Article
What is third-party risk management (TPRM)?
Third-party risk management is the process of an organization’s identification, assessment, and control of risks from external business partners and vendors, including vendors, partners, service providers, suppliers, and contractors. It extends risk management beyond an organization’s internal users to encompass the entire ecosystem where vulnerabilities can exist—throughout the lifecycle of all users.
See how to execute risk-based identity access and lifecycle strategies for non-employees.
Third-party risk management provides increased visibility into potential cyber threats to help reduce risk and prevent attacks by applying governance policies to all entities that could be or become a threat vector. It includes processes and procedures that check for and require the mitigation of third-party risk.
It is important to note that the threats addressed with third-party risk management extend beyond cybersecurity and include other vulnerabilities that could harm an organization, such as labor issues, failure to comply with laws or regulations, and audit deficiencies. While these threats are very different from those posed by cyber attackers, they can still significantly negatively impact an organization and result in grave harm.
Why third-party risk management is important
Digital transformation and using more third parties to conduct business has driven the increased importance of third-party risk management, because it has dramatically increased the number of the enterprise’s connected external entities. From supply chain-related vendors and partners to cloud service providers and software-as-a-service (SaaS) solutions, third-party risk management is critical to protecting organizations from cyber threats.
Third-party risk management helps ensure the viability and security of this growing ecosystem. Among the many reasons that third-party risk management is essential are:
- Compliance with laws, regulations, and standards
- Mitigating operational disruptions
- Contingency plans for natural disasters
- Data protection
- Financial health
- Protecting IT and physical security systems and processes
- Plans for continuity in the event of geopolitical issues and crises (e.g., wars, civil unrest)
- Ensuring business and supply chain continuity
- Safeguarding reputation and brand image
Risks from third parties
There are many ways that third parties pose risks to organizations. In some cases, the risk is isolated to a single area, such as a compliance violation. In most cases, however, multiple areas are impacted.
Any organization can be the victim of a cyberattack, but attackers often target third parties that do not have the breadth or depth of security as target organizations.
Once the third party is compromised, it can be used as a launch point to access the higher-value target.
An example is a data breach, which represents several risk categories, including compliance violations, financial and reputational damage, and business disruption. Some third-party risks can affect the enterprise in multiple ways.
Data breaches are an example of a dangerous risk overlapping numerous categories. Ultimately caused by cybersecurity gaps, data breaches include risk across areas like:
- Regulatory compliance
A lack of third-party security controls can cause regulatory violations or failure of a third party to meet compliance requirements. Regulatory compliance risk occurs when services, products, or processes do not meet the minimum standards set forth in laws, rules, regulations, policies, or ethical standards. - Financial
Potential damage to an organization’s financial standing caused by a third party constitutes financial risk. This can be anything from a third party delivering substandard work to producing defective components used by the organization. The financial risk can be fines or legal expenses. - Operational
Operational risk is related to a third-party being the cause of operations shutting down due to failed or inadequate people, processes, or systems. Operational risk could also be attributed to a third party’s lack of preparedness for a natural disaster. - Reputational
Reputational risk can be tied to any number of activities or behaviors that result in negative public opinion spilling over to an organization, because of its relationship with a third party. This can include repercussions from legal issues, data breaches, negative customer experiences, and compliance violations. - Transaction
Any issues with third parties delivering services or products can produce transaction risk. It can also result from a third party’s failure to perform as expected due to diminished capacity, technical issues, or human error.
Benefits of third-party risk management
- Ability to monitor service levels, performance, financial health, and security posture
- Access to more information to improve and expedite decision making
- Improved decision-making from providing organizations with valuable insights and data
- Assurance that third parties engage resources with the appropriate skills and credentials
- Compliance with regulatory requirements
- Control over a third party’s access to networks, applications, and sensitive data
- Enhanced visibility into and oversight of third-party risk factors
- Vendor performance improvement as risk management promotes transparency and accountability
- Fraud detection and prevention
- Stakeholder (including investors, regulators, and business partners) confidence
Third-party risk management processes
The process for third-party risk management revolves around the lifecycle of each third party. Following are considerations, from initial engagement to offboarding, to guide third-party risk management and governance.
Create a third-party risk measurement system to guide due diligence on potential third-party relationships. This tactic aims to measure potential risk against the organization’s acceptable risk levels in various areas, including security, privacy, and disaster recovery systems. In this phase, risk baselines are established.
Understand the risks associated with engaging a third party for a particular task or function and use the measurement tool to assess their risk profile and assign a risk score. This phase of third-party risk management is commonly conducted by having third parties complete a questionnaire, checking a vendor intelligence database, or a combination of these. During the assessment, it is important to include any subcontractors and other outsourced functions that the third party relies on for business continuity.
Categorize third parties and the access they need based on their risk score. A complete inventory should be made of all third parties (including non-employees), their risk scores, and what information they need to access to perform their assigned tasks.
Third-party risk management solutions are often used in conjunction with data governance solutions. This helps organize third-party data, flag potential issues, and ensure compliance with regulations and key security frameworks, such as the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), or Service Organization Control Type 2 (SOC 2).
Onboard vendors after completing risk assessments.Part of onboarding should include risk conditions in contracts that specify how they will ensure protections are in place to address risks.
Monitor and audit vendors on an ongoing basis.Because third parties’ systems, processes, and behaviors can change and introduce new risks, it is important to have regular risk evaluations and ongoing monitoring. Third-party risk management solutions help automate much of this process using external sources of continuous third-party intelligence to validate assessment responses against external observations. These include:
- cyber intelligence
- business updates
- financial reports
- media screening
- global sanctions lists
- state-owner enterprise screening
- politically-exposed person screening
- breach event notifications
Incident response and contingency planning should be created to ensure business continuity in the event of a failure or termination of a third-party relationship.
Service level agreement (SLA) and performance oversight measurements can be handled with third-party risk management solutions. Functions include assessments and monitoring to confirm whether obligations for performance and compliance are being met.
Offboarding and termination are very important, but oft-neglected functions. Third-party risk management processes ensure that complete assessments are conducted to offboard third parties properly. This includes everything from reviewing deliverables against contracts and settling invoices to removing access to systems, data, applications, and buildings.
Repeat the process for each new third party.Third-party risk management is an ongoing function that needs to be applied to all third parties throughout their lifecycles.
Continuous improvement. Regularly review and improve the organization's third-party risk management program based on lessons learned, emerging threats, and changes in the regulatory landscape. It’s important to stay updated on industry best practices and adapt processes accordingly.
Third-party vendor management
Third-party risk management requires an understanding of the ecosystem. There are many types of third-party vendors, including cloud hosting providers, cloud-based / SaaS software solutions, business partners, suppliers, contractors, contingent workers, agencies, and professional service providers such as tax professionals, accountants, consultants, and attorneys.
Effective third-party risk management solutions help by providing
- Central visibility into all third-party relationships and contracts
- Contractual terms and provisions related to risk management and mitigation
- Identification and evaluation of fourth parties (i.e., downstream vendors, suppliers, contractors)
- Processes for assessing third parties before they are onboarded
- Support for offboarding third parties
- Third-party risk oversight and monitoring
Evaluating third parties
Evaluations should be continuous throughout the third-party lifecycle, but in-depth assessments should be conducted before onboarding. Questions to consider when evaluating third parties include the following; the answers can be organized in a third-party risk management system.
- What type of data and applications is the third party accessing?
- Is the third party only accessing the information needed to perform their tasks?
- Does the third party have physical access to buildings and storage areas?
- What would happen if the third party’s availability is compromised?
- How would a leak of information accessed by a third party impact the organization?
- What policies, procedures, and processes are in place to secure data accessed by a third party?
- Does the security architecture of cloud service and application providers meet compliance requirements?
- Does the third party have processes in place for regular security testing and audits?
- Does the third party have any regulatory compliance verification, such as a Service Organization Controls (SOC) report or a Payment Card Industry Data Security Standard (PCI DSS) Level-1 certification?
- Which regulatory standards does the third party support?
- Does the third party have agreements with downstream vendors that dictate security, privacy, and resiliency terms?
- Does the third party have a disaster recovery and business continuity plan?
- Does the third party have appropriate policies and procedures to ensure the safe return of all organization-owned assets and data?
Recommended documentation that third-party vendors should provide includes:
- Details about the qualifications and experience of the third-party vendor’s leadership team
- Employment policies, especially with regard to employees who handle sensitive data
- Financial health information, such as audited financial statements, annual reports, and U. S. Securities and Exchange Commission (SEC) filings
- Information about service and quality standards
- List of other parties or subcontractors used by the third-party vendor
- Plans for resumption of service in the event of an unexpected disruption
- Proof of ability to implement and monitor the proposed activity
- Records related to significant complaints or litigation, or regulatory actions against the third-party vendor
- Scope of internal controls and systems to ensure data security and privacy protections, and audit coverage
Third-party risk management challenges
Commonly cited third-party risk management challenges include:
- Cumbersome and complex to perform third-party due diligence
- Difficult to compile and maintain an exhaustive list of third parties
- Hard to manage communication around issues
- Onboarding a new third party is time-consuming as collaboration with both internal and external stakeholders is required
- Increased regulatory statutes to adhere to varying and numerous compliance requirements
- Lack of resources dedicated to third-party risk management
- Limited to no policy awareness and training
- Multiple processes need to be continuously monitored and evaluated
- Unstructured third-party monitoring process
- Very resource-intensive task that is difficult to scale when approached manually using spreadsheets and questionnaires
- Cultural and communication differences can occur, especially when working with third parties located in different countries or cultural contexts
- The risk landscape is dynamic and continually evolving
Third-party risk management platforms
There are many types of third-party risk management platforms available to meet organizations’ specific needs, from general-purpose to industry-specific solutions. Third-party risk management platforms are used for assessing, monitoring, reporting, and remediating third-party risks.
Key functions provided with third-party risk management platforms include:
- Acting as the system of record for third-party risk management
- Automating workflows
- Integrating with risk-domain-specific data and insight services
Third-party risk management platform FAQ
What are third-party management solutions?
These are technologies and systems designed to automate third-party risk management processes or functions. Third-party risk management solutions are run on-premises or delivered as enterprise SaaS platforms.
What are security rating services (SRS)?
These are subscription services used by third-party risk management solutions that provide data to help with risk analysis and scoring.
Who are the key stakeholders to consider when implementing a third-party risk management platform?
Internal stakeholders include executives (e.g., CEO, CFO, CIO, COO, CISO), general counsel, board members, internal auditors, and related department heads. External stakeholders include vendors, partners, regulators, and customers.
Should third-party risk management be a priority?
Yes, with a continuously growing and increasingly complex threat landscape, third-party risk management must be a priority. The priority level depends on the number and types of third parties in an organization’s ecosystem.
What are examples of vendors and partners that a third-party risk management platform helps track?
- Cloud service providers
- Financial management services
- IT management services
- Payroll service providers
- Software vendors
- Staffing agencies
- Suppliers and contractors
- Tax professionals
- Marketing and advertising agencies
- Affiliate physicals, travel nurses, students, and volunteers
- Merger and acquisition targets
- Channel partners and resellers
What is third-party compliance?
Third-party compliance ensures that third parties abide by the rules and regulations set forth by organizations, standards bodies, and governments.
Third-party risk management enables mutual success
The discipline of enforcing third-party risk management delivers benefits to all involved. It proactively identifies weaknesses that can be mitigated before vulnerabilities become issues. The effort taken to enable effective third-party risk management minimizes unfortunate outcomes and increases efficiency and productivity as a byproduct.
Take control of your cloud platform.
Learn more about third party risk.