an entity critical to maintaining your daily operations. Third parties are people, organizations, and information systems with whom your company has a direct relationship. They are entities on whom your data’s confidentiality, integrity, or availability relies but are not your employees or customers.
The risks third-party entities pose to the organization can include operational, financial, reputational, and compliance risks. Every business with third-party vendors should define a TPRM strategy. TPRM involves continuously finding, assessing, and controlling the risks associated with external partnerships to ensure they don’t cause more harm than good. An iterative approach that gathers information throughout the relationships with third parties is highly recommended. Three key strategies are recommended to manage third-party risk better:
- Leveraging internal risk management expertise
- Creating a standard risk management framework
- Highlighting areas of low visibility
Some common examples of third parties that require risk management include:
- Contract developers who help build your application
- Open-source developers whose projects you incorporate into your product
- Other software vendors your organization uses
- Partners
- Consultants
- Vendors
- Suppliers
Organizations are experiencing a surge in their exposure to third-party risk
A data breach resulting from an unmanaged third-party risk can have lasting repercussions in every aspect of your business. Some of the risks you must consider include risks to reputation, operation, morale, credit, and compliance. In the 2022 Gartner Enterprise Risk Management (ERM) Survey on Third-Party Risk, risk leaders said their organizations are working with more third parties (68%), relying more on those third parties (65%), and using third parties for a greater array of services (54%) than they were just a few short years ago. These organizations are also navigating an unprecedented period of simultaneous major disruptions, which include supply chain disruption, Russia’s invasion of Ukraine, and cybercrime. These disruptions continue to have massive, cascading effects across organizations’ third-party networks.
TPRM has unique characteristics
Business risks come in many forms. Third-Party Risk Management (TPRM) and outsourcing have emerged as critical components that demand strategic attention in every organization. Third-party risk management is about more than any specific type of risk, such as cybersecurity. Almost all companies today have supply chains and depend upon some third parties to do business. Most enterprise risks have a single risk owner, but because TPRM is so vast and varied, different groups and roles are responsible for different parts of the risk. This means third-party risk has no overarching owner with whom ERM can act as a thought partner. This poses a big coordination challenge. TPRM has unique characteristics because:
1. Risk ownership is naturally distributed among many different people and functions
2. It has many heterogeneous risks that vary greatly in importance
3. Risk issues are numerous and diverse
4. Available data is almost always point-in-time and lagged. TPRM therefore requires different management tactics to be effective.
Determine Ownership of Corporate Third-Party Risk Management (TPRM)
The first step in establishing a third-party risk management program is determining which department and roles are responsible for establishing and administering your protocol. If you don’t have a risk management department — and many companies don’t — the responsibility often falls to roles like:
- Chief Information Security Officer (CISO)
- Chief Technology Officer (CTO)
- Information Technology (IT)
- Sourcing and Procurement
- Contract Manager
Other executive titles often used for company Enterprise Risk Management (ERM) roles are:
- Chief Risk Officer (CRO)
- Chief Financial Officer (CFO)
- Chief Audit Officer (CAO)
- Chief Operating Officer (COO)
- Director of Risk Management
- Vice President of Risk Management
- Chief Compliance and Ethics Officer (CCEO)
- Specialized titles for risk management roles: Operational Risk Manager, Compliance Risk Manager, and Cyber Risk Manager.
Once your company has determined which department and roles are responsible for establishing and administering your risk management protocol, you must develop a protocol for handling risk management. This process starts with understanding the third-party vendor management life cycle so you can systematically review the risks associated with every third party.
Define a Third-Party Risk Management Life Cycle
Developing a process for third-party risk management means defining and understanding the lifecycle of third-party relationships. While every company is different in how they approach risk management, here are some key stages of the life cycle to consider for your formal process:
- Sourcing & Vetting: As soon as you identify a need for a third party, make a list of all of the possible solutions, vet them, and evaluate the potential risks.
- Scoring the risk: What specific risks are involved? How critical are those risks? Risk factors typically include severity and how likely a problem is to occur.
- Performing an internal assessment and review: From there, define what changes or considerations your organization needs to make to mitigate those risks. At this time, also define how frequently you need to review this vendor and what metrics you’ll use for evaluating ongoing risk.
- Performing ongoing risk monitoring: For the duration of your relationship with the third party, you’ll need to conduct ongoing monitoring. Some of this will be the third party’s responsibility, but you’ll also want to pay attention to media reports, business updates, sanctions lists (for international companies), breach notifications, and other methods of gathering intelligence. This includes maintaining compliance with all applicable laws and regulations: it’s your responsibility as an organization to be aware of every regulatory body and requirement your company is subject to.
- Ending the third-party relationship if necessary to minimize risk: Whether you no longer need the third party or the risk becomes too great to continue, there comes a time to end the relationship. Rather than letting the relationship gather dust and opening yourself up to the possibility of unmonitored breaches, develop a specific offboarding process.
Utilize Three Overarching Imperatives for Managing Third-Party Risk
To develop and maintain a prioritized, enterprise-level view of third-party risk, heads of ERM must:
1. Define enterprise-level priorities. Play more of a role in identifying enterprise-level priorities to aggregate third-party risk at the enterprise level. For example, determine whether third-party cybersecurity risk is more important than third-party financial risk, and rank order priorities appropriately.
2. Enable cross-functional alignment. Do more to align and coordinate the many disparate groups or functions involved in third-party risk.
3. Monitor forward-looking indicators. Find and track forward-looking indicators on third-party risk to focus analysis on the most critical emerging issues in the third-party risk landscape. A focused set of easily monitored indicators enables ERM to reliably spot enterprise-critical trends.
To break these imperatives down a bit:
- Defining enterprise-level priorities can be difficult because it is hard to isolate and combine only those inputs that matter most at the enterprise level for third-party risk. The many heterogeneous sub-risks that third-party risk encompasses vary greatly in their relevance to different parts of the business. This makes it difficult to distill clear priorities using a traditional, “bottom-up” approach. Overcome this challenge by developing a scoring framework based on enterprise-level risk factors to consistently assess the risk posed by individual third parties and prioritize risk actions.
- Aligning and coordinating the many disparate groups or functions involved is hard because of differences in perspective, type, and level of expertise. Differing functional priorities also prevent the various co-owners of third-party risk from arriving at a shared view of the highest-priority enterprise-level issues and acting to resolve them. Differences in decision-making authority further complicate the picture, as subject matter experts with the greatest awareness and understanding of specific third-party risk issues often lack the authority to act on those issues. Solve this problem by holding cross-functional discussions of third-party risk that break down functional silos. By engaging expertise and authority at appropriate moments in the process, ERM can fulfill its mandate to get risk information from the informed to the empowered in a timely manner.
- Monitoring forward-looking indicators is critical. It is hard to detect enterprise-critical changes in third-party risk before they have an adverse impact. Typical key risk indicators (KRIs) fail to distinguish and prioritize enterprise-level third-party risks. Moreover, these KRIs tend to reflect third-party issues that have already occurred or the organization’s current level of exposure to third-party risk, rather than providing a forward-looking perspective on third-party risk. Counter this by developing enterprise third-party risk KRIs.
To accomplish the above, follow this process:
1. Define enterprise-level third-party risk priorities. Following the approach described above, begin by defining the aspects of third-party risk that matter most at the enterprise level.
2. Identify corresponding “must avoid” outcomes. For each enterprise-critical dimension of third-party risk, identify corresponding severe but preventable third-party outcomes that would prevent the achievement of strategic objectives.
3. Identify drivers of those outcomes to track. Perform root cause analysis to identify changes in the world that would make “must avoid” outcomes more likely.
4. Where possible, leverage existing KRIs. Review third-party risk KRIs currently tracked by the business and select any that align with the drivers of “must avoid” outcomes you identified.
5. Identify new E-TPRM KRIs (Key Risk Indicators). Where existing KRIs are insufficient, select new enterprise third-party risk KRIs. Prioritize low-effort monitoring by selecting KRIs that are externally available, objective, benchmarked, and scaled.
Results from Correct Implementation of Corporate TPRM Processes
Key findings from Gartner’s ERM surveys include:
- Organizations that screen third parties using integrated and streamlined questionnaires are 54% more likely to uncover potential risks sooner than those that use exhaustive due diligence questionnaires.
- Organizations that proactively track changes in the scope of a third-party relationship caused by the organization’s changing business risk appetite are 30% more likely to remediate third-party risks.
- Organizations can achieve a 43% improved outcome in remediating risks before they have a material impact by helping cross-functional partners fully understand and integrate shared third-party risk information.
The risks third-party entities pose to the organization can include operational, financial, reputational, and compliance risks. Perform due diligence to ensure that third-party relationships don’t cause more harm than good. When it comes to risk management, there are no hard and fast rules. The most important question to consider when building your program is where your company stands with third parties or suppliers. Do they pose an inherent risk to your organization? What data do you share with them? Which regulations do they need to comply with?
Your organization should select the Third-party Risk Management Framework that best fits your needs, keeping in mind that there is no right or wrong between programs. It is simply a matter of effectively aligning your business process with your risk management process. Delaying or having poor TPRM processes can cost your business in many ways.
References:
- Third Party Risk Management: Best Practices for CCEOs
- 5 Key Insights for Third Party Risk Management Design and Governance
- What is Third Party Risk Management?
- What Is Third Party Risk Management: The 3 Types of TPRM