It comes as no shock that a focus on data security continues to rise with the increased number of breaches that occur as a result of organizations' third parties. While programs come in all shapes and sizes, the following five activities are often missed when creating or progressing your Third Party Risk Management (TPRM) program.
1. Inventory your assets.
The first step to protecting your assets (i.e. data) is to know where and what your assets are, yet many organizations struggle to understand this key component. Keeping an accurate and up to date inventory of not only your third parties, but also what data you send to them and where it resides is helpful in better understanding how your assets are being protected. Without this list, it is extremely difficult to know what third parties have access to your company's information.
With regards to obtaining an inventory of your organization's third parties, you can always start with Accounts Payable to see who you are paying and review your organization's contracts. You can also leverage software discovery tools to better understand what software your employees may have purchased or are using (as there are contracts in the form of click-through agreements tied to the software). Last, you can review inventories that may already exist within your business areas (especially if you do not have a centralized Procurement process).
With regards to an inventory of your data and where it resides, you can include questions within your risk assessments to determine what data will be/is being sent to your third parties, as well as where it resides within their organizations. You will also want to ask your third parties if they are sending your data to other organizations. You will then want to take this information and input it into a central repository of some sort. An example would be an excel with the third party's name, type of data they have access to and/or host, location of said data (where it resides), and in what medium or format it resides in. This is particularly helpful if you are terming relations with a vendor and need the third party to return and/or destroy your data or if said third party experienced a breach.
Inventorying your assets, location of data, and third parties are good first steps to ensuring you better understand your risk posture.
2. Centralize documentation.
There are many factors within an organization that contribute to the difficulty of finding and/or maintaining appropriate documentation. Much of this is due to the organic nature or organizations and the challenges of organizational silos. For example, your Legal and Supply Chain teams may use one repository for all contracts but other groups in the organization may not have access to said repository. Other teams may use different applications for the same activity. Another example is the business may request documentation from a third party; however, a Third Party Security team may request similar or different documentation from that same third party.
With documentation in several locations, this can lead to transparency issues, as well as create an inconsistent and frustrating experience for a third party. Maintaining a comprehensive inventory of third party documentation can help alleviate some of these issues, while also ensuring your organization understands all of the products/services and controls needing to be reviewed for a third party. A central documentation repository will also save time and resources during the risk assessment process. While there is no one, right solution for every organization, there is value in ensuring documentation is centrally maintained.
3. Assess risk based on organizational risk appetite.
The risk assessment is likely the most varied item in the third party risk review process between different organizations. While some organizations may have as few as ten questions, other organizations may have 2,000 questions. If you have worked in a risk-related field for any length of time, you are most likely struggling with this question: What is the right number of questions?
Unfortunately, there is no right or wrong answer to that question. Having a good understanding of what is important to your organization is a key step in determining what questions you should ask in your assessment. As an example, Financial organizations may have a completely different set of questions and care more about certain items compared to Healthcare organizations. The key is to determine what risks your organization is not willing to accept and focus your questions on those key areas. You may also want to add weight to these questions when assessing the risk of your third parties. This will ensure you are evaluating the right level of risk based upon your organization's risk appetite.
4. Educate your executives.
Having executive leaderships buy-in and support is critically important to ensuring you maintain an effective Third Party Risk Management program. But where do you start? Education is key and will ensure your executives have a working knowledge of the third party risk assessment and oversight process. Start with one executive who can be your champion and meet with him/her on a regular basis to ensure you have buy-in. Think outside the box when approaching your other executives. One example is holding a Third Party Risk summit strictly for your executives. This could be a two-hour event where you go through the risk assessment program, why it's important, how it saves your organization money and resources, what risks are trending (where your third parties fall short), and why you need their support. Without leadership support, any third party risks you discover may not be addressed at the appropriate level and ultimately put your own organization at risk.
5. Sync for collaboration.
Almost every department within your organization will require the services of a third party at some point in time. However, if there is not collaboration between the Third Party Risk Management function and the business, risk assessment efforts may be duplicated across the organization or risks may not be assessed at all. Therefore, it's helpful to sync third party efforts and activities across departments. After all, your business is the risk owner and responsible for understanding and managing the risks related to their third party relationships.
When syncing third party risk management activities, you may find a better outcome if you meet with your business departments to determine what third party processes already exist. You can then tie in your own third party risk management efforts into their existing processes (example, if the business is already meeting with a third party regularly, you can work with their schedule to risk assess said third party). This method does not always work if there are limited third party processes within the organization. You can also take the approach that your team will help alleviate some of the risk management work from the business and bring them in to discuss risks your team discovers. Your business can also keep you updated when there are changes to the relationship with the third party (example, ownership changes, leveraging new products/services, or sending additional data).
There is also a huge benefit to ensuring you maintain collaboration with your business partners. Collaboration can ensure you understand the evolving nature of third party relationships and also ensure your business understands the risks they are accepting on behalf of the organization.
Conclusion.
While the third party risk management space is not new for many, it is becoming increasingly important as business processes and data continue to be diversified. Having a good hold of the risk your organization takes on by being in a relationship with third parties can ensure you mitigate said risk appropriately. Identifying and addressing gaps in your program, such as the ones noted above, can allow your organization to continuously improve upon your risk mitigation techniques.