Updated: Sep 29, 2022
Blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric at TPRA’s July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the July 2022 meeting recording.)
Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator
A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss:
Goals and Challenges with TPRM Process Integration
When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as support business owners in reaching their day-to-day objectives.
But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk?
TPRM Challenges with Integration
Integrating TPRM into business processes can be a challenge. The Business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once risk is found, the business may not agree with or feel it is a high enough risk to warrant additional efforts to mitigate said risk. In the beginning phase of integration, it is important to have open lines of communication, and be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This ensures the business has a clearer understanding of where the third-party risk may lie and what next steps are needed. They may even help you champion certain discussions if they better understand the risk, as well as the support your team has from executives within your organization. To assist with integration, let’s look at what is needed from a due diligence standpoint.
What is Needed to Evaluate Risk
Understand what inherent risks exist
As your organization enters into a new third-party relationship, what are the inherent risks (or risks before controls are considered) that the third party is potentially bringing into the business? Understanding those potential risks will drive your due diligence efforts.
Evaluate controls and mitigate residual risks
After inherent risk is determined, it is then time to evaluate the controls the third party has in place to mitigate the inherent risk. Findings that come from testing these controls determine the residual risk of a third party. Action plans should then be established with the third party to mitigate said residual risk. If risk cannot be mitigated, then risk must either be accepted (at the appropriate level within your organization) or you may determine that it is too risky to move forward with the relationship.
Monitor for new risks and ensure remediation is effective
Once the relationship is established, it is important to continuously monitor the risks of your third party. Therefore, it is vital to implement continuous monitoring activities to evaluate third party risk on an ongoing basis. It is key in this phase to use a risk-based approach and not treat every vendor the same. This will ensure a long-lasting relationship, while also addressing third party risk at the highest level.
Ensure risk is mitigated even when the relationship is coming to an end
It is important to continue with risk-mitigation efforts even when you are terminating a third-party relationship. You want to ensure a smooth transition away from the third party, while also ensuring all of your organization’s data the third party housed is appropriately handled (i.e., returned and/or destroyed). This can be accomplished through a strong exit strategy, including an offboarding checklist, as well as the acceptance of a certificate of destruction. If you plan for the third party to maintain your data for a specific period of time (e.g., for a legal hold), then you will want to continue to evaluate the third party from a security perspective on an ongoing basis.
But how do you effectively integrate these TPRM processes into business processes without becoming a bottleneck? Below are some tips you can implement to ensure smooth integration.
Ensuring Integration into Business Process
First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but not be limited to:
Start working with the third party immediately
Speed to market (they have a project that has a tight deadline)
Security concerns they need to address will be mitigated by the onboarding of the new third party
Reaching a niche market
Long story short, the business wants to know how they can make implementation happen as quickly as possible and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place.
Some of the activities you can participate in to ensure integration into the business process are to:
Help the business understand
Help your business understand why certain processes exist and what the steps are to reach the business’ ultimate goal. Consider meeting with the business owner on a regular basis (at least quarterly) to walk them through your process, set target dates and goals, update them on the status of specific due diligence activities, and follow up on findings and on the vendor’s progress against their "get to green" plans.
Understand the relationship
Gain a better understanding of the relationship between the business and the third party, and work within the context of that existing relationship. This means working with your business to obtain what you need from the third party. If the relationship is strained, then find ways to communicate with the third party as efficiently as possible. The business, as well as the third party, want as little effort and disruption as possible.
Only ask for what is needed
Make sure you know what you want to ask the third party and only ask what is needed of them. Do not reach out 100 times because you did not include everything within your first request. This also provides your business with trust in what you are requesting because they know you will only ask for what is needed.
Have an exit strategy
As the relationship is ending, the business owner has other things they need to tend to, so they’ll want the relationship closed out as quickly as possible. There are still activities which need to happen on the back end of the relationship, such as data being returned and/or destroyed appropriately. If the third party will maintain data, then security reviews are required until the data is returned and/or destroyed. While the business owner recognizes those necessary activities, they may not always want to put energy into them. To alleviate this step, think through termination and create an exit strategy during the pre-contract phase, before the contract is signed. This ensures a smooth transition away from the third party on the back end of the relationship.
In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required in order for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as well as setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.
TPRM Challenges with the Rest of the Team
But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level, as well as ensure legal and regulatory processes are met.
Below are some examples of additional stakeholders and how TPRM can work with each:
Procurement
This team is responsible for bringing in new third parties or renewing current contracts. They are the “gatekeepers” for third party relationships. TPRM will want to integrate into the Procurement process so they can 1) be notified when new third-party relationships are formed and adequately review said relationships and third-party controls before contracts are signed, and 2) review contract redlines that relate to security or other third-party risks. This way they can ensure the contract has set the right level of expectations with regard to what controls the third party must have implemented, and will also ensure TPRM receives what they need in order to perform the reviews. Redlining the contract can also ensure TPRM is able to review the third party on an ongoing basis.
Compliance
This team ensures the organization is appropriately following regulations and meeting compliance objectives. TPRM will want to work with this team to ensure their third parties are also meeting regulatory compliance objectives. Compliance can also assist TPRM in determining what regulations should be followed for offshore resources.
Legal
This team works through contract templates and ensures agreements can be held up within a court of law. TPRM can work with this team to develop contract templates and addendums (which are crucial to ensuring you get the most out of your third-party relationship).
Other Operational Teams
Depending on how your TPRM program is set up (centralized vs. decentralized) there may be other teams TPRM works with to accomplish specific pieces of their review(s). For example, they may work with the Finance team to review the financials of a higher-risk vendor. TPRM should be aware of the current workload of these teams and strategically request reviews for higher-risk vendors so as not to overload other operational teams.
Getting Everyone on the Same Page
We’ve talked about why working with other teams is important. But how can everyone get on the same page with regards to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.
Executive support
Ensure you have the support of your executives. This is crucial for ensuring processes are followed across the enterprise.
Business and stakeholder champions
Find business and stakeholder champions. Determine who makes the decisions within your organization and ensure they are on your side with regards to TPRM implementation. This can greatly increase your chances for success when integrating TPRM processes into the business, as the loudest and most important decision makers agree with your approach and share that agreement with others.
Ensure everyone has a seat at the table
Ensure everyone has a seat at the table. This allows all necessary players to be heard, provide input, and agree to TPRM processes. They are also more likely to follow the process if they have input into it.
Strong TPRM policy and procedures
Develop a strong TPRM policy, as well as procedures, and ensure they align with a TPRM framework. This ensures everyone is aware of the process and can follow it appropriately.
Risk committee
Develop a risk committee. Now that your TPRM program is set up, ensuring risks are reviewed at the right level is the next step. You do not want the business accepting high risk on behalf of the organization. Therefore, this committee can help you determine the next steps in your risk mitigation efforts, as well as approve risk escalations and acceptance.
Responsibility Assignment Matrix (RACI)
Develop a Responsibility Assignment Matrix (RACI) to clarify roles and responsibilities of the different stakeholder groups. This helps to not only break out what the different activities are, but to also ensure the different stakeholders are aligned in their roles in the process.
Oversight and reporting
Align oversight and reporting, key performance indicators (KPIs)/key risk indicators (KRIs), to create holistic governance and accountability for managing third parties. Ensure risks are reported all the way up to the Board.
Periodic assessments and testing
Perform periodic assessments and testing to ensure TPRM processes are working as designed.
Automate - Optional
Automate for better transparency, process integration, workflow, and reporting. Systems should have the ability to automatically notify relevant stakeholders when an action needs to be taken.
Third Party Lifecycle Management Framework
But what should your TPRM Program include? Below is a diagram of a TPRM framework.
Source: TPRA Third Party Risk Management Lifecycle (c)
The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing,” and completing at “Termination and Offboarding.”
Within this framework is Operational Governance. While all of the activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies. This framework can help you better integrate into business operations and provide structure for disparate processes.
Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, as well as detail the importance of dealing with third party risk as quickly as possible. But ultimately, the Business Owners are the risk owners of their third party relationships.
There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and connect as many activities, processes, and systems as possible to ensure consistency and the most effective and efficient risk mitigation performance possible. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program, while also mitigating risk more effectively. Third party risk affects every area of a business, and therefore should be integrated accordingly.