7 steps to effective third-party risk management
A successful third-party risk management (TPRM) program extends way beyond just the onboarding process; organizations need to be invested in the total TPRM lifecycle — from start to finish — if they want to manage risk properly.
A huge amount of time and effort typically goes into an initial vendor assessment and onboarding. But when a third party finally gets on the approved vendor list (AVL), everyone moves on to the next project and might not think about that vendor again — until a data breach or compliance failure happens.
According to an Opus & Ponemon study, organizations share confidential and sensitive information with approximately 583 third parties on average — that adds up to a lot of additional risk. And only 34% of organizations in the study reported keeping a comprehensive inventory of these third parties, while just 35% rated their TPRM program as highly effective.
So how can organizations create a highly effective, better-managed TPRM program? How can you reduce the risk that your vendors pose?
Creating standardized processes and using technology at each step in the TPRM lifecycle — from onboarding to termination — helps you manage vendor risk much more effectively. Here are seven areas where improved processes and dedicated technology can help.
Process and Technology in the TPRM Lifecycle
1. Create a Standardized, Automated Onboarding Process
From the initial vendor request and prescreening to collecting required documentation (e.g., insurance, certifications), following a standard onboarding process ensures that you’re not missing any critical requirements, and that you and your vendor are prepared to start doing business together. You’ll want to first define that process and use your software to standardize the workflow. Read more about defining your frameworks in our blog, Getting Started with Third-Party Risk Management.
As part of your onboarding, you’ll want to create a central repository of vendors (ideally within a software platform) so you can see, at any time, where a vendor is in the onboarding process. And finally, your process should include an easy way for business units and/or procurement to add new vendor requests with a simple online form. Ideally, you’ll use a tool that will automatically notify you, and kick off an automated onboarding workflow, when a new vendor request is added.
2. Create a Profile for Each Vendor
Creating a risk profile for each vendor will help you define your relationship and understand the products/services they’ll provide — and how essential they are to your organization. It will also define what type of physical, systems and data access to give the vendor.
Categorization through risk profiling makes vetting your vendors more consistent and creates a better understanding of your vendor population. The profile will also dictate the types and complexity of questionnaires you’ll need to round out the vendor risk profile, because different vendors should get different questions (e.g., your cloud provider may have access to sensitive data, while your office cleaning company likely won’t).
3. Use Risk and Controls Assessments
Once you understand the risk a vendor presents, you’ll need to check that the proper controls are in place to manage that risk, and that they’re operating effectively. Those controls can be part of a larger framework.
There’s no need to reinvent the wheel; you can align to best-practice industry control frameworks (e.g., NIST, ISO, CSA) to support your assessment process.
4. Have a Remediation Management Plan
It’s not uncommon to find an issue when onboarding vendors (in fact, if you never find a single issue, that in itself is a risk!), so having a plan to address and remediate the issues quickly to keep the onboarding process going is critical. With HighBond, there are four steps to the remediation management process, whether it’s a control gap or an exception that’s been identified within a project:
- Record the issue — or better yet, let the software auto-create it for you
- Record action items to identify follow-up measures
- Send recurring action reminders to people who need to respond
- Remediate and retest the issue
Remediation activities don’t have to be painful or crazy time-consuming. You can even make things easier by using rules-based automation to ensure issues aren’t closed before all the action items are completed.
5. Regularly Review Contracts
Now that you’ve remediated your issues, you’ll want to consider how well your vendors are performing against their contracts. TPRM is not “set-it-and-forget-it”: you have to regularly review contracts to monitor vendor performance and stay ahead of renewals or expirations. Poorly managed contracts are a source of both increased risk (like those data breaches we mentioned earlier) and revenue loss, as are manual contract management methods.
If your TPRM program is at a maturity level where performance management matters, you’ll want to effectively collect, measure, and monitor key performance indicators (KPIs). With the right technology in place, you’ll be able to monitor and proactively assess the risk of non-performance. Learn more about assessing vendor risk with real-time data.
6. Mandate Ongoing Vendor Monitoring
It’s not just the contract that requires a regular check-in. That supplier you vetted a year ago (and haven’t checked back on) could put you in danger of a compliance violation or disrupt your supply chain today. Ongoing monitoring can be accomplished in a number of ways, but some common methods include:
- Automating the scheduling of follow-up assessments based on the risk level of a vendor. A low-risk vendor might be scheduled for re-assessment every three years, while a critical vendor may require quarterly reviews.
- Using rule-based automation to trigger assessments when thresholds are breached or related events discovered (e.g., a significant incident identified with a related fourth party).
- Integrating third-party intelligence feeds that provide ongoing monitoring alerts for significant changes to a vendor’s risk ratings (e.g., credit ratings, IT security risk ratings), new appearances in adverse media or on government watch lists, or the filing of public records involving the vendor.
7. Define a Vendor Offboarding Process
You may end a relationship with a vendor for a number of reasons, but it isn’t as simple as just stopping your orders. You’ll need an offboarding strategy that includes finalizing payments, disabling vendor access to data, and more. Just like your onboarding process, the offboarding process can be managed through your software and partially (if not almost totally) automated, to ensure you don’t miss anything.
Getting Started with Third-Party Risk Management
Regulatory requirements, stakeholder expectations, and organizational goals and risks will shift over time. By following the TPRM lifecycle and implementing a software solution that can quickly adapt to changes, you can make the entire TPRM process easier on everyone.