Authors: TPRA Team & Practitioner Focus Group
The way in which organizations leverage third parties has evolved over the years, thereby increasing the quantity and severity of risks that third parties pose to an organization. Parallel to this evolution is an increase in the regulations surrounding organizations and their relationships with third parties. To ensure third parties are operating securely and effectively, by adequately monitoring and mitigating risks related to the data and/or processes that have been outsourced, an organization must have in place an effective Third Party Risk Management (TPRM) program. At the end of the day, an organization's ability to effectively detect, manage, and mitigate third party risk depends on the foundation on which it has built its TPRM program.
Building the Foundation
A TPRM program consists of six phases, which make up the TPRM Lifecycle. This article will focus on the first phase, Planning and Oversight. Program Planning and Oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. This phase ensures the program can address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will ensure key stakeholders are aware of, support, and help implement program requirements. This phase also ensures your entire organization is on board, as the TPRM program will touch every department within your organization (from Business Owners to Legal and Information Security).
Let's review the activities associated with the Planning & Oversight phase.
Executive Support
The success of your TPRM program depends on the support you receive from your C-Suite, as well as your Board. To gain leadership support, you must first market and sell the need for your program. To assist with this, a strong Business Case should be leveraged. A good business case should include, but not be limited to, the following components:
A description of what third-party risk management is, to include definitions, to ensure the program's scope is understood.
Essential program features, including leadership support, enterprise-wide implementation, the TPRM framework, budget considerations, the need for a risk committee, transparency and communication, and reporting mechanisms.
Avenues for benchmarking to ensure the program leverages processes that already exist, can maintain flexibility when new risks are discovered, grows with the business, and continuously improves.
Defining expected program outcomes, or the return on investment for implementing a TPRM program. Such expected outcomes may include, but not be limited to, visibility into third party risk, defining impact third parties pose to your organization, continuous monitoring of third parties to proactively mitigate risk, a reduction in residual risk through mitigation efforts, compliance with specific regulations and policies, and operational resiliency in the event of a disruption due to a third party.
The Third Party Risk Association (TPRA), in conjunction with Shared Assessments, created “The Business Case for Third Party Risk Management: A Starting Point for Senior Leadership” in an ongoing effort to support the global community of TPRM practitioners. The document walks through the components above in greater detail and exists for you to leverage within your own program.
Policies and Procedures
Once leadership is on-board with the program's implementation, it is time to develop comprehensive TPRM program policies and procedures to establish consistent and effective TPRM practices across the organization. Your policies and procedures should align with current internal policies, pertinent regulations, and industry best practices. Gain and use input from key stakeholders throughout the organization to ensure the establishment of your policies and procedures is successful. Your organization should then review the policies and procedures annually and perform updates, if necessary, to align with best practices and respond to emerging risks.
Note: Policies should note the terms and expectations of your TPRM program; whereas procedures should detail the actions required to implement your program.
At a high level, policies and procedures should:
Provide a purpose statement that notes the role TPRM will play within your organization.
Include definitions for third party risk management terms to ensure a consistent understanding throughout your organization.
List all job functions that play a key role in the implementation and management of your TPRM program, as well as the responsibilities for each.
Document each stage of the TPRM lifecycle to ensure the structure and processes of your TPRM program are clear and adoptable.
Make clear that third party due diligence requirements must be completed before a contract is executed.
Inventory of Third Parties
It is imperative that you develop and maintain an up-to-date inventory of your third parties to ensure your TPRM program has sufficient coverage of third party risks. Please keep in mind that, based on your organization's definition of a third party, your inventory may not simply be based on the contracts you have in place with other organizations. There are several sources you can leverage (such as Accounts Payable, software discovery tools, and Business Owner surveys) to better understand the third party relationships your organization has in place. All third parties, whether or not contracts are in place or monies are exchanged, should be noted within your inventory. You may then choose to note certain third parties as in or out of scope once you move through the TPRM process; however, you will at least be able to evidence that you reviewed all third parties in some capacity.
Within this activity, you may find it beneficial to establish sub-service categories for products/services third parties provide to your organization. Categories may include, but not be limited to, Marketing Services, Professional Associations, Software Providers, Hosted Solutions, etc. This ensures you better understand how the business leverages third party products/services, as well as allows you to determine if a third party should be in or out of scope for specific due diligence activities.
Once you have established your third party inventory, you will want to collect and maintain certain data elements related to your third parties within a central repository. Establish a process to add, maintain, and remove third-party information from your inventory regularly to ensure it is always up to date. This will allow you to look across third parties for risk trends, as well as ensure due diligence efforts are conducted for each product/service provided.
Organizational Risk Appetite
Next, establish risk ratings for your TPRM program and ensure they are in line with your organization’s risk appetite (the risk your organization is or is not willing to accept). Developing an organizational risk appetite is important in that it allows leadership to make enterprise-wide, strategic decisions on how to effectively manage and mitigate risk. It also allows your TPRM program to define risk thresholds for activities and controls that must be in place to ensure your organization meets its business objectives and protects its confidential data.
Risk ratings are used to identify the potential impact and likelihood of a third party risk occurring. Once an inventory of third parties is established, the next step is to run them through an inherent risk questionnaire (IRQ) to identify the risk before controls are assessed. This then drives the level of due diligence required for a third party. It also assists with tiering your third parties to ensure your program is risk-based. The risk identified after due diligence is performed (after controls are assessed), is the residual risk rating. This rating then further drives your continuous monitoring efforts and reassessment cycle times.
Program Oversight and Governance
Senior leadership, as well as Board support, are essential to ensuring your TPRM program is successful by setting the right “tone from the top.” Absent that support, an organization is unlikely to achieve consistent and timely adoption across all business and risk functions. Since third parties support all aspects of a company’s operations and revenue-generating activities, the scope of their risks mirrors every aspect of your organization. As a result, only enterprise-wide implementation will ensure a TPRM program covers all relevant business risks for a firm.
In addition, it is important to implement program oversight activities, which may include the establishment of a Risk Committee. The committee should determine the thresholds for risk escalation and risk acceptance, as well as the frequency of reporting on third party risks to leadership (including the Board). Essentially, the oversight (or risk) committee takes the information gained from your TPRM program and uses it to drive risk-informed decisions.
Metrics and Reporting
Ensure you establish measurable, specific, and relevant metrics for your program. Metrics should guide the development and execution of your program, as well as inform stakeholders of the risk landscape related to your organization's third parties. Reporting should be tailored to specific target audiences to ensure they make better, data-driven decisions after reviewing the information. Target groups that should receive regular TPRM program updates can include, but not be limited to:
Board – Receives updates on the TPRM program's overall health and the mitigation strategies for higher-risk third parties.
Executives – Receive the risk ratings for third parties assessed and updates on risk-mitigation activities for higher-risk third parties.
Risk Committee(s) - Receive risk ratings for third parties assessed and updates on risk-mitigation strategies, escalations, and risks requiring acceptance.
Business/Relationship Owners - Receive updates on third party due diligence efforts and assessment outcomes.
Other Key Stakeholders (such as Compliance Teams) – Receive data on specific risks posed to the organization (such as regulatory/compliance risk).
TPRM Managers – Receive updates on program maturity, resource allocation, risk mitigation efforts, process exceptions, escalations, and any risks requiring business acceptance.
Education and Training
Transparency and communication are key when developing, implementing, and maintaining any TPRM program. All stakeholders must be familiar with TPRM program policies and procedures, as well as their role within the program. Business owners need to understand they are the owners of their third party’s risk and that the TPRM program’s role is to support their risk-based decisions related to said third party. Best practice is to develop a TPRM training and education program and tailor it to your specific business partners. At a minimum, organizational training should be held annually, as well as when a new relationship owner is established. Your education program should also include third parties, to ensure they are aware of your program’s due diligence activities, expectations, risk remediation and follow up processes, and escalation procedures.
Regulatory Compliance
Regulatory compliance has been a staple item on many board agendas, due to the increase in regulations related to third party oversight. There are a variety of reasons behind this focus, but the main drivers are the growing complexity of the threat landscape, the momentum of digital transformation, political and social unrest, and responses to the global pandemic. Regulatory risks that your third parties do not address can present both reputational and financial risk for your own firm: should an issue arise, your organization's name may come up as a purchaser of that third party's services. As a result, regulatory agencies are mandating that you understand the risks associated with doing business with your third parties. Ensuring your third party is complying with pertinent regulations may reduce regulatory fines on your organization, ensure the third party is operating with integrity, and actively prevent attempts at bribery, corruption, and other threats.
Budgeting
Establishing basic or even aspirational objectives under a TPRM framework requires a realistic alignment with available budgets to support risk operations. For example, if a TPRM framework requires due diligence for all higher inherent risk third parties before and after a contract is signed, then the budget should be commensurate with the activities needed to achieve this objective.
Budget considerations can include, but not be limited to:
Resources – Current and future employees and/or contractors.
Operations – Any cost associated with daily tasks and running the business.
Maturity Model – Process enhancements required and what resources are needed to get to the next level of maturity.
Travel – Costs associated with onsite visits and training.
Training – Fees for conferences, training, and certifications to maintain knowledgeable and skilled professionals who are apprised of risk trends.
Tools – Budget for TPRM program tools. Consider estimating cost savings a tool(s) will bring by automating certain processes.
TPRM is a non-revenue-generating discipline; therefore, it is a good idea to also quantify your program's value by emphasizing what could occur if the program is not established. Also, provide a financial impact questionnaire as evidence of the program's financial impact and/or the savings gained from mitigating risk.
Conclusion
Your TPRM program will touch every department within your organization. As such, it is necessary to ensure alignment and support across the enterprise. As you establish your TPRM program, it is important to thoughtfully and strategically implement the above activities to ensure your program can successfully meet its business objectives and effectively mitigate third party risk.