- TPRM Explained: TPRM Oversight
Third Party Risk Management (TPRM) oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This allows the program to address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements.
- Recertification and Reassessments
By Meghan Schrader

The level of risk related to your third parties is frequently changing, making recertifying and reassessing of key importance. Recertification relates to reviewing the third party's responses to the Inherent Risk Questionnaire (IRQ) as well as noting any changes to their profile, such as changes in legal name, ownership, locations, or the like. Reassessment relates to reassessing your third parties after the initial assessments have been completed and the contract is signed.

Organizations are continuously innovating, enhancing, and changing business processes. With this comes changes in third party risk. Practitioners may start to send a third party more data, use more or less of their services, or even change how they are using a third party's products/services. In parallel, third parties may change ownership, platforms, locations, and/or implement enhanced controls. At the same time, the threat landscape grows in complexity with events such as pandemics and social/political unrest needing to be factored in. In response to all of these changes, innovations, and enhancements, organizations must continually evaluate their third parties to ensure they remain apprised of their risk landscape and work to remediate/mitigate certain risks.

But where do organizations start with re-assessing their third parties? Begin with recertifying the Inherent Risk Questionnaire (IRQ). The IRQ should drive your due diligence efforts as it takes into account the level of risk your third party poses before controls are considered. The IRQ can also determine the cycle time for your reviews. Therefore, it is a good idea to determine if responses remain the same or if the IRQ should be updated. At this time, you can also recertify the third party's profile (or the general information you maintain for the third party) to note any changes in location, ownership, and/or processes. Based on recertification of the IRQ, determine which assessments are in and out of scope.

For assessments previously completed that remain in scope, review past responses and risk to determine if a full assessment should be re-sent (if high risk was noted) or if responses from the previous assessment can be sent and new evidence can be obtained (if low risk was noted). Regardless, it is always a good idea to re-test certain controls and obtain new evidence to support those controls. You can also determine from the previous assessment if there are any outstanding items that remain (i.e., are findings still open). Last, determine if new questions should be added to the current assessment based on your organization's continuous improvement efforts. If a new assessment should be completed, ensure the third party understands why the new assessment is being requested and provide them with ample time to complete the assessment. Once all assessments are completed, determine the residual risk of your third party (or the risk once controls have been evaluated). The residual risk should determine the level of due diligence you will perform within the next year and if any follow-up should be considered.

Assessment Types

There are many assessments that can be provided to your third party on a continual basis. Assessment types and how often they are completed should be driven off the IRQ. In addition, the level at which they should be completed (light vs. heavy version) should be driven off the residual risk of a third party. Here are just a few assessment types that can be completed within the Continuous Monitoring (Reassessment) phase.

- Information Security Risk Assessment – May include application, data, and network security, Software Development Lifecycle (SDLC), and Service Organization Controls (SOC) 2, Type II report reviews. Note: TPRA is currently working on an Information Security Questionnaire template in their Focus Group. Find out how you can get involved on our website under Practitioner and Vendor Events.
- Privacy Impact Assessment – Includes review of data management practices, as well as compliance with privacy regulations.
- Financial Assessment – Involves evaluating the financial viability of an organization.
- Disaster Recovery and Business Continuity (DR/BC) – Covers techniques and processes for continuing business performance following a disaster.
- Physical Access Controls – Determines potential threats to properties, objects, or individuals and the controls to mitigate said risk.
- Regulatory Assessment – Involves evaluating compliance activities for your third party. Examples include ensuring compliance with Payment Card Industry (PCI), HIPAA, and Gaming regulations. As new regulations are published, it is important to review if a third party is impacted by the regulation and if they have a process in place to comply with said regulation.
- Negative News Monitoring – Monitoring negative media content by reviewing any existing media concerning a third party can help signal a potential threat, whether reputational or security related, to your organization. Subscribe to certain alerts, such as Google Alerts, to determine if there are certain impacts to your organization.
- Passive Monitoring – Risk Rating / Intelligence tools scan the perimeter of third-party networks and look for public facing vulnerabilities. These scans are non-intrusive and can provide you with real-time data on a third party's vulnerability management program, among other activities. Examples of these tools include, but are not limited to, RiskRecon, BitSight, Security Scorecard, and BlackKite.
- Fourth Party Reviews – Reviewing the controls in place for your third party's material suppliers is also important, especially if they will have access to your data.
- Offshore Reviews – Involve reviewing the controls in place to mitigate additional risk an offshore location may pose to your organization. You may also want to consider the geo-political environment for that location as well.

Last, and in response to the pandemic, you may also want to perform an Operational Resiliency assessment of your third party that not only looks at their Incident Response procedures, but also reviews your own procedures to ensure your third party is incorporated into them.

From a Continuous Monitoring standpoint, there may also be times when activities trigger specific assessments not generally performed within your normal due diligence efforts. Certain changes in the relationship and/or way in which the product/service is leveraged may trigger ad hoc reviews. Such trigger examples include, but are not limited to:

- Change in location of services
- Change in risk rating (risk rating/intelligence tool)
- Change in ownership of the third party
- Change in product/service (may now be cloud-based vs. on-premise)
- Change in data sent/stored
- Change in contract clauses
- An event or incident occurring

These triggers allow you to determine if your organization should take a second look at the third party and/or if another review needs to be performed.

Evidence Collected

In addition to the assessments completed, it is best practice to obtain evidence to validate specific controls are in place and operating effectively. Evidence items you may want to obtain include, but are not limited to:

- Penetration Test Results
- Independent Attestation – Includes SOC 2, Type II Reports
- Policies and Procedures
- Proof of Key Controls to Evidence Effectiveness
- Vulnerability Report/Evidence of Patching
- Continuous Monitoring Report
- Financials
- DR/BC Plans and Testing
- Employee Counts – Includes Key Person Dependency and Any Significant Changes to Staff Levels that have Occurred
- Network Diagram – Includes Cloud Architecture and A Data Flow Diagram
- Background Checks – Includes Policies and Samples of Actual Background Checks
- Employee Access Reviews
- Training – Includes Broadscale and Specific/Targeted Training
- Model Risk – Includes Validation of Models
- Negative News

Questions to Ask

To enhance your relationship with your third party, there are a few questions you will want to ask yourself to ensure you collect certain pieces of evidence at the right time. Those questions include, but are not limited to:

- For the evidence you are collecting, what is the scope? This ensures you only collect evidence for the product/service the third party is providing to you, and not for other products/services provided to other clients.
- Are you collecting it at the same time each year? (i.e., do they perform a pen test at the same time each year so that you know when to collect it?)
- Is the evidence you are collecting noted within the contract to ensure you can collect it?

There may be times when a full assessment is not required if specific evidence items can be obtained for testing. There may also be times when you want an independent test performed for key controls to ensure it is thoroughly reviewed (i.e., SOC 2, Type II report).

Summary

In summary, it is important to continuously evaluate your third party to ensure you remain aware of the risk landscape impacting your organization. Ensure you are recertifying your third party's profile and IRQ to note any changes within the relationship related to your third party. This should then drive the assessment process and cycle times for which reassessments are completed. Last, it is important to obtain evidence for specific, higher risk controls you evaluate to determine if said controls are in place and operating effectively. It is not best practice to only send your third party a questionnaire. All in all, re-assessing your third party will ensure the impact the third party has on your organization is minimized and strengthen the relationship between you and your third party.
- TPRM Explained: Recertification & Reassessments
Why is recertifying and reassessing your third parties so important? Because organizations are continuously innovating, enhancing, and changing business processes. With this comes changes in third party risk. This video explains the importance of regularly reassessing your third parties, as well as provides tips on the reassessment and recertification process.
- TPRM Explained: Third Party Engagement
In this month's Third Party Risk Management (TPRM) Explained video, we discuss "Third Party Engagement" to include third party buy-in, response time, assessment of evidence provided, findings validation, and third party expectations. TPRM Explained is an educational series that focuses on topics specific to TPRM. TPRM Explained is produced and published by Third Party Risk Association (TPRA) in an effort to share knowledge and advance the field of TPRM.
- TPRM Explained: TPRM Maturity vs Associated Value
In this month's Third Party Risk Management (TPRM) Explained, we discuss TPRM Program Maturity vs. Associated Value by working through how to Start, Enhance, and Automate TPRM programs using the TPRM lifecycle.
- TPRM Explained: Onsite Visits
TPRA has created a series of videos explaining a variety of specific TPRM topics. Our first video of the series is "Onsite Visits." This video will walk you through the pre-planning, during visit, and post-planning phases of an on-site visit.
- Defining Your Third Party Population and Determining Program Scope
As the third party risk management field continues to evolve, a growing number of practitioners are seeking guidance on how to best categorize the complex third party relationships they encounter throughout their organizations. For a practitioner to properly identify and reduce third party risks, it is important that they first define their third party population and determine scope for their key relationships.

Defining Your Population

When tasked with defining the population, third party risk professionals should first recognize what terms offer the best range of coverage for their specific organization. Commonly used population classifications such as supplier, contractor, and vendor each allude to the population's specialization, which may be acceptable when defining certain populations. But, due to their selectivity, practitioners are often unable to classify entire populations by these specialized terms. Similarly, circumstances in which organizations defy the traditional supplier-vendor relationship (e.g. charities or affiliates) also require a more inclusive means of population definition. In most cases, if terms such as supplier, contractor, and vendor do not suit the population, practitioners look to the expression "third party." Unlike other population classifications in the risk management space, this term acts as an inclusive umbrella and applies to a diverse range of populations.

Furthermore, third party risk practitioners may find it worthwhile to define the business owners for third party relationships, at both executive and operational levels, to gain insight into where risks should flow within their populations. In the instance that an organization is engaged in an expansive third party relationship, with multiple engagements throughout their firm, it is crucial to be aware of who owns the relationship and how the risks should be dispersed. All organizations should take their unique populations into consideration when deciding upon a definition.

Determining Your Scope

In relation to risk management, scope refers to what aspects of an organization's control environment are under the authority of their third party risk management program. Many organizations have individual criteria within each type of third party category. This reference point aims to define whether or not a set of the third party population will be in or out of their risk management program's scope. A main criterion that many organizations adhere to, in order to determine if a relationship is in or out of scope, is whether they will share data with the third party population or if the third party will host technology for the organization. In comparison, a third party that does not physically engage with an organization's site, have access to data, and/or does not host a technology for the organization would likely be considered out of scope for a majority of third party risk management assessments.

Additionally, companies consider contractors or contingent workers, in addition to other non-employees, to be out of the scope for risk management activities. In the instance of contractors, organizations frequently struggle to outline a standard that can properly express whether issues of related risk are a human resource, information security, or third party risk management responsibility. An effective way to address this issue could be for a third party risk management program to look to the top level of the staffing organization that supplies their contractors, instead of attempting to mass manage the risks associated with every worker from the ground up. Rather than focus on the risk of the workforce provided by their arrangement with a third party, the organization should inspect the risk presented in the arrangement itself. This would also allow the organization to have more opportunities to drive the controls they require in their relationships.

Conclusion

It is important to define your third party population to better understand the risks and impacts of said risks to your organization. Defining your population also ensures you manage and monitor your third parties using a risk-based approach. If you apply the same risk management approach to all of your third parties, you run the risk of overstating the impact your relationships have on your organization. Once you understand a risk, you must take action to mitigate that risk. Reviewing all third parties using the same lens puts a strain on resources, as well as allows less time for you to focus on the higher-level risks. Defining your population and the scope of your program ensures you more accurately reflect the impact third party risk has on your organization, as well as allows you to effectively monitor said risk.
- Five Third-Party Risk Management Trends You Need to Know Now
Guest Author: Kimberley Allan, CMO for Aravo Solutions

As the events of 2020 unfolded, operational risk teams around the world were provided a real-life 'stress test'. In the process, many organizations realized that third-party risk management (TPRM) is much more than simply a regulatory requirement - it is, in reality, a material part of business resilience. Now, many organizations are reevaluating how their TPRM programs can not only comply with a surge of new regulations, but also cope better with emerging risks, and build greater resilience in their supply chains. TPRM leaders are being challenged to do this fast. This means they must have their eye on the horizon and understand what's ahead. Here we discuss five trends that TPRM leaders should have on their radar.

1. Programs are becoming more holistic and cross-functional

If you're running your third-party management program in silos, or confining your program coverage to a single risk domain – it's time to think more broadly. Programs are now becoming more holistic and cross-functional. Rather than operating in departmental silos (such as procurement, compliance, risk, information security, data privacy etc.) that do not collaborate, more organizations are now looking to develop a cross-functional approach to monitoring and managing third-party relationships. Just as operational silos are being broken down – so too are risk silos. Programs are now expected to monitor multiple risk domains, including cyber security, data privacy, anti-bribery and corruption, ESG, quality, and more. Programs are also extending deeper into supply chains to address these risks – it's not just third parties that need to be accounted for – but 4th parties, 5th parties and beyond.

2. Environmental, Social, Governance (ESG)

If ESG is not on your third-party risk radar – it should be. ESG is being catapulted up the board agenda, with renewed focus and vigor from regulators, particularly those in the EU. Increasingly, organizations will need to consider not just their own footprint, but also understand and monitor their third parties' and suppliers' footprint and social impact. In March 2021, the European Parliament voted for the adoption of a binding EU law that requires companies to conduct environmental and human rights due diligence along their full value chain or face concrete fines, sanctions and/or civil liability. It is likely that this law will come into force in the 2021-2022 timeframe. Germany is also set to introduce fines, under its Due Diligence Act, for companies procuring parts or materials abroad from suppliers who fail to meet minimum human rights and environmental standards. Unlike some of the other laws that seek to shine light on modern slavery and human trafficking in supply chains (such as the current UK Modern Slavery Act and California's Transparency in Supply Chains Act), these new acts are not just a reporting requirement. These have teeth and will require organizations to conduct the appropriate risk-based approach to due diligence and address issues, or face penalties. It's also likely that these regulations will have global implications: acts from the EU are typically broad in nature. Companies that are headquartered outside of the EU will still be in scope if they have operations and employees within the EU.

3. Operational Resilience

COVID meant operational risk plans received a real-life stress test. Employees (both internal and those at third-party organizations) were instructed to work from home, and global restrictions on travel and transit resulted in significant disruptions to physical supply chains. Plans were found wanting – and this has brought operational resilience (and more broadly business resilience and organizational resilience) front of mind. Operational Resilience is more than Business Continuity Management (BCM). It's more than Operational Risk Management. It's more than Supply Chain Resilience or Third-Party Risk Management. It's a combination of all of these, but is taken from a critical, service-driven approach to managing risk, response, and recovery.

Operational Resilience has been creeping up the agenda, particularly with Financial Services regulators, for some time. We've recently seen a number of Principles, Frameworks and Guidance documents published by the regulators, including:

- EBA: Guidelines on Outsourcing Arrangements
- FCA/PRA: Operational Resilience: Impact Tolerance for Important Business Services
- PRA: Outsourcing and Third-party Risk Management
- ECB: The European Union's Digital Operational Resilience Act (DORA)
- ECB: Cyber Resilience Oversight Expectations for Financial Market Infrastructure
- OCC: Bulletin 2020-94 Operational Risk: Sound Practices to Strengthen Operational Resilience
- FSB: Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships: Discussion paper

There are a range of drivers behind this focus on operational resilience:

- The threat landscape is growing in complexity and variety (which includes everything from the threats associated with the pandemic, state sponsored cyber supply chain hacks, geopolitical volatility, to extreme weather);
- A greater reliance on vendors, third parties, and outsourced providers to support organizations' critical services;
- The momentum of digital transformation projects, which are in many cases outpacing organizations' ability to accommodate change;
- The growing threat of cyberattacks, which has also led to a stronger formalization of the relationship between BCM and cybersecurity.

All of these factors mean organizations need a comprehensive solution to plan and prepare for continuity of operations and services as well as to monitor threats, prevent incidents where possible, and execute associated response, recovery and restoration plans. A core component of resilience involves the ability to manage the risks associated with third parties, 4th parties and beyond (nth parties), including concentration risks associated with these. The approach to operational resilience also needs to be holistic and cross-functional.

4. Cyber Security and Cyber Supply Chain Risk Management (C-SCRM)

When it comes to third-party risk management programs, cyber security is always top-of-mind. And this should come as no surprise – more often than not, security breaches stem from a third-party vulnerability. A recent survey by the Ponemon Institute and SecureLink found that over half of organizations (51%) have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information. And the criminals exploiting flaws in controls are creative and resourceful – from Target's HVAC breach to criminals hacking a fish tank to steal data from a casino! When there's a will (and a weakness) there's a way. Now it's cyber supply chains that are increasingly under attack. SolarWinds demonstrated that sophisticated state players are targeting digital supply chains (including third-party applications). And, more recently, security researchers discovered a software supply chain vulnerability at Composer, the main tool used to manage and install dependencies for PHP, which could put millions of websites at risk. These types of vulnerabilities, and the attacks exploiting them, hit the headlines every week. This means TPRM programs need to evolve to better manage cyber risks further into their supply chain. To support this, NIST recently published guidance: Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, which sets out 8 key best practices designed to help organizations of all sizes and industries build a robust program.

5. Intelligent Automation

Finally, all the above - the growing range of risks to manage, increased regulatory emphasis, the need to manage risks further into physical and digital supply chains - mean that smarter automation for TPRM programs is essential. There is simply too much data and too many complex business processes to manage programs manually. TPRM leaders need to harness the power of technology, and be aware of the tools and technologies that can support their programs. AI and Machine Learning capabilities are now embedded in some of the market's leading TPRM technologies, which provide added efficiencies to programs, and ensure resources are focused on the more strategic aspects of your program, rather than the administration.

Conclusion

While TPRM remains dynamic, one thing remains constant – and that's the ongoing expectation by global regulators for robust third-party risk management programs. With the volume and velocity of change, TPRM programs must be agile and adaptable. Having a view of trends that will affect how third-party risks are managed helps you prepare for tomorrow, today, and build greater business resilience in the process.
- 5 Fundamentals for Third-Party Management Oversight
Guest Author: Tom Rogers, CEO for VendorCentric

One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right 'tone at the top' is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their own expectations for third-party management programs. So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization's industry and size, I recommend that – as a baseline – a well-designed function should have the following five components.

- Policy. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program, and ensures the appropriate tone at the top.
- Lines of Defense and Accountability. Roles should be defined in all parts of the risk framework from the day-to-day business owners to the various lines of defense and senior management – if possible, placing these into performance goals also helps ensure attention is paid throughout the year.
- Vendor Management Function. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or "favorite vendors" don't drown out proper risk decisioning.
- Data and Reporting. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include both quantitative data along with more qualitative "color commentary" on where levels of risk are increasing or decreasing and any inconsistency versus the overall enterprise risk appetite.
- Documentation and Rigor. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.

Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn't enough – accountability needs to be evident in follow-up actions. Their ability to receive and help resolve issues when escalated, and 'wield the hammer' when needed, will ensure the function has teeth. Conversely, depending on the size and complexity of your organization, gaining support of the senior leadership team may not be easy, particularly since third party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span across multiple business lines. However, building that level of trust and support can help immensely when things go wrong – if the vendor management team knows that they have the backing of senior management, it makes difficult decisions such as terminating a contract or declaring a breach much more confident decisions.

Setting aside the regulatory guidance, if that's possible, remember that third party risk management creates a real strategic business advantage in the form of cost savings, solid contracts and greater confidence that outsourcing a particular product or service will continue to go well. And effective governance and oversight of the third-party management function is necessary to make it all happen.
Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric

Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring both creativity and discipline to finding solutions for even the most complex challenges his clients face.