Over the past several articles I’ve gone into some depth about TPRM; why it’s a critical part of managing cyber risk, how to integrate TPRM into your enterprise risk program, and the importance of assessment and governance to the overall effort. In doing so it’s possible this focus has created the impression that TPRM is difficult, complex, and necessarily consumes a great deal of resources to offer any value. So, in this writing, I’ll step back, and try to offer some simplifying perspective.
Managing third party risk is a process. More specifically it’s a series of processes. The level of sophistication and resource consumption required will vary greatly as you set about establishing and operating a set of processes that accomplish just five primary tasks:
- Evaluate vendors based on a set of defined criteria
- Determine and gather information needed to assess performance
- Manage subject matter expert review and scoring results
- Deliver actionable information in reports and dashboards
- Govern the first four to assure response to change and continuity year over year
All the details discussed to date reflect consideration to nourish these five core processes. If you do them all, in whatever form is effective for your enterprise, you’ll have a strong foundation for a quality TPRM program. All the frills, details, and nuances hang on these; it’s really that simple. So, let’s look at each more closely.
Evaluate vendors based on a set of defined criteria
You’ve already determined the vendor is capable of doing the work you need with quality. That’s why they are in this “process”. Let’s look at the important questions you’ll want to consider to evaluate your vendors.
- First, are they performing work in accordance with the standards your firm requires? If not, you have clear risk opportunity to your operations, brand, revenue, and more.
- Second, do they have access to your facility, either directly or remotely? This question helps set the scope of potential risk opportunity. For example, HVAC maintenance vendors offer a different scope of access and opportunity than payroll processors or remote marketing services.
- Third, is your data being kept safe and secure? Are you certain of what data is accessible to them, where and how they may store any, and how it is secured? Depending upon your business, the answers may have regulatory implications.
- Fourth, do you have a formal process to evaluate your vendors? A system is made of processes represented as a specific series of repeatable steps to accomplish a specific outcome. It is what it does. How does your formal process compare?
- Fifth, what is the impact if something were to go awry, and what mitigation or remediation actions might be necessary? Not only what’s the extent of risk posed by their service to your enterprise, but what’s the dimension of any response needed to address an incident?
Determine and gather information needed to assess performance
This is about performance of contracted services and about how well a vendor addresses risk within the requirements of your process. Some of this data is fundamental information about the vendor as a company. There are no ends to the number of details you might want to gather about your suppliers, vendors, materials sources, service providers, and partners. But random data gathering may do more to distort and cloud rather than clarify any understanding of a company’s nature. You do want to know if they are financially sound, if there’s serious litigation pending, whether they have a security process, and if so, its assessment. If your business is heavily regulated, then FinCEN compliance or other data might be important.
Fortunately, you don’t need to gather such information all on your own. Sending your vendors and suppliers exhaustive questionnaires and requesting hundreds of documents is a very 1990’s way of managing this process. It’s also one that bloats a vendor’s time-in-process and can scare many otherwise good firms away from being your partner. There are excellent data services offering subscriptions to all these critical categories of information and more. From SOC1’s and 2’s, to foreign government experience, credit ratings, reliability scores, global incident histories, regulatory findings and more. Often this data comes with details about its currency and with interpretive assistance. These may be important features to seek to help streamline internal processes, keeping your TPRM efforts effective, but streamlined and lean. Using data services is an excellent way to simplify your TPRM process and keep internal expenses in line with your risk appetite and budget.
Manage subject matter expert review and scoring results
By putting only relevant data into your process, subject matter experts (SME’s) will have a simpler time identifying items they wish to explore in more depth, if any. This will speed the overall vetting and approval process. Good data also means there may be fewer cases requiring review by SME’s. They do not necessarily need to examine everything. Complete reliable data will enable any identified concerns to be communicated, remediation determined and monitored. SME’s will be able to handle more cases in less time, and this will present a less complicated, bureaucratic process to your vendors. That’s important, particularly for small but highly skilled and qualified companies that do not have the resources to become entangled in a lengthy, complicated TPRM diligence exercise. Scoring also becomes simpler and more easily standardized when you have a stable, well defined, and easily completed dataset. Leaving SME’s to manually engage your third-party participants to fill data gaps and complete evaluations can be a tedious process leading to incomplete assessments or reliance upon presumptions based upon the data at hand. Both increase inherent risk needlessly.
Deliver actionable information in reports and dashboards
Decision-makers don’t rely upon data piles or lengthy narrative reports to make decisions and evaluate process operating performance. This is often where otherwise good programs fall short, leading to impressions of program dysfunction and abandonment. The best processes yield actionable information, that clearly answers key business questions. They employ visualization and distribution technologies to make this information clearly useful without expert interpretation, that’s readily available through predetermined reports in common formats, delivered to portals, internal web sites, or posted to secure repositories where they are easily retrieved by authorized managers. Empowering executives to make informed decisions is one of the most powerful outcomes of a quality TPRM program.
Govern these first four to assure response to change and continuity year over year
Managing these process steps to assure they remain effective is important. As company needs change there will be opportunities to adjust processes to adapt. Technology tools will introduce new features, may employ artificial intelligence features (AI) and offer more predictive analytics gleaned from the data stores you establish. Today’s global economy may lead to suppliers from virtually anywhere around the world offering services to meet your business needs. Adapting your TPRM processes to sustain your commitments to compliance regulatory and contractual obligations, expense pressures, all while sustaining an active cyber risk defense will be challenging.
Recap
Extending your operating and cyber risk through a threat perimeter extending to wherever your business takes you can be managed with thoughtful attention to TPRM processes as noted here. It can and should be made simple by keeping to the four core value basics:
- Evaluate vendors based on a set of defined criteria
- Determine and gather information needed to assess performance
- Manage subject matter expert review and scoring results
- Deliver actionable information in reports and dashboards
Employing subscription data services, keeping expert review for the cases where it adds value, making and delivering clear business reports, and applying sound process governance oversight will assure the program continues to deliver cost-effective value well into the future.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.