Blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric at TPRA’s July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the July 2022 meeting recording.)
Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator
A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss the goals and challenges of TPRM process integration, what is needed to evaluate risk, how to integrate TPRM into business and stakeholder processes, and a third party lifecycle management framework.
Goals and Challenges with TPRM Process Integration
When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as support business owners in reaching their day-to-day objectives.
But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk?
TPRM Challenges with Integration
Integrating TPRM into business processes can be a challenge. The Business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once a risk is found, the business may not agree with the finding, or may not feel it is a high enough risk to warrant additional mitigation efforts. In the beginning phase of integration, it is important to have open lines of communication and to be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This gives the business a clearer understanding of where third-party risk may lie and what next steps are needed. If they better understand the risk, and the support your team has from executives within your organization, they may even help you champion certain discussions. To assist with integration, let's look at what is needed from a due diligence standpoint.
What is Needed to Evaluate Risk
Understand what inherent risks exist
As your organization enters into a new third-party relationship, what are the inherent risks (or risks before controls are considered) that the third party is potentially bringing into the business? Understanding those potential risks will drive your due diligence efforts.
Evaluate controls and mitigate residual risks
Monitor for new risks and ensure remediation is effective
Ensure risk is mitigated even when the relationship is coming to an end
But how do you effectively integrate these TPRM processes into business processes without becoming a bottleneck? Below are some tips you can implement to ensure smooth integration.
Ensuring Integration into Business Process
First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but are not limited to:
Start working with the third party immediately
Speed to market (they have a project that has a tight deadline)
Security concerns they need to address that will be mitigated by onboarding the new third party
Reaching a niche market
Long story short, the business wants to know how they can make implementation happen as quickly as possible and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place.
Some of the activities you can participate in to ensure integration into the business process are to:
Help the business understand
Help your business understand why certain processes exist and what the steps are to reach the business' ultimate goal. Consider meeting with the business owner on a regular basis (at least quarterly) to walk them through your process, set target dates and goals, update them on where you are within certain due diligence processes, and follow up on findings and on where the vendor stands within their "get to green" plans.
Understand the relationship
Only ask for what is needed
Have an exit strategy
In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required in order for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as well as setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.
TPRM Challenges with the Rest of the Team
But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level, as well as ensure legal and regulatory processes are met.
Below are some examples of additional stakeholders and how TPRM can work with each:
Procurement
This team is responsible for bringing in new third parties or renewing current contracts. They are the "gatekeepers" for third party relationships. TPRM will want to integrate into the Procurement process so they can 1) be notified when new third-party relationships are formed and adequately review those relationships and the third party's controls before contracts are signed, and 2) review contract redlines that relate to security or other third-party risks. This way they can ensure the contract sets the right level of expectations with regard to what controls the third party must have implemented, and that TPRM receives what it needs in order to perform its reviews. Redlining the contract can also ensure TPRM is able to review the third party on an ongoing basis.
Other Operational Teams
Getting Everyone on the Same Page
We've talked about why working with other teams is important. But how can everyone get on the same page with regard to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.
Ensure you have the support of your executives. This is crucial for ensuring processes are followed across the enterprise.
Business and stakeholder champions
Ensure everyone has a seat at the table
Strong TPRM policy and procedures
Oversight and reporting
Periodic assessments and testing
Automate - Optional
Third Party Lifecycle Management Framework
But what should your TPRM Program include? Below is a diagram of a TPRM framework.
Source: TPRA Third Party Risk Management Lifecycle (c)
The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing,” and completing at “Termination and Offboarding.”
Within this framework is Operational Governance. While all of the activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies. This framework can help you better integrate into business operations and provide structure for disparate processes.
Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, as well as detail the importance of dealing with third party risk as quickly as possible. But ultimately, the Business Owners are the risk owners of their third party relationships.
There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and to connect as many activities, processes, and systems as possible, so that risk mitigation is consistent, effective, and efficient. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program while mitigating risk more effectively. Third party risk affects every area of a business and therefore should be integrated accordingly.