In part 2 of this tutorial, you learn a 6-step approach for implementing third-party risk management (TPRM) within your organization. This article focuses on third-party prioritization, due diligence, and risk monitoring.
Third-party risk management is about managing risks introduced by third parties
In part 1 of this article, we defined third-party cyber risk management as a management process aimed at protecting your organization against the various risks introduced by third parties. Nowadays, almost every organization is exposed to third-party risks. For instance, if you run a physical store, you are likely to rely on digital payment services provided by multiple organizations. Your ability to process payments depends on the continuity of these organizations: a disruption on the side of your payment provider would mean that you can't do business anymore. This is a third-party risk.
Third-party risk management is implemented by using a 6-step approach
The following 6 steps can help you implement third-party risk management within your organization:
- Establish foundation (Part 1)
- Define requirement scope (Part 1)
- Create an inventory of third parties (Part 1)
- Prioritize third parties
- Perform due diligence assessments
- Monitor and follow-up
In part 1 of this article, we discussed the foundation of vendor risk management, scope requirements and the inventory of third parties. In this second part of the article, we focus on prioritization of third parties, due diligence assessments, and risk monitoring.
Step 4: Prioritize third parties
The aim of third-party prioritization is to determine (a) which third parties will be in scope for the due diligence assessments and (b) in what order the third parties or contracts will be assessed. You do this by assigning a risk profile to each third-party engagement. Prioritization is especially worthwhile when you rely on a large number of third parties and/or are subject to many compliance frameworks and requirements, because you cannot assess everything at once.
You can prioritize at the third-party level or at the contract level. Preferably you prioritize at the contract level, as some vendors provide many different services to your organization and a vendor-level profile would either over- or under-rate several of them. The downside is that contract-level prioritization takes more time.
Now you need to define a prioritization process in order to determine a risk profile. Unfortunately, there is no generic best practice methodology, guide, or questionnaire for this as it is dependent on the TPRM scope. What you want to achieve is a well-designed and repeatable (your colleague should get the same result) process for the segmentation of third parties. Dedicated tooling can help you to get the job done.
What could the third-party prioritization process look like? First, you define the segments that you want to use, for instance low, medium, high and critical. Then you define the criteria that you will use for the prioritization, such as type of business, access to sensitive information, compliance requirements, your dependency on the third party, spend size or replaceability. Based on the identified criteria, you define a short list of closed questions, one or two per criterion. Keep the number of questions small: business owners will answer five questions consistently, not fifty. An example could be: Does this third-party service support a critical business process or critical function?
In the next step, you create a table in which you list the questions (rows) and assign each possible answer to one of the risk levels (columns). It is recommended to take a rule-based approach, so that the profile follows mechanically from the answers rather than from the assessor's judgement. For example, if the answer to the question "Does this third-party service support a critical business process or critical function?" is yes, the engagement automatically receives a critical risk profile, whatever the other answers are.
The final step is to reach out to the relevant business owners and third-party managers to jointly conduct the risk prioritization for existing contracts. You also need to implement the prioritization process for new third parties and contracts.
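As an added illustration (not part of the original tutorial), the following Python implements a decision table of the kind described in Step 4: one closed question per criterion, each answer mapped to a segment, one rule that forces a critical profile, highest-wins otherwise, and a stable ordering of engagements for assessment. The criteria, answer options, vendor names and contracts are constructed for the example and are not taken from any real engagement.

```python
"""Rule-based third-party prioritization (added example).

A decision table maps the answers to a few closed questions onto a risk
profile, then orders engagements for due diligence. Questions, answer
options and engagements below are constructed for illustration.
"""

from collections import Counter

# Segments from least to most severe; the index is used to compare levels.
LEVELS = ("low", "medium", "high", "critical")

# Decision table (constructed): criterion -> (closed question, answer -> level).
DECISION_TABLE = {
    "critical_process": (
        "Does this service support a critical business process or function?",
        {"no": "low", "yes": "critical"},
    ),
    "sensitive_data": (
        "What is the most sensitive data the third party can access?",
        {"none": "low", "internal": "medium", "personal": "high", "regulated": "critical"},
    ),
    "replaceability": (
        "How quickly could you switch to another provider?",
        {"days": "low", "weeks": "medium", "months": "high", "not_replaceable": "critical"},
    ),
    "compliance": (
        "Is the service in scope of a compliance framework (e.g. PCI DSS, GDPR)?",
        {"no": "low", "yes": "high"},
    ),
    "spend": (
        "Annual spend band",
        {"small": "low", "medium": "medium", "large": "high"},
    ),
}

# Rule from the text: a 'yes' on the critical-process question is critical
# regardless of the other answers.
OVERRIDES = {("critical_process", "yes"): "critical"}


def classify(answers):
    """Return the risk profile for one engagement (third party or contract).

    Deterministic: identical answers always give the same profile, and
    incomplete or off-list answers are rejected instead of being guessed at,
    so two assessors cannot reach different results from the same input.
    """
    missing = set(DECISION_TABLE) - set(answers)
    if missing:
        raise ValueError(f"unanswered criteria: {sorted(missing)}")
    levels, override = [], None
    for criterion, answer in answers.items():
        if criterion not in DECISION_TABLE:
            raise ValueError(f"unknown criterion: {criterion}")
        _, mapping = DECISION_TABLE[criterion]
        if answer not in mapping:
            raise ValueError(f"{criterion}: {answer!r} is not one of {sorted(mapping)}")
        if (criterion, answer) in OVERRIDES:
            override = OVERRIDES[(criterion, answer)]
        levels.append(mapping[answer])
    # Highest-wins: a single high-risk criterion is enough to place the
    # engagement in that segment; an override beats everything.
    return override or max(levels, key=LEVELS.index)


def prioritize(engagements):
    """Attach a profile to each engagement and order them for assessment:
    most severe first, then by name so the order is stable across runs."""
    scored = [dict(e, profile=classify(e["answers"])) for e in engagements]
    scored.sort(key=lambda e: (-LEVELS.index(e["profile"]), e["third_party"], e["contract"]))
    return scored


def segment_counts(scored):
    """Engagements per segment, for the stakeholder overview in Step 6."""
    return dict(Counter(e["profile"] for e in scored))


# Constructed sample. Two contracts with the same vendor show why a
# contract-level profile can differ from a vendor-level one.
SAMPLE_ENGAGEMENTS = [
    {"third_party": "PayCo", "contract": "card acquiring",
     "answers": {"critical_process": "yes", "sensitive_data": "regulated",
                 "replaceability": "months", "compliance": "yes", "spend": "large"}},
    {"third_party": "PayCo", "contract": "marketing analytics",
     "answers": {"critical_process": "no", "sensitive_data": "personal",
                 "replaceability": "weeks", "compliance": "yes", "spend": "small"}},
    {"third_party": "OfficeSupplies BV", "contract": "stationery",
     "answers": {"critical_process": "no", "sensitive_data": "none",
                 "replaceability": "days", "compliance": "no", "spend": "small"}},
    {"third_party": "CleanCo", "contract": "office cleaning",
     "answers": {"critical_process": "no", "sensitive_data": "internal",
                 "replaceability": "weeks", "compliance": "no", "spend": "medium"}},
]

if __name__ == "__main__":
    ordered = prioritize(SAMPLE_ENGAGEMENTS)
    for e in ordered:
        print(f"{e['profile']:>8}  {e['third_party']} / {e['contract']}")
    print(segment_counts(ordered))
```

The two PayCo contracts land in different segments (critical for card acquiring, high for marketing analytics), which is the point made above about prioritizing at contract level. Rejecting unknown answers is deliberate: a free-text "depends" would otherwise silently fall into some default segment and undermine repeatability.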
Step 5: Perform due diligence assessments
Step 5 is about performing due diligence assessments. This is the core of third-party risk management as it is aimed at identifying the extent to which your organization is exposed to risks caused by third-party relationships.
What type of assessment?
A due diligence assessment can be conducted by using a self-assessment methodology, an audit or by relying on risk profiles created by other companies. Let’s discuss these due diligence assessment types in greater detail:
- Self-assessment is the most common and cost-efficient way to assess third-party risks. You request the third party to fill in the questionnaire to the best of their knowledge. Because the answers are self-reported, you may want them to provide supporting evidence (policies, configuration screenshots, audit reports) for the controls that matter most to you.
- An audit can be conducted to achieve more certainty or even assurance about third-party risks. You can do it yourself or ask an external auditor to assess the third-party. Doing an audit yourself is time-consuming. An external auditor is more expensive.
- Third-party data providers such as SecurityScoreCard and BitSight offer generic company risk profiles and risk reports. The value of these reports differs and depends on the scope and setup. Bear in mind that they are built from externally observable signals (exposed services, certificate hygiene, leaked credentials, reputation data) and say nothing about a vendor's internal controls or about the specific service you buy from them.
What to assess?
After you have decided the type of the assessment, you have to define the content of the due diligence assessment. There are several options:
- Best practice assessment questionnaires. You could use free or paid best practice assessment templates.
- Assessment questionnaires defined by industry groups. Some industry groups have developed their own assessment questionnaires.
- Documentation request. You could decide to request annual ISO certificates, PCI DSS attestations or SOC reports from your third parties. Bear in mind that these reports are not always suitable for TPRM: they are often based on generic processes and capabilities or have a slightly different scope. Always check which entities, systems and services the certificate or report actually covers, which period it covers, and which exceptions the auditor noted.
- Develop your own assessment questionnaire. You could also create your own questionnaire template, preferably aligned with or based on a best-practice template. For instance, take a recognized framework like ISO 27001 or the NIST Cybersecurity Framework as a foundation to ensure you are covering all the critical elements. It is advised to keep the number of questions to a minimum. Too many questions will impact third-party engagement and hence response time and quality.
When to assess?
The next and final step is to determine when you want to perform the due diligence assessment. There are multiple options:
- Pre-contract. Most organizations share and negotiate a set of requirements before the contract with a third party is closed. Conducting a due diligence assessment at this stage is good practice: it provides insight into third-party risks upfront, and findings can still be translated into contractual requirements before you are committed.
- During contract renewal. Contract renewal provides an excellent opportunity for a due diligence assessment. The outcomes of the assessment can be taken into account during the renewal process.
- External event. Sometimes due diligence assessments are initiated due to an incident or additional requirements set by regulators.
- Periodic. Some organizations choose to perform a due diligence assessment on a regular basis, e.g. annually or every two years.
- Risk-based. The frequency and timing of the due diligence assessment can be based upon the risk profile of the third party (for instance, annually for critical engagements and less often for low-risk ones). This can be considered good practice since it reduces the burden on vendors and helps you focus on the most critical third parties and contracts.
- Continuous. On rare occasions organizations demand continuous insight into the risks that are introduced by third parties. It is expected that this type of due diligence assessment will grow in the coming years.
How to send the assessment?
It is key to inform your third parties in advance that you will conduct a due diligence assessment, and why. Traditionally, organizations send due diligence assessments as spreadsheets via e-mail. This approach is easy but becomes difficult to administer and scale if you need to send out many assessments, track responses and compare results over time. It is therefore recommended to adopt a cloud-based TPRM solution.
Step 6: Monitor and follow up on third-party risks
The sixth and final step of implementing third-party risk management is monitoring and following up. This step includes ensuring that all assessments are completed, all answers are understood, and that you follow up on risks and other issues that come out of the assessment.
In addition, you need to create an aggregated overview of assessment responses and results for your stakeholders, based on the assessment questionnaire. As there are most likely different user groups with an information need (for instance procurement, management, security), you might want to tailor the reporting to the needs of the various stakeholders, including content, visualization and frequency of reporting. It is recommended to conduct a workshop per stakeholder group to obtain the reporting requirements.
In this step, you also need to decide what to do with risks that exceed your risk appetite and with other issues that need to be resolved: accept the risk explicitly, agree a remediation plan with the third party and track it to completion, add compensating controls on your own side, or end the engagement. Without this follow-up, the assessment only documents the exposure rather than reducing it.
Other suggested reading
Curious about other tutorials? Try our tutorial on risk assessments for business continuity purposes