
  • Defining Your Third Party Population and Determining Program Scope

    As the third party risk management field continues to evolve, a growing number of practitioners are seeking guidance on how to best categorize the complex third party relationships they encounter throughout their organizations. For a practitioner to properly identify and reduce third party risks, it is important that they first define their third party population and determine scope for their key relationships.

    Defining Your Population

    When tasked with defining the population, third party risk professionals should first recognize what terms offer the best range of coverage for their specific organization. Commonly used population classifications such as supplier, contractor, and vendor each allude to the population's specialization, which may be acceptable when defining certain populations. But, due to their selectivity, practitioners are often unable to classify entire populations by these specialized terms. Similarly, circumstances in which organizations defy the traditional supplier-vendor relationship (e.g. charities or affiliates) also require a more inclusive means of population definition. In most cases, if terms such as supplier, contractor, and vendor do not suit the population, practitioners look to the expression "third party." Unlike other population classifications in the risk management space, this term acts as an inclusive umbrella and applies to a diverse range of populations.

    Furthermore, third party risk practitioners may find it worthwhile to define the business owners for third party relationships, at both executive and operational levels, to gain insight into where risks should flow within their populations. In the instance that an organization is engaged in an expansive third party relationship, with multiple engagements throughout the firm, it is crucial to be aware of who owns the relationship and how the risks should be dispersed. All organizations should take their unique populations into consideration when deciding upon a definition.

    Determining Your Scope

    In relation to risk management, scope refers to what aspects of an organization's control environment are under the authority of its third party risk management program. Many organizations have individual criteria within each type of third party category. This reference point aims to define whether or not a set of the third party population will be in or out of the risk management program's scope. A main criterion that many organizations adhere to, in order to determine if a relationship is in or out of scope, is whether they will share data with the third party population or whether the third party will host technology for the organization. In comparison, a third party that does not physically engage with an organization's site, does not have access to data, and/or does not host a technology for the organization would likely be considered out of scope for a majority of third party risk management assessments.

    Additionally, companies consider contractors or contingent workers, in addition to other non-employees, to be out of scope for risk management activities. In the instance of contractors, organizations frequently struggle to outline a standard that can properly express whether issues of related risk are a human resource, information security, or third party risk management responsibility. An effective way to address this issue could be for a third party risk management program to look to the top level of the staffing organization that supplies its contractors, instead of attempting to mass manage the risks associated with every worker from the ground up. Rather than focus on the risk of the workforce provided by its arrangement with a third party, the organization should inspect the risk presented in the arrangement itself. This would also allow the organization more opportunities to drive the controls it requires in its relationships.

    Conclusion

    It is important to define your third party population to better understand the risks and the impacts of those risks to your organization. Defining your population also ensures you manage and monitor your third parties using a risk-based approach. If you apply the same risk management approach to all of your third parties, you run the risk of overstating the impact your relationships have on your organization. Once you understand a risk, you must take action to mitigate that risk. Reviewing all third parties using the same lens puts a strain on resources and leaves less time for you to focus on the higher-level risks. Defining your population and the scope of your program ensures you more accurately reflect the impact third party risk has on your organization, and allows you to effectively monitor that risk.

  • Five Third-Party Risk Management Trends You Need to Know Now

    Guest Author: Kimberley Allan, CMO for Aravo Solutions

    As the events of 2020 unfolded, operational risk teams around the world were given a real-life 'stress test'. In the process, many organizations realized that third-party risk management (TPRM) is much more than simply a regulatory requirement: it is, in reality, a material part of business resilience. Now, many organizations are reevaluating how their TPRM programs can not only comply with a surge of new regulations, but also cope better with emerging risks and build greater resilience in their supply chains. TPRM leaders are being challenged to do this fast. This means they must have their eye on the horizon and understand what's ahead. Here we discuss five trends that TPRM leaders should have on their radar.

    1. Programs are becoming more holistic and cross-functional

    If you're running your third-party management program in silos, or confining your program coverage to a single risk domain, it's time to think more broadly. Programs are now becoming more holistic and cross-functional. Rather than operating in departmental silos (such as procurement, compliance, risk, information security, data privacy, etc.) that do not collaborate, more organizations are now looking to develop a cross-functional approach to monitoring and managing third-party relationships. Just as operational silos are being broken down, so too are risk silos. Programs are now expected to monitor multiple risk domains, including cyber security, data privacy, anti-bribery and corruption, ESG, quality, and more. Programs are also extending deeper into supply chains to address these risks: it's not just third parties that need to be accounted for, but 4th parties, 5th parties and beyond.

    2. Environmental, Social, Governance (ESG)

    If ESG is not on your third-party risk radar, it should be. ESG is being catapulted up the board agenda, with renewed focus and vigor from regulators, particularly those in the EU. Increasingly, organizations will need to consider not just their own footprint, but also understand and monitor their third parties' and suppliers' footprint and social impact. In March 2021, the European Parliament voted for the adoption of a binding EU law that requires companies to conduct environmental and human rights due diligence along their full value chain or face concrete fines, sanctions and/or civil liability. It is likely that this law will come into force in the 2021-2022 timeframe. Germany is also set to introduce fines, under its Due Diligence Act, for companies procuring parts or materials abroad from suppliers who fail to meet minimum human rights and environmental standards. Unlike some of the other laws that seek to shine light on modern slavery and human trafficking in supply chains (such as the current UK Modern Slavery Act and California's Transparency in Supply Chains Act), these new acts are not just a reporting requirement. They have teeth and will require organizations to conduct the appropriate risk-based due diligence and address issues, or face penalties. It's also likely that these regulations will have global implications: acts from the EU are typically broad in nature. Companies that are headquartered outside of the EU will still be in scope if they have operations and employees within the EU.

    3. Operational Resilience

    COVID meant operational risk plans received a real-life stress test. Employees (both internal and those at third-party organizations) were instructed to work from home, and global restrictions on travel and transit resulted in significant disruptions to physical supply chains. Plans were found wanting, and this has brought operational resilience (and more broadly business resilience and organizational resilience) front of mind.

    Operational Resilience is more than Business Continuity Management (BCM). It's more than Operational Risk Management. It's more than Supply Chain Resilience or Third-Party Risk Management. It's a combination of all of these, but taken from a critical, service-driven approach to managing risk, response, and recovery. Operational Resilience has been creeping up the agenda, particularly with Financial Services regulators, for some time. We've recently seen a number of Principles, Frameworks and Guidance documents published by the regulators, including:

      • EBA: Guidelines on Outsourcing Arrangements
      • FCA/PRA: Operational Resilience: Impact Tolerance for Important Business Services
      • PRA: Outsourcing and Third-party Risk Management
      • ECB: The European Union's Digital Operational Resilience Act (DORA)
      • ECB: Cyber Resilience Oversight Expectations for Financial Market Infrastructure
      • OCC: Bulletin 2020-94 Operational Risk: Sound Practices to Strengthen Operational Resilience
      • FSB: Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships: Discussion paper

    There are a range of drivers behind this focus on operational resilience:

      • The threat landscape is growing in complexity and variety (which includes everything from the threats associated with the pandemic, state sponsored cyber supply chain hacks, and geopolitical volatility, to extreme weather);
      • A greater reliance on vendors, third parties, and outsourced providers to support organizations' critical services;
      • The momentum of digital transformation projects, which are in many cases outpacing organizations' ability to accommodate change;
      • The growing threat of cyberattacks, which has also led to a stronger formalization of the relationship between BCM and cybersecurity.

    All of these factors mean organizations need a comprehensive solution to plan and prepare for continuity of operations and services, as well as to monitor threats, prevent incidents where possible, and execute the associated response, recovery and restoration plans. A core component of resilience involves the ability to manage the risks associated with third parties, 4th parties and beyond (nth parties), including the concentration risks associated with these. The approach to operational resilience also needs to be holistic and cross-functional.

    4. Cyber Security and Cyber Supply Chain Risk Management (C-SCRM)

    When it comes to third-party risk management programs, cyber security is always top of mind. And this should come as no surprise: more often than not, security breaches stem from a third-party vulnerability. A recent survey by the Ponemon Institute and SecureLink found that over half of organizations (51%) have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information. And the criminals exploiting flaws in controls are creative and resourceful, from Target's HVAC breach to criminals hacking a fish tank to steal data from a casino! When there's a will (and a weakness) there's a way.

    Now it's cyber supply chains that are increasingly under attack. SolarWinds demonstrated that sophisticated state players are targeting digital supply chains (including third-party applications). And, more recently, security researchers discovered a software supply chain vulnerability in Composer, the main tool used to manage and install dependencies for PHP, which could put millions of websites at risk. These types of vulnerabilities, and the attacks exploiting them, hit the headlines every week. This means TPRM programs need to evolve to better manage cyber risks further into their supply chain. To support this, NIST recently published guidance, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, which sets out 8 key best practices designed to help organizations of all sizes and industries build a robust program.

    5. Intelligent Automation

    Finally, all of the above (the growing range of risks to manage, increased regulatory emphasis, the need to manage risks further into physical and digital supply chains) means that smarter automation for TPRM programs is essential. There is simply too much data and too many complex business processes to manage programs manually. TPRM leaders need to harness the power of technology, and be aware of the tools and technologies that can support their programs. AI and Machine Learning capabilities are now embedded in some of the market's leading TPRM technologies, which provide added efficiencies to programs and ensure resources are focused on the more strategic aspects of your program, rather than the administration.

    Conclusion

    While TPRM remains dynamic, one thing remains constant, and that's the ongoing expectation by global regulators for robust third-party risk management programs. With the volume and velocity of change, TPRM programs must be agile and adaptable. Having a view of the trends that will affect how third-party risks are managed helps you prepare for tomorrow, today, and build greater business resilience in the process.

  • 5 Fundamentals for Third-Party Management Oversight

    Guest Author: Tom Rogers, CEO for VendorCentric

    One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right 'tone at the top' is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their expectations for third-party management programs. So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization's industry and size, I recommend that, as a baseline, a well-designed function should have the following five components.

    Policy. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program, and ensures the appropriate tone at the top.

    Lines of Defense and Accountability. Roles should be defined in all parts of the risk framework, from the day-to-day business owners to the various lines of defense and senior management. If possible, placing these into performance goals also helps ensure attention is paid throughout the year.

    Vendor Management Function. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or "favorite vendors" don't drown out proper risk decisioning.

    Data and Reporting. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include quantitative data along with more qualitative "color commentary" on where levels of risk are increasing or decreasing and on any inconsistency versus the overall enterprise risk appetite.

    Documentation and Rigor. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.

    Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn't enough; accountability needs to be evident in follow-up actions. The leadership team's ability to receive and help resolve issues when escalated, and to 'wield the hammer' when needed, will ensure the function has teeth. Conversely, depending on the size and complexity of your organization, gaining the support of the senior leadership team may not be easy, particularly since third party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span multiple business lines. However, building that level of trust and support can help immensely when things go wrong: if the vendor management team knows that it has the backing of senior management, difficult decisions such as terminating a contract or declaring a breach become much more confident decisions.

    Setting aside the regulatory guidance, if that's possible, remember that third party risk management creates a real strategic business advantage in the form of cost savings, solid contracts and greater confidence that outsourcing a particular product or service will continue to go well. And effective governance and oversight of the third-party management function is necessary to make it all happen.

    Author: Tom Rogers
    Job Title: CEO
    Organization: Vendor Centric

    Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring both creativity and discipline to finding solutions for even the most complex challenges his clients face.

  • Five Activities Overlooked When Progressing Your Third Party Risk Management Program

    It comes as no shock that the focus on data security continues to rise with the increasing number of breaches that occur as a result of organizations' third parties. While programs come in all shapes and sizes, the following five activities are often missed when creating or progressing your Third Party Risk Management (TPRM) program.

    1. Inventory your assets.

    The first step to protecting your assets (i.e. data) is to know where and what your assets are, yet many organizations struggle to understand this key component. Keeping an accurate and up-to-date inventory of not only your third parties, but also what data you send to them and where it resides, is helpful in better understanding how your assets are being protected. Without this list, it is extremely difficult to know which third parties have access to your company's information.

    To obtain an inventory of your organization's third parties, you can always start with Accounts Payable to see who you are paying, and review your organization's contracts. You can also leverage software discovery tools to better understand what software your employees may have purchased or are using (as there are contracts in the form of click-through agreements tied to the software). Last, you can review inventories that may already exist within your business areas (especially if you do not have a centralized Procurement process).

    To obtain an inventory of your data and where it resides, you can include questions within your risk assessments to determine what data will be or is being sent to your third parties, as well as where it resides within their organizations. You will also want to ask your third parties if they are sending your data to other organizations. You will then want to take this information and input it into a central repository of some sort. An example would be an Excel spreadsheet with the third party's name, the type of data they have access to and/or host, the location of that data (where it resides), and the medium or format it resides in. This is particularly helpful if you are terminating a relationship with a vendor and need the third party to return and/or destroy your data, or if that third party experienced a breach. Inventorying your assets, the location of your data, and your third parties are good first steps to ensuring you better understand your risk posture.

    2. Centralize documentation.

    There are many factors within an organization that contribute to the difficulty of finding and/or maintaining appropriate documentation. Much of this is due to the organic nature of organizations and the challenges of organizational silos. For example, your Legal and Supply Chain teams may use one repository for all contracts, but other groups in the organization may not have access to that repository. Other teams may use different applications for the same activity. Another example: the business may request documentation from a third party; however, a Third Party Security team may request similar or different documentation from that same third party. With documentation in several locations, this can lead to transparency issues, as well as create an inconsistent and frustrating experience for a third party. Maintaining a comprehensive inventory of third party documentation can help alleviate some of these issues, while also ensuring your organization understands all of the products/services and controls needing to be reviewed for a third party. A central documentation repository will also save time and resources during the risk assessment process. While there is no one right solution for every organization, there is value in ensuring documentation is centrally maintained.

    3. Assess risk based on organizational risk appetite.

    The risk assessment is likely the item that varies most in the third party risk review process between different organizations. While some organizations may have as few as ten questions, other organizations may have 2,000 questions. If you have worked in a risk-related field for any length of time, you are most likely struggling with this question: What is the right number of questions? Unfortunately, there is no right or wrong answer to that question. Having a good understanding of what is important to your organization is a key step in determining what questions you should ask in your assessment. As an example, Financial organizations may have a completely different set of questions and care more about certain items compared to Healthcare organizations. The key is to determine what risks your organization is not willing to accept and focus your questions on those key areas. You may also want to add weight to these questions when assessing the risk of your third parties. This will ensure you are evaluating the right level of risk based upon your organization's risk appetite.

    4. Educate your executives.

    Having executive leadership's buy-in and support is critically important to ensuring you maintain an effective Third Party Risk Management program. But where do you start? Education is key and will ensure your executives have a working knowledge of the third party risk assessment and oversight process. Start with one executive who can be your champion and meet with him/her on a regular basis to ensure you have buy-in. Think outside the box when approaching your other executives. One example is holding a Third Party Risk summit strictly for your executives. This could be a two-hour event where you go through the risk assessment program, why it's important, how it saves your organization money and resources, what risks are trending (where your third parties fall short), and why you need their support. Without leadership support, any third party risks you discover may not be addressed at the appropriate level, ultimately putting your own organization at risk.

    5. Sync for collaboration.

    Almost every department within your organization will require the services of a third party at some point in time. However, if there is no collaboration between the Third Party Risk Management function and the business, risk assessment efforts may be duplicated across the organization or risks may not be assessed at all. Therefore, it's helpful to sync third party efforts and activities across departments. After all, your business is the risk owner and is responsible for understanding and managing the risks related to its third party relationships.

    When syncing third party risk management activities, you may find a better outcome if you meet with your business departments to determine what third party processes already exist. You can then tie your own third party risk management efforts into their existing processes (for example, if the business is already meeting with a third party regularly, you can work with their schedule to risk assess that third party). This method does not always work if there are limited third party processes within the organization. You can also take the approach that your team will help alleviate some of the risk management work from the business and bring them in to discuss risks your team discovers. Your business can also keep you updated when there are changes to the relationship with the third party (for example, ownership changes, leveraging new products/services, or sending additional data). There is also a huge benefit to ensuring you maintain collaboration with your business partners. Collaboration can ensure you understand the evolving nature of third party relationships and also ensure your business understands the risks it is accepting on behalf of the organization.

    Conclusion.

    While the third party risk management space is not new for many, it is becoming increasingly important as business processes and data continue to be diversified. Having a good hold on the risk your organization takes on by being in a relationship with third parties can ensure you mitigate that risk appropriately. Identifying and addressing gaps in your program, such as the ones noted above, can allow your organization to continuously improve upon its risk mitigation techniques.

  • Not All Third Party Relationships Are Created Equal

    Guest Author: FortifyData

    It has become apparent that it is no longer sufficient for businesses to only secure their internally-controlled infrastructure and services. They must also diligently evaluate the security policies and procedures of their third parties. Organizations interact with each of their third parties in different ways. And frankly, some are more critical to daily operations than others. And while every third party your organization partners with introduces some risk into your organization, when managing that risk it is important to have the ability to prioritize the risks most relevant to your business, as well as to focus remediation efforts on the most critical issues.

    Accuracy

    First generation scoring platforms don't offer customization on how each third party influences the inherent risk for your organization, so the resulting score is more generalized. In addition, these platforms simply conduct passive assessments using open source intelligence data available over the internet. Only next generation platforms that perform passive assessments as well as active but non-intrusive infrastructure and web application assessments provide the most comprehensive and accurate representation of risk.

    Efficiency

    A lack of score accuracy results in your team using precious man-hours and resources working to mitigate less important risks. For example, you may be willing to tolerate more risk from one third party than you are from another based on the impact of that particular third party on your business. Therefore, time will be better spent focusing on that third party than draining resources on the other, less critical ones. The more accurate your score from a next generation risk management platform, the more efficient and effective your risk management program will be. The ability to categorize and prioritize the third-party risk mitigation tasks most important to your organization sets up your IT and/or security team for success.

    Relevancy

    In addition to being able to configure which risks are most relevant to your organization and determine how much risk you are willing to accept given your relationship with each third party, you must also consider how current the data is that you are reviewing. If third-party risks are not being actively monitored in near real time, you could be wasting time focusing on old data that is no longer relevant. An ever-changing threat landscape requires continuous monitoring to ensure the overall risk status is accurate.

    Conclusion

    The success of your third-party risk management program is based on three components: accuracy, efficiency and relevancy. Having the capability to categorize your third-party relationships is fundamental to understanding and effectively managing the risk each one introduces to your organization. You can only achieve this understanding with a next generation third-party risk management platform that allows for configuration and continuous, near real-time monitoring in order to produce the most relevant view into your organization's inherent risks. These features result in the ability for your team to use their time wisely by prioritizing the most crucial mitigation efforts.

    TPRA Disclaimer: TPRA does not endorse or sponsor the products/services of one particular TPRA vendor member; however, we do communicate training opportunities and vendor offerings provided by our vendor membership for the benefit of the community.

  • TPRA Blog

    Welcome to the TPRA blog site! We hope to post regular blogs from subject matter experts on topics that you want to hear about. Be sure to check back regularly! If you would like to be a contributor for one of our blog posts, please email your blog idea to info@tprassociation.org. Thank you! #TPRABlog #ThirdPartyRisk
