Practical Steps to Improve your Third-party Risk Management (TPRM) Program
As the way we work continues to evolve rapidly, so too does the complex web of an organization’s list of third-party vendors, and with that comes increased risk and opportunity.
We recently looked at the challenges of managing third-party risk and some key considerations for implementing an effective third-party risk management (TPRM) program. But what are the practical steps you can take to improve it? A combination of enhanced processes, improved understanding, and vendor risk management software.
Research conducted by KPMG International found that third-party risk management is a strategic priority for 85% of businesses, up from 77% prior to the outbreak of the COVID-19 pandemic.
There are four key actions to consider:
- Understand what’s going well, and what’s not – Conduct a self-assessment of your organization’s TPRM capability and ask key questions such as:
► What are our strengths?
► Where are our weaknesses?
It’s a good idea to ensure that part or all of the assessment is carried out by an external party as they will deliver impartial feedback and highlight potential areas for improvement.
- Understand your target state – If you have a vendor-first strategy that leads to a large amount of outsourcing, it’s crucial that you understand your target state for third-party due diligence. Have a roadmap that sets out realistic aims and objectives and how you intend to achieve them. Looking to do too much too soon with your program can cause issues, slow down the progression and can be counterintuitive.
- Build partnerships with vendors – Establishing a close relationship with critical vendors is central to the success of any TPRM program. Without partnerships, it becomes increasingly difficult to work toward common goals. Technology can help with monitoring and assessments, but having the ability to pick up the phone and openly discuss and address issues to mitigate any risks.
- Simplify risk assessments – Become the customer with which vendors want to do business. Keep vendor risk assessments simple and tailor questions to a particular vendor’s products or services. By being pragmatic in your approach to problem-solving, you’ll gather quality data that produces better results. Our TPRM questionnaire blog series will help you build a questionnaire from scratch.
Not all vendors pose equal risk
Another vital step to consider in your TPRM program is ranking vendors in order of importance to your business. For example, if a vendor is managing critical tasks that are central to your operations, you’ll need to know more about them, how they operate and any risks they present.
However, in comparison, if a vendor supplies your organization with office furniture, then there’s no need to present them with a detailed information security risk assessment containing 200 questions that they won’t know how to answer. Any data gathered will be of little value.
It’s also important to consider a vendor’s position in the broader market. You are unlikely to get a response from a big vendor like Microsoft. Instead, you’ll probably be directed to a terms and conditions page. Microsoft will also likely be on most businesses’ supplier lists, but in terms of criticality, do they need to be there if you’re only using applications such as Microsoft Office or Outlook? If either of these products were to go down, it would impact businesses globally, not just yours. Other products, on the other hand, such as Microsoft CRM dynamics, would need to be ranked as high risk as they can be tailored to your individual needs and business processes.
The importance of technology and quality data
Once you have ranked your vendors, data needs to be collected to understand the risks each one presents. Data sits at the heart of every organization, but with TPRM, it is about quality, not quantity. For example, you can gather large amounts of data from extensive vendor risk assessment questionnaires, but if you don’t have the skills or systems in place to use it effectively, it becomes more of a hindrance than a help.
By understanding the why, you can unlock the true value of the data that has been collected
Many organizations see technology and external solutions as the silver bullet that will fix everything.
Yes, they can be helpful, but any tools you choose must be used within the context of your business. Without building a data aggregator that allows you to look at things in a joined-up way, it’s almost impossible to see how the data is working for you.
The biggest challenge organizations have is how to determine the practical impact data has on their operations. It’s easy to make the mistake of asking what technology, such as vendor risk management software, can do rather than why we need it.
Standalone versus GRC tools
A key consideration when purchasing any tool to support your TPRM is the importance of embedding it into your GRC program.
Ask yourself, does the solution you’re looking to implement fit the long-term aims and objectives of your GRC strategy?
Typically, standalone solutions are attractive because key features are tailored to TPRM, they are easy to deploy, and they are cost-effective. However, they also often lack scalability and the mechanisms to build self-improvement processes or mature functionality within the tool.
In contrast, most GRC solutions give you the opportunity to start simple. They are built to support business growth, scale with it, break down information silos, and provide the benefits of an integrated approach to risk management. They do, however, require a much more joined-up approach and a great deal of upfront planning, which means you need to work to a very clear TPRM roadmap to maximize their potential.
The solution: keep it simple and reap the rewards
When it comes to TPRM, the challenge for many organizations is not to mature too quickly. Don’t become blinded by the technology available and equate more functionality and complexity to better results. Choose the solution that works best for your business, start simple and have a plan that allows you to scale over time.
For more information on the Vendor Risk Management software SureCloud offers, get in touch with an expert using the form below.
To find out more about how your organization can improve its TPRM program, check out this episode from our Capability-Centric GRC & Cyber Security podcast.
Stay in the know with SureCloud
Want to keep your fingers on the pulse of the information security world? Subscribe to the SureCloud newsletter and get the latest news, resources and insights – straight to your inbox.