In today’s world, organizations are increasingly dependent on their third-party vendors, suppliers, and partners to support their operations.
This way of working, combined with the digitalization era we’re in, can bring great advantages, such as being able to offer new services quickly by relying on others’ expertise, or cutting costs on existing processes. However, by opening their (digital) doors to third-parties or by sending them their precious data, organizations expose themselves to a broader range of risks: data breaches caused by third-parties, unauthorized access obtained through third-parties, and regulatory compliance failures, to name a few. An organization’s risk exposure should therefore also factor in third-party security risks.
Third-Party Risk Management (TPRM) revolves around the ability of organizations to identify, and remain in control of, the risks that emanate from working with their third-parties. Relying on third-parties comes with a shared responsibility between you and your third-party, but you ultimately bear the end responsibility: outsourcing a process does not outsource the accountability for it.
In this very first blogpost, within a series dedicated to TPRM, we’ll introduce TPRM and its key components. In the next blogposts, we will tackle specific topics and address questions you might have on TPRM.
So, what is Third-Party Risk Management?
TPRM is the process of identifying, minimizing, and keeping control of the risks that come from working with third-parties or service providers. In very simple terms, we assess the cybersecurity maturity of third-parties (e.g. suppliers) before signing a contract with them. By “third-parties” and “service providers” we mean any organization which either:
By building strong TPRM foundations, organizations can address risks before they materialize: by identifying them before any contract is signed, and by asking the third-party to remediate some of the findings as a condition of the engagement. Through TPRM, an organization can ensure, to some extent, that its own security requirements are applied consistently across the entire supply chain (whether internal or outsourced). Organizations with a mature TPRM process will also monitor the activities of their third-parties during the relationship, and regularly reassess the risks rather than relying on a one-off assessment at onboarding.
Why should we give TPRM the right level of importance?
Our introduction so far already gives you an idea of the importance of Third-Party Risk Management. As we said, organizations are becoming more and more digitally interconnected and reliant on their third-parties. Let us stress here the key reasons why TPRM deserves a place in your security program:
A mature and well-maintained TPRM program will make it easy to demonstrate to higher management that third-party risk is under control.
According to ENISA’s Threat Landscape (2023), supply chain attacks and third-party security breaches are among the top threats to be considered. Does your organization consider them?
How to build your TPRM framework?
Based on our experience, we propose a couple of building blocks to structure your TPRM activities.
1. Obtain visibility on all your third-parties.
To start your TPRM efforts, you first need to have an eye on all the third-parties your organization is involved with. A central inventory of your third-parties is a must.
If your organization has a procurement team, they will typically already have such an inventory. We recommend linking your efforts with the procurement team rather than recreating such an inventory on your side, as maintaining two inventories adds the complexity of keeping them aligned. With procurement being the gatekeeper of contracts, joining forces will also help your TPRM efforts in identifying new third-parties, as well as third-parties for which the relationship has ended and whose access and data flows should be terminated.
If your organization does not yet have a procurement team or such an inventory, clear communication and processes with the business side will be crucial, so that they share with you the list of third-parties they are aware of.
2. Start from your risk management program and risk appetite to steer your efforts.
Next, you should determine your security risk appetite and use it to steer your third-party risk management efforts. Make no mistake: just as with every security discipline, you will waste resources if you don’t set your focus right. Not every third-party warrants the same depth of assessment; a supplier with access to your production systems or sensitive data poses a different inherent risk than one delivering office supplies. Applying the concept of tiering based on inherent risk1 is crucial in this respect (refer to 3. below).
3. Execute with operational excellence.
TPRM is often perceived by the business wanting to contract with the third-party as a time-consuming constraint. It is therefore of utmost importance that your TPRM program is well integrated with the other existing functions within your organization, such as procurement, the data protection office, IT, etc., so that it becomes part of the contracting flow rather than a hurdle bolted onto it.
In our opinion, running a third-party risk management program should focus on 3 key activities:
Finally, your organization will want to define indicators to be able to monitor both:
Measuring will allow you to identify areas for improvement, both in operational excellence and in risk coverage.
As a lot of companies still organize their TPRM efforts mostly manually, it can be worthwhile to explore automation capabilities to achieve further operational excellence. For ideas on this, we refer to an earlier blogpost.
Conclusion
As organizations become more and more interconnected with their third-parties and rely on them to support their operations, effective Third-Party Risk Management becomes unavoidable. By focusing on TPRM, organizations can minimize the risks of engaging with their third-parties and remain in control of those risks. TPRM will not only proactively protect an organization’s sensitive data, operational continuity, and reputation, but will also strengthen trust with the organization’s stakeholders and customers by demonstrating control over the supply chain.
Thanks for reading our blogpost. Feel free to reach out to NVISO, and in particular the dedicated Enterprise GRC team, to dig further into this subject, share your feedback, or discuss how we can build something together.
About the authors
David & Noé both joined NVISO about 5 years ago. Since then, they have worked on different TPRM projects at some of Belgium’s biggest financial institutions, including 3 years together in the same TPRM project.