TPRM Maturity vs. Associated Value

By: Halle Reynolds, TPRA Marketing & Social Media Internship

The Third Party Risk Management Lifecycle (noted below within "Starting a TPRM Program") is recommended for every organization seeking to implement a TPRM program. How programs implement the lifecycle is dependent upon their organization’s risk appetite (or the level of risk they are willing to accept), as well as the complexity of their third party relationships. After an organization has established an initial TPRM program, consideration should then be given to enhancements that will accelerate TPRM program efficiency and effectiveness in addressing third party risk. The incorporation of the following best practices is contingent upon an organization's overall objectives, budget, and size.


STARTING A TPRM PROGRAM

TPRM programs begin with a blueprint—a plan for how your program will function. This layout should include aspects from the Third Party Risk Management Lifecycle: Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring, Disengagement, and Continuous Improvement.


At a minimum, it is best practice to have the following processes in place if you are just beginning your program:

  • Planning and Oversight - Establish program governance, budget, policies and procedures, third party inventory, and risk rating methodology.

  • Pre-Contract Due Diligence - Integrate into the Procurement process and ensure due diligence/risk assessment reviews are performed before contracts are signed.

  • Contracting - Develop a contract template that defines the expectations for third party controls that need to be in place, and that allows your organization to review those controls.

  • Continuous Monitoring - Run all third parties through an Inherent Risk Questionnaire (IRQ) and establish third party re-assessment triggers and cycle times based on the inherent risk ratings.

  • Disengagement – Establish a termination checklist, to include the handling/destruction of data and transition to another third party.

  • Continuous Improvement – Communication and education are key when starting a program. Ensure you have top-down support, as well as the support of the business.

The value you receive from a basic TPRM program can be substantial. It allows your organization to create a holistic view of its risk landscape and to proactively address and mitigate third party risk in a timely manner. TPRM programs are also required by many regulators, Board members, and customers.


ENHANCING YOUR TPRM PROGRAM

Once you’ve established your TPRM program, then you can begin to enhance and/or automate certain activities to ensure you are focusing on what matters most in a timely and efficient manner.

Below are some examples of enhancements you could make to your program. We will work through the same TPRM lifecycle and discuss enhancements to each phase.

  • Planning and Oversight - Develop a steering committee to address the highest levels of risk. Ensure a risk escalation and acceptance process is in place (you may want to do this at a foundational level as well).

  • Pre-Contract Due Diligence - Ensure you have a seat at the table with those making third party risk-based decisions, such as Procurement, Legal, Compliance, and others. Actively participating in conversations will ensure your program gains the support it needs, as well as ensures you are able to obtain the necessary evidence and documentation to perform your reviews.

  • Contracting - You may want to “own” certain contract clauses to ensure that any redlines to specific clauses are reviewed by your team. Small changes could affect what evidence you receive from third parties and how you can assess them. You may also want to add noncompliance triggers to your contracts. These triggers ensure you can take action against contract non-compliance.

  • Continuous Monitoring - Once your program is established, you can then begin to work through nth party reviews. An nth party is a 4th or 5th party (or your third party’s third parties). It’s important to also review nth parties, especially if they will access your organization’s data, are customer facing, or support a key activity related to the product/service you are purchasing from your third party.

  • Disengagement – Begin to maintain a data inventory (by requesting a data flow diagram from your third party) so that you can more accurately pinpoint data destruction requirements, to include data at nth party locations. Another process enhancement for the disengagement phase is to establish exit strategies during the pre-contract phase to leverage during the disengagement phase. If the third party supports a critical function for your business, it is a good idea to have a transition plan in place before entering into an agreement with the third party.

  • Continuous Improvement – Continuously re-evaluate risk domains and enhance as the risk environment changes (e.g., Environmental Social Governance (ESG), Ransomware, Pandemic). It is also important to benchmark off peers. Chances are, you're not the first to go through something. Benchmarking is the best way to quickly learn tips and tricks for implementing process enhancements.

The value of continually enhancing your TPRM program is staying up to date on risk trends and ensuring your program is flexible enough to incorporate changes when and where needed.

AUTOMATING YOUR TPRM PROGRAM

At this point, your program may be gaining momentum quickly as you’ve established the foundational building blocks of your TPRM program and incorporated certain program enhancements. You may now be interested in seeking out ways to automate your program by incorporating tools that can lessen the strain on resources and allow for scalability.


We will again work through the same TPRM lifecycle and discuss activities you can automate within each phase.

  • Planning and Oversight - Consider a governance, risk, and compliance (GRC) or TPRM platform that provides workflow, assessment, and reporting for third party risk. A comprehensive tool can also allow you to look across third party risk to determine key risk indicators and trends.

  • Pre-Contract Due Diligence - A GRC or TPRM platform can also assist with automating the questionnaire process and allow you to obtain evidence quicker during the pre-contract due diligence phase. You may also consider joining a third party risk assessment collective (where third parties share the responses to one questionnaire with several organizations) to assist with third party response time.

  • Contracting - Consider implementing a tool that will notify you when contracts are no longer in compliance with updated contract templates. This helps you ensure that you are maintaining contract compliance with your third parties.

  • Continuous Monitoring - A tool that can proactively monitor your third parties is a risk rating/intelligence tool. These tools scan the perimeter of third party networks and look for public-facing vulnerabilities. They are non-intrusive and can often provide you with accurate information on an organization’s vulnerability management and technology refresh program. More innovative tools can also scan the dark web and look for stolen data and/or accounts that belong to third parties. They can also tell you if a third party has offshore locations, as well as the geo-political environment of those offshore locations.

  • Disengagement – Certain tools can assist with identifying when non-compliance triggers are met (which could ultimately lead to a relationship termination). They can also assist with the data transition process.

  • Continuous Improvement – Automatically feeding into your organization's overall risk management program can help make more informed decisions when looking across the enterprise. Many tools can integrate into risk management tools your organization may already have, thus providing your organization with a more holistic risk lens. This would also allow your organization to focus on efforts to address more critical risk.

Automation can lead to better collaboration, improved transparency around risk, program scalability, quicker response to threats, and less burden on resources.

But if you do not have an established program, automating too soon can lead to accelerated issues and misalignment on risk-based decisions. You can find value in automating workflows, assessments, continuous monitoring activities, risk follow-up and validation, reporting, and other third party lifecycle activities.


CONCLUSION

Most TPRM programs start out small and work their way up to more advanced risk management techniques. When beginning, it won’t be necessary to incorporate most tools right away. You may also want to consider current tools your organization already utilizes and determine if/how you can incorporate them into your TPRM program. You should also consider your program's overall objectives, budget, and size when considering which enhancements and tools to implement. The key to evaluating TPRM program maturity vs associated value is understanding your organization's risk appetite to further develop your TPRM program's risk-based approach to assessing, monitoring, and mitigating third party risk.


For more information on this topic, check out the TPRA's YouTube series "TPRM Explained - TPRM Program Maturity vs. Associated Value".
