Vendor risk management (VRM) and third-party risk management (TPRM) have become common terms following a series of major cyberattacks and data breaches that reached organizations through their third-party vendors (Kaseya and SolarWinds are recent examples). But what is TPRM?
If your organization interacts with dozens or hundreds of third-party vendors, read on to find out what you need to know about third-party risk management and how to secure your vendor ecosystem.
What is TPRM?
Third-party risk management (TPRM) is the continuous process of identifying, analyzing, and controlling risks presented by third parties to an organization, its data, operations and finances.
TPRM allows organizations to control the risk that arises from outsourcing services and products, by shedding light on areas of potential business risk.
What is a third party?
The term ‘third party’ encompasses vendors, contractors, suppliers, and any person or entity that provides goods or services to another entity, such as:
- A law firm
- An outsourced software development company
- A company that sells office equipment
- A finance consultant who advises about mergers and acquisitions
- A research center
How to build a third-party risk management framework
Broadly speaking, there are four stages in a third-party risk management lifecycle:
- Planning & Risk Measurement – Based on an identified business need, you determine the inherent risk of engaging a vendor to accomplish a certain goal, before any controls are applied.
- Due Diligence & Evaluation – You conduct the vendor risk assessment, which can be based on a standard such as the National Institute of Standards and Technology (NIST) Special Publication 800-53 control catalog, or on a customized questionnaire that includes organization-specific security controls and requirements.
- Contracting – Based on the assessment results, you negotiate contractual risk controls and the measurements used to verify them, such as the security requirements the vendor must meet and how it must respond to a data breach.
- Continuous Monitoring – You reassess the vendor throughout the relationship to ensure ongoing compliance with the agreed security standards, using security ratings and alert mechanisms rather than relying on a point-in-time assessment.
Why is third-party risk management important?
Every organization, no matter its size or industry, engages with third-party vendors. But in working with them, organizations usually grant them access to their networks and data, increasing exposure to risk and expanding the attack surface.
As a consequence, securing data and implementing defensive measures does not end at your organization’s digital perimeter. Simply put: you could end up in the headlines because your vendor failed to protect your data and that of your customers.
It is necessary to assess, monitor, and reduce the risks that arise from third-party business relationships, as well as ensure that the vendor will comply with your security standards. This is all part of a third-party risk management (TPRM) program.
What does a TPRM program entail?
A third-party risk management program manages the risks associated with third-party vendors, customers, or regulators end-to-end. This involves collecting critical vendor information, assessing each vendor’s security posture, tracking which data and systems they have access to, understanding which regulations and internal policies apply to them, and more.
In doing so, you might want to know things like:
- Which of your vendors has access to critical information?
- What types of data do they have access to? Think Personally Identifiable Information (PII) or Nonpublic Personal Information (NPI).
- Do their services support your organization’s compliance with laws, regulations, and standards such as HIPAA, PCI DSS, CCPA, and GDPR, or could they put that compliance at risk?
- Do they have an incident response plan?
- Do they comply with any industry standards?
- How will they act in case of a data breach?
Ultimately, the goal of TPRM is for you to know how much risk you are taking by engaging with a vendor, and to have enough information to decide if you want to pursue that relationship.
How does TPRM fit in the overall enterprise risk management strategy?
TPRM is a critical component of a comprehensive Governance, Risk and Compliance (GRC) program. GRC manages enterprise risk on a much broader scale, including external risks, corporate governance, and compliance with regulatory requirements. Legal, contractual, internal, social, and ethical parameters, as well as industry regulations, fall under the GRC umbrella.
Therefore, every insight from a proper due diligence and vendor risk assessment process, obtained as part of a third-party risk management program, is a valuable input for the overall enterprise risk management and strategic decision making that GRC owns. That is why, in many organizations, TPRM is conducted by the GRC team, though a dedicated TPRM function is preferable where the size of the vendor ecosystem justifies it.
What are the benefits to having a third-party risk management program in place?
There are a number of benefits to reducing risk in your supply chain; to name a few:
- Consistency in rating the security posture of third parties
- Operational efficiency, with lower cost and a less fragmented third-party risk management process
- Assurance that the vendor ecosystem adheres to its contractual commitments
- Access to data to make informed decisions on third-party relationships
Learn how Bitsight TPRM can bring your third-party risk management program to new heights and ensure a secure relationship with third-party vendors to avoid unnecessary risks.