Search Results

  • TPRM Program Effectiveness Requires You To Be Intentional

    By: Heather Kadavy, CERP, CBVM CFSSP (Ret.)

    “Individuals who execute the Third Party Risk Management process for [Enter Your Company Name] are qualified and competent, have clearly defined responsibilities, and are accountable for their actions. They understand our risk culture and appetite. They have a robust understanding and oversight of our core and ancillary activities, third party relationships and the various ecosystems leveraged by our organization to address operational and technical capacities to ensure our TPRM Program is aligned with our strategies, to appropriately balance risk-taking and rewards.”

    Every business's board of directors, shareholders or executive team probably wants to hear some variation of this solid assurance statement regarding their TPRM Program's effectiveness. In reality, it is increasingly difficult to truly accomplish. Why?

    The Transitioning of the Workforce is Fast and Furious. Onboarding a new employee typically means they hit the ground running, with limited time on the job to acquire the depth and breadth of knowledge needed to fully understand the complexities of the organization's critical processes, services, and activities, let alone the third party relationships, contractual obligations, and internal risk, control and gap decision alignments, both internal and external, that each organization faces. TPRM teams are often siloed, physically or through priorities, in their view and actions. It takes a team of subject matter experts from each line of business, as well as the TPRM team, to fully understand the risks associated with third parties, and doing so effectively means articulating strategies and priorities; ultimately, everyone rowing in the same direction and everyone pulling their own weight.

    Employees are Re-prioritizing, Exhausted or Disengaged. Today's workforce is either (a) focused on the immediate priorities of making or saving money (e.g. sales, processing and client satisfaction), (b) exhausted and taking shortcuts, or (c) disengaged (aka “quiet quitting”). This can lead to suboptimal oversight of third party relationships, increasing the potential for damage to your business through reputational or operational loss.

    Resources are Earmarked for Client-Facing Solutions. TPRM teams are often asked to “get by one more year” with the resources at hand in a growing and complex ecosystem.

    Third Party, 4th and Nth Parties All Face the Same Problems. Each has an ecosystem with its own shifting workforce and its own cultural, operational and technical uniqueness to manage, so providing answers to our TPRM teams sometimes takes a back seat.

    All of these complexities make it harder to achieve the utopian idea that each TPRM team will have in-depth knowledge of each relationship while also managing risks effectively. As a result, key TPRM processes become abstract concepts that our fast-paced society with shortened attention spans has to balance. Knowing this, how can TPRM programs operate effectively?

    It Starts with the Right Team. Engagement and alignment across the three lines of defense is critical to your success.

    Get Real! By acknowledging the reality of your starting point, or of the areas of improvement that your TPRM Program still needs to address, you and your team will be more aligned on the direction and priorities for a strategic roadmap of your needs. Take a long-term view of the opportunities to incrementally enhance your TPRM Program's effectiveness. It's a marathon, not a sprint. However, that does not mean your TPRM team shouldn't prioritize the areas of improvement needed to mature your program. Begin by breaking your strategic priorities down into incremental sprints, making the overall process less overwhelming.

    Know Your Third Parties (KYTP). Create opportunities to develop the relationship between your employees and third parties, building upon collaboration and mutual trust. Many times a third party will provide:

    • A due diligence packet or answers to inherent risk questionnaires. Implement an “If they provide it, you need to review it” motto. Receiving and archiving information is NOT risk management. It is only through review that you can understand, identify, assess and prepare to mitigate risks.
    • A number of interactive touch-point meetings. Leverage these meetings to incrementally address due diligence concerns and continue learning about the complex ecosystems of your third party. Be purposeful when engaging with them and remember that one size does not fit all. Schedule these discussions on a risk-based frequency and recognize that your third party is an extension of your own security program.
    • A set number of free or discounted online working groups, customer forums, webinars, conferences, etc. This is a great way to network and build relationships with the third party's personnel who have the greatest organizational, operational, and technical knowledge regarding their products, services, and ecosystem.

    When your organization is intentional about improving the effectiveness of its relationships with third parties, it will indirectly drive better collaboration, allow for the sharing of more information, protect your assets and reputation, maintain compliance with regulations, improve your third party's overall experience, and ultimately better mitigate the impact third parties pose to your organization.

  • Work Smarter Not Harder

    Third Party Risk Management (TPRM) is a critical process for organizations that rely on third parties to provide goods or services. It involves identifying, assessing, and mitigating risks associated with these third parties, in order to ensure that they do not negatively impact the organization's operations or reputation. As the number of third parties and the complexity of their relationships with organizations increase, managing third party risk has become a more difficult and time-consuming task. This is where automation comes in.

    Areas to Automate in the TPRM Lifecycle

    Automation can streamline and improve the process by eliminating human completion of repetitive tasks, reducing error, and increasing efficiency. There are several key areas where automation can be applied in the TPRM process, including:

    1. Third Party Onboarding. Third party onboarding is the process of evaluating and accepting new third parties into the organization's TPRM program. It can be a time-consuming and resource-intensive process, involving a significant amount of paperwork and documentation. Automation can help streamline this process by handling the collection and verification of third party information, such as tax IDs, business licenses, and insurance certificates. This can significantly reduce the time and resources required to onboard new third parties.
    2. Risk Assessment. Risk assessment is the process of identifying and evaluating the risks associated with a third party. This can be a complex and time-consuming process, involving a significant amount of data collection and analysis. Automation can help simplify this process by performing data collection and analysis and providing an objective and consistent approach to risk assessments. Automation can also help identify and evaluate risks that may not be immediately obvious to human reviewers.
    3. Continuous Monitoring. Continuous monitoring is the ongoing process of monitoring a third party's performance, as well as its compliance with the organization's TPRM program. This can involve monitoring the financial stability, regulatory compliance, and incident reporting of third parties. Automation can assist with simplifying this stage by creating a real-time data collection and analysis process and providing alerts of any potential issues. This helps organizations identify and respond to potential risks in a shorter period of time.
    4. Reports and Communication. Reports and communication are important aspects of the TPRM lifecycle, as they provide decision-makers with the information they need to make informed decisions about their third parties. Automation can help simplify this process by removing the need for a human to generate reports and by ensuring real-time updates on third party performance and compliance. As with continuous monitoring, this can help organizations quickly identify and respond to any potential risks.

    Benefits of Automation in TPRM

    The use of automation can provide several benefits to organizations, including:

    1. Increased Efficiency. Automation can help streamline and simplify the TPRM process, reducing the time and resources required to manage third party risk. This can help organizations focus on more important tasks, such as identifying and mitigating high-priority risks.
    2. Improved Accuracy. Automation can help reduce human error and provide a more objective and consistent approach to risk assessment. This helps organizations make more informed decisions about their third parties.
    3. Increased Visibility. Automation can provide organizations with real-time visibility into third party performance and compliance. This helps organizations quickly identify and respond to any potential risks.
    4. Compliance. Automation can also help organizations comply with regulatory requirements by providing real-time alerts of any potential issues, as well as an audit trail for those alerts.

    Challenges of Automation in TPRM

    Despite the many benefits of automation, there are also some challenges that organizations may face when implementing it. These challenges include:

    Challenge #1: Lack of Flexibility. One of the biggest challenges of using automation in the TPRM process is the lack of flexibility. Automated systems are often inflexible and may not be able to adapt to the unique needs of different organizations and third party relationships. This can make it difficult for organizations to customize their TPRM processes to meet their specific requirements. Additionally, automated systems may not be able to handle unexpected situations or changes in third party risk levels.

    Challenge #2: Data Quality and Integrity. Another challenge of using automation in the TPRM process is data quality and integrity. Automated systems rely on accurate and up-to-date data to function properly. However, TPRM data can be complex and difficult to collect and maintain. Organizations may struggle to ensure the accuracy and completeness of their TPRM data, which can lead to inaccuracies and inconsistencies in their automated systems. This can make it difficult to accurately assess third party risks and develop effective mitigation strategies.

    Challenge #3: Security Concerns. Security is a major concern when it comes to using automation in the TPRM process. Automated systems may be vulnerable to cyber threats, such as hacking and malware. This can put sensitive TPRM data at risk and make it difficult for organizations to protect themselves against potential data breaches. Additionally, automated systems may not be able to detect and respond to advanced threats, such as social engineering and phishing attacks.

    Challenge #4: Limited Human Involvement. Another challenge of using automation in the TPRM process is limited human involvement. Automated systems may not be able to fully replicate the expertise and judgement of human analysts. This can make it difficult for organizations to identify and assess third party risks while also developing effective mitigation strategies. Additionally, automated systems may not be able to provide the same level of transparency and accountability as human-led processes.

    Challenge #5: Cost and Complexity. Finally, using automation in the TPRM process can be expensive and complex. Organizations may need to invest in expensive software and hardware to implement and maintain automated systems. Additionally, organizations may need to hire specialized personnel to manage and maintain those systems. This can make it difficult for organizations to justify the cost and complexity of using automation in TPRM processes.

    Conclusion

    Automation can be a powerful tool for improving the TPRM process, but it also presents several challenges. These challenges may include a lack of flexibility, data quality and integrity issues, security concerns, limited human involvement, and cost and complexity. Organizations need to carefully consider these challenges when deciding whether to use automation in their TPRM processes. By understanding these challenges and taking steps to address them, organizations can improve their TPRM processes and better protect themselves against potential risks.

  • Hybrid Work in Offshore Settings

    During COVID lockdown, the only option many offshore business processing offices (BPO), as well as every other business, were faced with was to send employees home to work remotely. Whether it was because their facilities could not implement the necessary requirements for a safe working environment, or because the local government required them to disperse the workforce, it happened. There was a scramble by many organizations to quickly adapt so that work could continue during pandemic restrictions with minimal interruptions, not only for their own organizations but also for the organizations they support.

    With COVID restrictions now lifted in most countries, the return to the office for Offshore Delivery Centers (ODCs) has begun in many cases. However, these BPOs face the same challenges their customers face in attracting and retaining talent post-COVID, as many workers would prefer to work either hybrid (some days in the office, some at home) or fully remote. If organizations want the best talent and service from their BPO vendors, allowing those vendors to operate in a hybrid or remote setting is going to be the requirement. Many customers are concerned with the risk of data leakage in these hybrid/remote options and are therefore requesting solutions and options that allow this to take place while also mitigating the risk to both organizations.

    Risk-based approach

    Why is offshore work considered more risky than onshore work? Many offshore resources have access to sensitive data, and yet the resources are not direct employees of the customer. The distance makes the risk higher due to the inability to continuously validate, on a daily basis, that work is happening securely and safely. However, not all data risk is the same, which allows organizations to take a more risk-based approach. The first step in taking a more risk-based approach is educating internal business partners on the risks of certain data sets being sent to or accessed by offshore resources. You can then discuss with business partners what controls need to be in place for each data set to lower the risk associated with that data. For example, development work that only interacts with lower environments, such as Development or Test, and has no sensitive data could be done remotely and offshore (not in an ODC), as it requires fewer controls. On the opposite end of the risk spectrum, access to credit card data or personal health information (PHI) would require additional controls and monitoring to be in place, or should never be sent outside an ODC.

    Enterprise Security for BPO

    Many customers of BPOs focus only on the security of the service the vendor provides. However, given the interconnectivity they may have with the BPO, they should review the BPO's enterprise and information security controls as well. Start with connections: dedicated connections between your organization and offshore BPOs require network devices, which present a weak link. Network device manufacturers often release security patches and maintenance releases. Ask the BPO how often they update their network devices. Questions you can ask include:

    • What is their policy for critical security patches and for notifying you, as their customer, when these updates and maintenance patches are to be installed? Downtime for these devices must be regularly planned and, when a critical release is required, installed at the earliest possible moment.
    • What is the BPO's Intrusion Detection/Prevention System and is it adequate?
    • Does the BPO use a security information and event management (SIEM) tool, and does it collect information from all critical systems within the network?
    • Does the BPO have a Data Loss Prevention system or tool in place that would detect when an employee or intruder begins to exfiltrate data, or does it only detect a threat actor after they've taken gigabytes?
    • Does the BPO perform cybersecurity awareness training, including an insider threat module?

    Service-Level Security for Customers of BPOs

    Once you've established that the BPO either has adequate enterprise-level controls in place or is remediating toward your security baseline, ask: how are they securing the service they provide to you as the customer? If the data is remotely accessed via a Virtual Desktop Interface (VDI) on your own network, how have they disabled activities like copy-and-paste and right-click actions, limited access to only the URLs required to perform the work, and prevented access to personal email and chat? If the data is in a shared cloud environment with the BPO, what controls within the cloud are enabled? Is it a single-tenant or multi-tenant environment? How are access controls managed? Ensure the vendor's revocation of access rights meets your requirements. Look at the connections to ensure they are not allowing deprecated versions of transport layer security (TLS).

    End-Point Security for Hybrid/Remote Workers

    One of the most important controls for remote workers is the set of security controls enabled on the endpoints, like laptops or desktops. The level of controls found on laptops can range from the simple to the complex. At a minimum, there should be an ‘always-on’ VPN, meaning that as soon as the laptop is switched on and connects to the employee's home network, it creates an encrypted tunnel. As the risk to the data and connection becomes greater, there should be more active controls on the endpoint, such as heuristic analysis of keystrokes, artificial intelligence software that analyzes laptop camera images, and biometric requirements for logins. All endpoints should also be connected to data loss prevention (DLP), an intrusion detection system (IDS)/intrusion prevention system (IPS), and a corporate SIEM to ensure a holistic approach to security.

    Network Devices and Remote Work

    A weak link in this remote work approach is the assumption that all home-based routers are secure. Questions you can ask the BPO include:

    • Are employees required to regularly update their home routers, and how is this monitored?
    • Is it a router that your corporate network would trust on its own network?

    If there are thousands of offshore employees working from home, then that is thousands of potential attack points that may be vulnerable. The best option is to require the BPO to issue company-supplied, configured, and controlled routers. As long as the program to issue and control these devices is well designed and run, much of the risk listed above is reduced. BPOs can also ramp up that security by only allowing employees to connect to the BPO network with approved devices, to ensure the risk isn't elevated when employees work from or connect into the Wi-Fi of a local coffee shop or other less secure location. The middle ground would be to have a list of company ‘approved’ devices that meet minimum standards to lower the risk. The employee can register their device with the company (using the serial number, access controls, and other critical information) to allow the BPO to monitor security updates and patches, informing affected employees when their devices are at risk.

    Zero Trust for BPO

    A Zero Trust approach can greatly reduce your risk of a breach; however, it will not lower your risk level to zero, as nothing can perform that task. This section explains a Zero Trust approach you can take with your BPOs. First, investigate how the BPO approaches zero trust. Since only 22% of organizations report being fully at zero trust, it might need to be a risk-based approach, focusing on the highest-risk data and connections. Another zero-trust action your organization can take, as the customer, is to implement controls on your own network. Where the BPO connects to your network, place the connection in a bastion or demilitarized zone (DMZ) that is configured for the level of access based on least privilege. Require biometrics, multi-factor authentication (MFA), re-logins after every few hours, and a privileged access management (PAM) system to ensure these accounts are better secured.

    Physical Validation of Security for Remote Work

    As the ability to travel opens back up, it is important that customers of BPOs begin to perform physical validation of their critical vendors. Previously, a visit to an offshore vendor followed a familiar script: fly to the country of location and meet with the security and operations team to get physical validation of both logical and physical controls. There was a tour of the ODC offices to ensure the expected physical controls were present on the floor: separate spaces, no recording devices (such as phones) allowed in, badges and biometrics for entry, validation of clean room policies, and similar physical checks. With remote work, these checks are not possible at every remote worker's home. However, that doesn't mean they can be skipped, nor does it mean they can't be checked. For example, require the vendor to randomly check, like an audit sample, some of their employees' home offices. Physical validation can also include having the BPO connect to a set sample of remote workers' cameras and validate specific physical controls. If your BPO already does this, then ask: have monitoring controls caught any examples of potentially risky behavior? Ask them to show how they dealt with risky employee behavior to ensure it aligns with their policy and your expectations as their customer.

    Conclusion

    COVID changed a lot of things in the business world. It is doubtful the ‘work remote’ genie can be put back into the bottle. The best talent will want the flexibility to work remote or hybrid, which will, in turn, give them the ability to deliver better service. It will also allow BPOs to hire and retain talented employees. Regardless of your personal views on remote offshore work, there are ways to allow your BPOs to deliver service remotely while keeping the risk to your data and your network within the risk appetite that aligns with your organization.

  • The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership

    by Third Party Risk Association & Shared Assessments As part of our ongoing support to the large global community of third-party risk practitioners and programs, the Third Party Risk Association (TPRA) and Shared Assessments have together prepared The Business Case for Third Party Risk Management (TPRM): A Starting Point for Senior Leadership. At a time when many firms are planning and finalizing their annual budgets, our two organizations developed this basic guidance for senior executives and board members to encourage them either to launch new or to mature legacy third-party risk programs in the coming year. Working with hundreds of companies and thousands of risk professionals globally, our two membership organizations bring decades of collective experience with third-party risk management, including what regulators and clients routinely expect from such programs. We hope that our combined experience will help the vast and growing audience of TPRM professionals and programs gain or expand the leadership commitment and budgets they need to improve their ability to protect their firms, their clients, and the related assets they are working to safeguard.

  • Integrated TPRM Business Processes - Enabling the Business While Mitigating Third Party Risk

    This blog was inspired by the TPRA presentation by Tom Rogers, CEO & Founder of Vendor Centric, at TPRA's July 2022 Practitioner Member Meeting. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the July 2022 meeting recording.) Blog format by Meghan Schrader, TPRA Marketing & Communications Coordinator.

    A question many Third Party Risk Management (TPRM) and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? In this blog, we will discuss:

    • The common goals and challenges to integrating TPRM processes across the organization
    • Tips for improving process integration with business stakeholders
    • Different stakeholders and how TPRM can work with each
    • Key aspects of TPRM governance needed to make integration work
    • A TPRM lifecycle-based framework that enables better integration of people, processes, and systems

    Goals and Challenges with TPRM Process Integration

    When bringing in a new third party, the end goal in its simplest form is to optimize the relationship between the business and the third party. At the end of the day, we engage in third party relationships to gain value from their products/services, as well as to support business owners in reaching their day-to-day objectives. But with the use of third-party products/services comes additional risk to the organization. How can we better enable the business while mitigating third party risk?

    TPRM Challenges with Integration

    Integrating TPRM into business processes can be a challenge. The business is usually concerned with speed to market and may not understand why certain third-party risk due diligence efforts are needed. In addition, once risk is found, the business may not agree with it, or may not feel it is a high enough risk to warrant additional efforts to mitigate it. In the beginning phase of integration, it is important to have open lines of communication and to be transparent about what due diligence efforts are needed and why you ask for certain evidence items from the third party. This ensures the business has a clearer understanding of where the third-party risk may lie and what next steps are needed. They may even help you champion certain discussions if they better understand the risk, as well as the support your team has from executives within your organization. To assist with integration, let's look at what is needed from a due diligence standpoint.

    What is Needed to Evaluate Risk

    But how do you effectively integrate these TPRM processes into business processes without becoming a bottleneck? Below are some tips you can implement to ensure smooth integration.

    Ensuring Integration into Business Process

    First, determine what the business wants from the third-party relationship. Some immediate needs of the business may include, but are not limited to:

    • Start working with the third party immediately
    • Speed to market (they have a project with a tight deadline)
    • Security concerns they need to address will be mitigated by the onboarding of the new third party
    • Reaching a niche market

    Long story short, the business wants to know how they can make implementation happen as quickly as possible, and sometimes this means they are willing to circumvent certain processes. This is especially true if they do not have a clear understanding of why a process exists in the first place. Some of the activities you can participate in to ensure integration into the business process are to:

    In short, there are processes you can put in place to help the business better understand why TPRM exists, the importance of your team, and what is required in order for you to perform your reviews and mitigate risk. It is also important that you work with the business to better understand their goals, objectives, and timelines. Open communication is key throughout the TPRM process, as is setting expectations up front. If this is done correctly, the business can ultimately become a champion for TPRM and more readily assist you with your review process.

    TPRM Challenges with the Rest of the Team

    But the TPRM team does not just work with business owners. They also work with other stakeholders to ensure risk decisions are made at the right level, as well as to ensure legal and regulatory processes are met. Below are some examples of additional stakeholders and how TPRM can work with each:

    Getting Everyone on the Same Page

    We've talked about why working with other teams is important. But how can everyone get on the same page with regard to TPRM expectations? Whether your TPRM program is centralized or decentralized, there are a few things that need to be in place to ensure TPRM activities are integrated into business and key stakeholder processes.

    Third Party Lifecycle Management Framework

    But what should your TPRM Program include? Below is a diagram of a TPRM framework. Source: TPRA Third Party Risk Management Lifecycle (c)

    The outer circles represent the third-party risk management lifecycle stages from beginning to end, starting with “Sourcing” and completing at “Termination and Offboarding.” Within this framework is Operational Governance. While all of the activities are taking place, the glue which holds them together is the policies, procedures, and standards your organization has in place. Governance creates alignment of the people, skills, training, and technologies. This framework can help you better integrate into business operations and provide structure for disparate processes. Part of the goal here is to communicate to business owners that you are a resource, serving as an advisor and coach to them along the way, as well as to detail the importance of dealing with third party risk as quickly as possible. But ultimately, the Business Owners are the risk owners of their third party relationships.

    Conclusion

    There are many ways to integrate TPRM activities into business processes to enable the business while also mitigating risk. With so many moving parts and areas of focus, it is important to facilitate open communication between all stakeholders and connect as many activities, processes, and systems as possible to ensure consistency and the most effective and efficient risk mitigation performance possible. Utilizing a TPRM framework can help streamline and provide consistency within the TPRM program, while also mitigating risk more effectively. Third party risk affects every area of a business, and therefore should be integrated accordingly.

  • Recertification and Reassessments

    By Meghan Schrader

    The level of risk related to your third parties is frequently changing, making recertification and reassessment of key importance. Recertification means reviewing the third party’s responses to the Inherent Risk Questionnaire (IRQ) as well as noting any changes to their profile, such as changes in legal name, ownership, locations, or the like. Reassessment means reassessing your third parties after the initial assessments have been completed and the contract is signed.

    Organizations are continuously innovating, enhancing, and changing business processes. With this comes changes in third party risk. Practitioners may start to send a third party more data, use more or less of their services, or even change how they are using a third party’s products/services. In parallel, third parties may change ownership, platforms, or locations, and/or implement enhanced controls. At the same time, the threat landscape grows in complexity, with events such as pandemics and social/political unrest needing to be factored in. In response to all of these changes, innovations, and enhancements, organizations must continually evaluate their third parties to ensure they remain apprised of their risk landscape and work to remediate/mitigate certain risks.

    But where do organizations start with reassessing their third parties? Begin with recertifying the Inherent Risk Questionnaire (IRQ). The IRQ should drive your due diligence efforts, as it takes into account the level of risk your third party poses before controls are considered. The IRQ can also determine the cycle time for your reviews. Therefore, it is a good idea to determine whether responses remain the same or whether the IRQ should be updated. At this time, you can also recertify the third party’s profile (or the general information you maintain for the third party) to note any changes in location, ownership, and/or processes. Based on recertification of the IRQ, determine which assessments are in and out of scope.

    For assessments previously completed that remain in scope, review past responses and risk to determine whether a full assessment should be re-sent (if high risk was noted) or whether the previous responses can be sent and new evidence obtained (if low risk was noted). Regardless, it is always a good idea to re-test certain controls and obtain new evidence to support those controls. You can also determine from the previous assessment whether any items remain outstanding (i.e., are findings still open). Last, determine whether new questions should be added to the current assessment based on your organization’s continuous improvement efforts. If a new assessment should be completed, ensure the third party understands why the new assessment is being requested and provide them with ample time to complete it. Once all assessments are completed, determine the residual risk of your third party (or the risk once controls have been evaluated). The residual risk should determine the level of due diligence you will perform within the next year and whether any follow-up should be considered.

    Assessment Types

    There are many assessments that can be provided to your third party on a continual basis. Assessment types and how often they are completed should be driven off the IRQ. In addition, the level at which they should be completed (light vs. heavy version) should be driven off the residual risk of a third party. Here are just a few assessment types that can be completed within the Continuous Monitoring (Reassessment) phase.

    - Information Security Risk Assessment – May include application, data, and network security, Software Development Lifecycle (SDLC), and Service Organization Controls (SOC) 2, Type II report reviews. Note: TPRA is currently working on an Information Security Questionnaire template in their Focus Group. Find out how you can get involved on our website under Practitioner and Vendor Events.
    - Privacy Impact Assessment – Includes review of data management practices, as well as compliance with privacy regulations.
    - Financial Assessment – Involves evaluating the financial viability of an organization.
    - Disaster Recovery and Business Continuity (DR/BC) – Covers techniques and processes for continuing business performance following a disaster.
    - Physical Access Controls – Determines potential threats to properties, objects, or individuals and the controls to mitigate said risk.
    - Regulatory Assessment – Involves evaluating compliance activities for your third party. Examples include ensuring compliance with Payment Card Industry (PCI), HIPAA, and gaming regulations. As new regulations are published, it is important to review whether a third party is impacted by the regulation and whether they have a process in place to comply with it.
    - Negative News Monitoring – Reviewing any existing media concerning a third party can help signal a potential threat, whether reputational or security related, to your organization. Subscribe to certain alerts, such as Google Alerts, to determine whether there are certain impacts to your organization.
    - Passive Monitoring – Risk rating/intelligence tools scan the perimeter of third party networks and look for public-facing vulnerabilities. These scans are non-intrusive and can provide you with real-time data on a third party’s vulnerability management program, among other activities. Examples of these tools include, but are not limited to, RiskRecon, BitSight, SecurityScorecard, and Black Kite.
    - Fourth Party Reviews – Reviewing the controls in place for your third party’s material suppliers is also important, especially if they will have access to your data.
    - Offshore Reviews – Involve reviewing the controls in place to mitigate the additional risk an offshore location may pose to your organization. You may also want to consider the geo-political environment for that location.

    Last, and in response to the pandemic, you may also want to perform an Operational Resiliency assessment of your third party that not only looks at their Incident Response procedures, but also reviews your own procedures to ensure your third party is incorporated into them.

    From a Continuous Monitoring standpoint, there may also be times when activities trigger specific assessments not generally performed within your normal due diligence efforts. Certain changes in the relationship and/or the way in which the product/service is leveraged may trigger ad hoc reviews. Such trigger examples include, but are not limited to:

    - Change in location of services
    - Change in risk rating (risk rating/intelligence tool)
    - Change in ownership of the third party
    - Change in product/service (may now be cloud-based vs. on-premise)
    - Change in data sent/stored
    - Change in contract clauses
    - An event or incident occurring

    These triggers allow you to determine whether your organization should take a second look at the third party and/or whether another review needs to be performed.

    Evidence Collected

    In addition to the assessments completed, it is best practice to obtain evidence to validate that specific controls are in place and operating effectively. Evidence items you may want to obtain include, but are not limited to:

    - Penetration Test Results
    - Independent Attestation – Includes SOC 2, Type II reports
    - Policies and Procedures
    - Proof of Key Controls to Evidence Effectiveness
    - Vulnerability Report/Evidence of Patching
    - Continuous Monitoring Report
    - Financials
    - DR/BC Plans and Testing
    - Employee Counts – Includes key person dependency and any significant changes to staff levels that have occurred
    - Network Diagram – Includes cloud architecture and a data flow diagram
    - Background Checks – Includes policies and samples of actual background checks
    - Employee Access Reviews
    - Training – Includes broadscale and specific/targeted training
    - Model Risk – Includes validation of models
    - Negative News

    Questions to Ask

    To enhance your relationship with your third party, there are a few questions you will want to ask yourself to ensure you collect certain pieces of evidence at the right time. Those questions include, but are not limited to:

    - For the evidence you are collecting, what is the scope? This ensures you only collect evidence for the product/service the third party is providing to you, and not for other products/services provided to other clients.
    - Are you collecting it at the same time each year? (i.e., do they perform a pen test at the same time each year so that you know when to collect it?)
    - Is the evidence you are collecting noted within the contract to ensure you can collect it?

    There may be times when a full assessment is not required if specific evidence items can be obtained for testing. There may also be times when you want an independent test performed for key controls to ensure they are thoroughly reviewed (i.e., a SOC 2, Type II report).

    Summary

    In summary, it is important to continuously evaluate your third party to ensure you remain aware of the risk landscape impacting your organization. Ensure you are recertifying your third party’s profile and IRQ to note any changes within the relationship related to your third party. This should then drive the assessment process and the cycle times at which reassessments are completed. Last, it is important to obtain evidence for the specific, higher risk controls you evaluate to determine whether said controls are in place and operating effectively. It is not best practice to only send your third party a questionnaire. All in all, reassessing your third party will ensure the impact the third party has on your organization is minimized and will strengthen the relationship between you and your third party.

  • What Good TPRM Governance Looks Like

    TPRM oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This then allows the program to address third party risks at the highest level, while ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements. But what does good TPRM oversight provide to your program?

    - Accountability
    - Consistency
    - Support
    - Value

    Let's take a look at the benefits noted above individually to determine what governance activities would be required to achieve each benefit.

    Accountability is the benefit of clear expectations and defined roles and responsibilities. Activities related to this benefit include, but are not limited to:

    - Program Governance – Determine how your TPRM program will run. Will it be Centralized (one team/department is responsible for the majority of program activities) or De-Centralized (multiple teams/departments are responsible for pieces/parts of your TPRM program)?
    - Roles & Responsibilities – Clearly define all of the different roles each person/team/department will play. Chances are your entire organization will be impacted by your TPRM program, as third party products/services are used by many. Key roles/responsibilities to define may include, but not be limited to, the Assessors, TPRM Program Leads (who will own/maintain the TPRM program policies and procedures), Procurement, Legal, Information Security, and Business/Relationship Owners.
    - Third Party Risk Committee – It is best practice to set up and maintain some type of risk committee where third party risks are discussed. This ensures your organization can make informed decisions regarding third party risk, as well as accept risk at the highest level. Business Owners should not be the only ones to accept High risk on behalf of the organization.
    - Education & Training – Create a TPRM education and training program for not only business owners and key stakeholders within your organization, but also third parties. Training may include a summary of how your TPRM program is structured (what assessments are performed and when; the process to validate, follow up on, and remediate findings; and the risk escalation process), as well as what evidence you will be collecting, when, and why. It's also important to communicate business owner and third party expectations and support requirements.

    Consistency is the benefit of defined TPRM program requirements and structured metrics. Activities related to this benefit include:

    - Policies and Procedures – Document program policies and procedures, to include TPRM lifecycle activities (Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring/Post-Contract Due Diligence, Disengagement, & Continuous Improvement), handoffs between departments, escalation procedures, and reporting.
    - Metrics & Reporting – Creating program metrics that evaluate program maturity, third party risk trends, and assessment workflow can help you accelerate program performance and reduce the impact of third party risk on your organization.
    - Continuous Improvement – At least on an annual basis, perform a gap analysis of program activities and controls by comparing them to more mature programs or leveraging TPRM maturity models.

    Support is the benefit of executive-level support and sufficient resources. Activities related to this benefit include:

    - Budgeting – Develop a comprehensive TPRM program budget that includes resources, operations, maturity model (for future enhancements), travel (for onsite visits), training, and tools. The TPRA held a meeting in October 2021 that reviewed what a comprehensive budget should include. Playback is available to TPRA members on our website.
    - Resourcing – Develop and implement a resource strategy for attracting and retaining talent. In response to the pandemic, a higher volume of regulations, cyber threats, and technology advancements, TPRM is growing in demand and practitioners are becoming more specialized. It is important to ensure your staff is knowledgeable, communicates well, and understands business needs.
    - Tools – If your program has reached a certain level of maturity (at least has documented policies and procedures, as well as a good support system), you may wish to purchase TPRM tools to reduce the constraint on your resources and allow you to focus on mitigating third party risk at the highest level. The majority of programs use a TPRM platform and continuous monitoring tool(s). TPRA is working to create an exhaustive list of TPRM tools. Disclaimer: This list does not include affiliate links and the TPRA does not receive any monetary value from the list.
    - Board Support – Your Board should already be asking your Executives third party-related questions. They have a duty to ensure appropriate action is taken to mitigate third party risk. Ensure you are updating the Board on third party risk trends at a minimum on an annual basis. You may want to work your way up to providing a Board update per quarter.
    - Executive & Business Support – It is imperative to have the support of your executives, which then drives the support you receive from the business. Ensure your executives and business understand the value of having a comprehensive TPRM program in place.

    Value is the benefit of having TPRM program outcomes lead to the mitigation of cyber, financial, and reputational risk. Activities related to this benefit include:

    - Business Case – It is best practice to have a strong business case documented for why TPRM is important and what value you bring to the organization. This ensures future TPRM program enhancements can be obtained.
    - Responding to Third Party-related Incidents – Studies have shown that the more mature your program is, the less of an impact third party incidents will pose to your organization. Ensure your program contains a plan to respond to and address third party-related incidents and that your Legal and Information Security teams are included within the plan.
    - Holistic View of Risk Landscape – A mature TPRM program can also show your executives, as well as the Board, a more holistic view of your organization's risk landscape, to include fourth and fifth party risk. This then allows the Board and Executives to make better and more informed decisions on strategic initiatives.

    Overall, good TPRM program governance can not only set your program up for continuous success, but also save your organization from significant business disruption by proactively mitigating third party risk. For more information on TPRM topics and to participate in the many discussions on third party risk, join the community of TPRA Practitioners by visiting www.tprassociation.org/why-join. Standard Practitioner Membership is FREE and Premium Membership (which includes your ticket to our annual, in-person conference) is $199.

  • TPRM Maturity vs. Associated Value

    By: Halle Reynolds, TPRA Marketing & Social Media Internship

    The Third Party Risk Management Lifecycle (noted below within "Starting a TPRM Program") is recommended for every organization seeking to implement a TPRM program. How programs implement the lifecycle is dependent upon their organization’s risk appetite (or the level of risk they are willing to accept), as well as the complexity of their third party relationships. After an organization has established an initial TPRM program, consideration should then be given to enhancements that will accelerate TPRM program efficiency and effectiveness in addressing third party risk. The incorporation of the following best practices is contingent upon an organization's overall objectives, budget, and size.

    STARTING A TPRM PROGRAM

    TPRM programs begin with a blueprint, a plan for how your program will function. This layout should include aspects from the Third Party Risk Management Lifecycle: Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring, Disengagement, and Continuous Improvement. At a minimum, it is best practice to have the following processes in place if you are just beginning your program:

    - Planning and Oversight – Establish program governance, budget, policies and procedures, third party inventory, and risk rating methodology.
    - Pre-Contract Due Diligence – Integrate into the Procurement process and ensure due diligence/risk assessment reviews are performed before contracts are signed.
    - Contracting – Develop a contract template that defines the expectation of third party controls that need to be in place, as well as allows for the review of said controls by your organization.
    - Continuous Monitoring – Run all third parties through an Inherent Risk Questionnaire (IRQ) and establish third party reassessment triggers and cycle times based on the inherent risk ratings.
    - Disengagement – Establish a termination checklist, to include the handling/destruction of data and transition to another third party.
    - Continuous Improvement – Communication and education are key when starting a program. Ensure you have top-down support, as well as the support of the business.

    The value you receive from a basic TPRM program can be invaluable. It allows your organization to create a holistic risk lens into your organization’s risk landscape and proactively address and mitigate third party risk in a timely manner. TPRM programs are also required by many regulators, Board members, and customers.

    ENHANCING YOUR TPRM PROGRAM

    Once you’ve established your TPRM program, you can begin to enhance and/or automate certain activities to ensure you are focusing on what matters most in a timely and efficient manner. Below are some examples of enhancements you could make to your program. We will work through the same TPRM lifecycle and discuss enhancements to each phase.

    - Planning and Oversight – Develop a steering committee to address the highest level of risk. Ensure a risk escalation and acceptance process is in place (you may want to do this at a foundational level as well).
    - Pre-Contract Due Diligence – Ensure you have a seat at the table with those making third party risk-based decisions, such as Procurement, Legal, Compliance, and others. Actively participating in conversations will ensure your program gains the support it needs, as well as ensure you are able to obtain the necessary evidence and documentation to perform your reviews.
    - Contracting – You may want to “own” certain contract clauses to ensure that any redlines to specific clauses are reviewed by your team. Small changes could affect what evidence you receive from third parties and how you can assess them. You may also want to add noncompliance triggers to your contracts. These triggers ensure you can take action against contract non-compliance.
    - Continuous Monitoring – Once your program is established, you can then begin to work through nth party reviews. An nth party is a 4th or 5th party (or your third party’s third parties). It’s important to also review nth parties, especially if they will access your organization’s data, are customer facing, or support a key activity related to the product/service you are purchasing from your third party.
    - Disengagement – Begin to maintain a data inventory (by requesting a data flow diagram from your third party) so that you can more accurately pinpoint data destruction requirements, to include data at nth party locations. Another process enhancement for the disengagement phase is to establish exit strategies during the pre-contract phase to leverage during the disengagement phase. If the third party supports a critical function for your business, it is a good idea to have a transition plan in place before entering into an agreement with the third party.
    - Continuous Improvement – Continuously re-evaluate risk domains and enhance them as the risk environment changes (e.g., Environmental Social Governance (ESG), Ransomware, Pandemic). It is also important to benchmark off peers. Chances are, you're not the first to go through something. Benchmarking is the best way to quickly learn tips and tricks for implementing process enhancements.

    The value of continually enhancing your TPRM program is staying up to date on risk trends and ensuring your program is flexible enough to incorporate them when/where needed.

    AUTOMATING YOUR TPRM PROGRAM

    At this point, your program may be gaining momentum quickly as you’ve established the foundational building blocks of your TPRM program and incorporated certain program enhancements. You may now be interested in seeking out ways to automate your program by incorporating tools that can lessen the strain on resources and allow for scalability. We will again work through the same TPRM lifecycle and discuss activities you can automate within each phase.

    - Planning and Oversight – Consider a governance, risk, and compliance (GRC) or TPRM platform that provides workflow, assessment, and reporting for third party risk. A comprehensive tool can also allow you to look across third party risk to determine key risk indicators and trends.
    - Pre-Contract Due Diligence – A GRC or TPRM platform can also assist with automating the questionnaire process and allow you to obtain evidence quicker during the pre-contract due diligence phase. You may also consider joining a third party risk assessment collective (where third parties share the responses to one questionnaire with several organizations) to assist with third party response time.
    - Contracting – Consider implementing a tool that will notify you when contracts are no longer in compliance with updated contract templates. This helps you ensure that you are maintaining contract compliance with your third parties.
    - Continuous Monitoring – A tool that can proactively monitor your third parties is a risk rating/intelligence tool. These tools scan the perimeter of third party networks and look for public-facing vulnerabilities. They are non-intrusive and can often provide you with accurate information on an organization’s vulnerability management and technology refresh program. More innovative tools can also scan the dark web and look for stolen data and/or accounts that belong to third parties. They can also tell you if a third party has offshore locations, as well as the geo-political environment of said offshore location.
    - Disengagement – Certain tools can assist with identifying when non-compliance triggers are met (which could ultimately lead to a relationship termination). They can also assist with the data transition process.
    - Continuous Improvement – Automatically feeding into your organization's overall risk management program can help make more informed decisions when looking across the enterprise. Many tools can integrate into risk management tools your organization may already have, thus providing your organization with a more holistic risk lens. This would also allow your organization to focus its efforts on addressing more critical risk.

    Automation can lead to better collaboration, improved transparency around risk, program scalability, quicker response to threats, and less burden on resources. But if you do not have an established program, automating too soon can lead to accelerated issues and misalignment on risk-based decisions. You can find value in automating workflows, assessments, continuous monitoring activities, risk follow-up and validation, reporting, and other third party lifecycle activities.

    CONCLUSION

    Most TPRM programs start out small and work their way up to more advanced risk management techniques. When beginning, it won’t be necessary to incorporate most tools right away. You may also want to consider current tools your organization already utilizes and determine if/how you can incorporate them into your TPRM program. You should also consider your program's overall objectives, budget, and size when considering which enhancements and tools to implement. The key to evaluating TPRM program maturity vs. associated value is understanding your organization's risk appetite to further develop your TPRM program's risk-based approach to assessing, monitoring, and mitigating third party risk. For more information on this topic, check out the TPRA's YouTube series "TPRM Explained - TPRM Program Maturity vs. Associated Value".

  • The Value of Networking

    By: Meghan Schrader, Marketing & Social Media Intern for TPRA

    Networking – the action or process of interacting with others to exchange information and develop professional or social contacts.

    As the threat landscape grows in complexity and regulations require organizations to review their third parties with a more focused lens, networking and benchmarking off peers has never been more important. Networking provides opportunities to develop and improve your skill set, while staying on top of the latest trends in your industry. A few key benefits of networking with peers are the opportunities to exchange information/advice and obtain support on experiences, struggles, and goals. This allows you to gain new insights that you may not have otherwise thought of. Discussing common challenges, solutions, and opportunities can also open the door to valuable suggestions and guidance. Odds are, your peers have already gone through the growing pains. But what else can you gain from networking opportunities, and where do you start? Listed below are additional benefits of networking, as well as some tips for getting started.

    Learn from Industry Experts

    Within a networking environment, you are able to discuss a variety of topics with industry experts and peers. By learning from experienced members of your industry, you can gain greater insight into your specific area of focus, or expand your perspective with new topics of discussion. By attending and participating in networking activities, you learn from both peers and competitors first-hand, engage in information-sharing, and gain feedback on your ideas, strategies, and practices. Regardless of title or organization, you have the chance to collaborate, promote, and learn in a way that is beneficial for all parties. Through this, you can gain insights and share ideas to advance not only your program, but the whole field of TPRM.

    Collaborate and Connect

    Now, more than ever, collaboration and connection are needed for the advancement of the industry. The opportunity to experience and learn new things with peers, develop strategic partnerships, and connect with friends and colleagues is an integral part of networking. A benefit of a networking experience is that connection and discussion are not limited to one group or type of individual. When attending a networking event, you are able to connect with peers from all walks of life, with varying experience and program maturity, as well as speakers, sponsors, and many more relevant parties. You can go beyond the screen and ask questions, gain varying perspectives, and expand on the content that was covered.

    Validate Your Program Activities

    The need to stay current on best practices, technology, new techniques, and trends is vitally important, especially when the threat landscape continues to grow in complexity. Networking provides you with educational opportunities, leading to personal and professional growth, and advancement of your knowledge base by learning from thought leaders. You’ll be able to return to your organization with new ideas to advance and grow your program. Advancing your professional education not only validates your current program, but also lends credibility to your job function.

    Tips for Networking

    There are always opportunities for networking no matter where you are within your career. A few ideas on how and where to get started are:

    - Network via LinkedIn or other social media platforms by sending connection requests; filtering your LinkedIn searches to connect with specific people based on industry, location, and more; attending LinkedIn events; and joining LinkedIn groups to connect with industry professionals and establish relationships.
    - Network via special interest forums to promote discussion, ask questions, and gain real-time support from peers.
    - Network via conferences to connect with industry professionals, gain new insights, and form meaningful professional relationships by engaging in discussion, exchanging business cards, and simply saying ‘hello’ to new people. The informal connections which take place outside of conference breakout sessions can be extremely valuable. (The TPRA actually started when two peers began to network at a conference.)

    To start networking, find an event or networking platform that relates to your industry or that interests you, practice your entrance (meaning practice how you will introduce yourself), go into a discussion with an idea in mind of what you would like to get out of it, offer something in return (whether it be a connection for someone, a thought or idea, or another resource), and (optionally) work through a follow-up activity (whether it be reaching out to them via email or setting up a future call). Follow-up is key if you feel the networking activity resulted in a benefit to yourself, your career, and/or your organization. Follow-up can also lead to long-lasting and mutually beneficial relationships.

    Networking through TPRA

    The Third Party Risk Association (TPRA) is built on the foundation of furthering the Third Party Risk Management profession through knowledge sharing and networking. We do this through community engagement in monthly and quarterly meetings, as well as industry-specific calls, networking events, and benchmarking sessions. In addition, we collaborate on and create guidance, tools, and templates as a community. Lastly, and what you may receive the most benefit from, is communication and collaboration between peers through our Practitioner Slack Forums. Live, in-person conferences also provide a space for networking, discussions, information sharing, and collaboration. Networking in person also aids in growing your relationships with subject matter experts who can help you accelerate your TPRM program.

    Upcoming Networking Opportunity: TPRA In-Person Conference

    Third Party Risk Association’s 2022 Third Party Risk Management (TPRM) Conference, “The Art of Third Party Risk”, will take place in person on April 18th - 20th, 2022, at the AT&T Hotel and Conference Center in beautiful Austin, Texas. We invite all TPRM Practitioners to join us for three inspiring days of impactful discussion. Any individual and/or organization within the TPRM space (TPRM Professionals, Vendor Managers, Procurement/Sourcing Specialists, Lawyers, Information and/or Cyber Security Professionals, Compliance and/or Privacy Specialists, Auditors, and Service Providers) will find great value in attending this event.

    Speaker sessions are designed to suit your individual and organizational goals. Take full advantage of our sessions by shaping the experience to best fit your program’s maturity level. Track 1 (Apprentice) is for those developing their TPRM program. Track 2 (Practitioner) is for more mature programs that want to validate and obtain best practices for enhancing their program. Track 3 (Master) is for programs that have reached a higher level of maturity and want to learn more about innovative tools and techniques to elevate and automate certain aspects of their program.

    There are many benefits to attending in-person conferences, to include receiving continuing professional education credits (receive up to 14 CPEs), meeting industry leaders, and validating your TPRM program activities. You can also visit service provider booths and learn about tools and techniques that are shaping the way the industry assesses third party risk. Join us in person to make valuable connections and participate in meaningful discussions on TPRM. Visit our website at www.artofthirdpartyrisk.org to learn more about the conference and to purchase your ticket. By visiting the conference site, you will also find our COVID protocols for the event.

    Conclusion

    When you make the investment in participating in a networking event specific to your career path, you open the doors to new opportunities that will allow you to share personal experiences, gain validation for your work, and contribute to a growing community of TPRM professionals. It also allows you to return to your organization with new strategies, strong professional relationships, and the insight to help your program and organization accelerate.

  • Defining Your Third Party Population and Determining Program Scope

    As the third party risk management field continues to evolve, a growing number of practitioners are seeking guidance on how best to categorize the complex third party relationships they encounter throughout their organizations. For a practitioner to properly identify and reduce third party risks, it is important that they first define their third party population and determine scope for their key relationships.

Defining Your Population

When tasked with defining the population, third party risk professionals should first recognize which terms offer the best range of coverage for their specific organization. Commonly used population classifications such as supplier, contractor, and vendor each allude to the population’s specialization, which may be acceptable when defining certain populations. But, due to their selectivity, practitioners are often unable to classify entire populations by these specialized terms. Similarly, circumstances in which organizations defy the traditional supplier-vendor relationship (e.g., charities or affiliates) also require a more inclusive means of population definition. In most cases, if terms such as supplier, contractor, and vendor do not suit the population, practitioners look to the expression “third party.” Unlike other population classifications in the risk management space, this term acts as an inclusive umbrella and applies to a diverse range of populations.

Furthermore, third party risk practitioners may find it worthwhile to define the business owners for third party relationships, at both executive and operational levels, to gain insight into where risks should flow within their populations. In the instance that an organization is engaged in an expansive third party relationship, with multiple engagements throughout the firm, it is crucial to be aware of who owns the relationship and how the risks should be dispersed. All organizations should take their unique populations into consideration when deciding upon a definition.

Determining Your Scope

In relation to risk management, scope refers to which aspects of an organization’s control environment are under the authority of its third party risk management program. Many organizations have individual criteria within each type of third party category. This reference point aims to define whether or not a set of the third party population will be in or out of the risk management program’s scope. A main criterion that many organizations adhere to, in order to determine if a relationship is in or out of scope, is whether they will share data with the third party or whether the third party will host technology for the organization. In comparison, a third party that does not physically engage with an organization’s site, does not have access to data, and/or does not host a technology for the organization would likely be considered out of scope for a majority of third party risk management assessments.

Additionally, companies consider contractors or contingent workers, in addition to other non-employees, to be out of the scope for risk management activities. In the instance of contractors, organizations frequently struggle to outline a standard that can properly express whether issues of related risk are a human resource, information security, or third party risk management responsibility. An effective way to address this issue could be for a third party risk management program to look to the top level of the staffing organization that supplies their contractors, instead of attempting to mass manage the risks associated with every worker from the ground up. Rather than focus on the risk of the workforce provided by their arrangement with a third party, the organization should inspect the risk presented in the arrangement itself. This would also allow the organization more opportunities to drive the controls they require in their relationships.

Conclusion

It is important to define your third party population to better understand the risks, and the impacts of those risks, to your organization. Defining your population also ensures you manage and monitor your third parties using a risk-based approach. If you apply the same risk management approach to all of your third parties, you run the risk of overstating the impact your relationships have on your organization. Once you understand a risk, you must take action to mitigate that risk. Reviewing all third parties using the same lens puts a strain on resources and leaves less time for you to focus on the higher-level risks. Defining your population and the scope of your program ensures you more accurately reflect the impact third party risk has on your organization, and allows you to effectively monitor that risk.

  • Five Third-Party Risk Management Trends You Need to Know Now

    Guest Author: Kimberley Allan, CMO for Aravo Solutions

As the events of 2020 unfolded, operational risk teams around the world were provided a real-life ‘stress test’. In the process, many organizations realized that third-party risk management (TPRM) is much more than simply a regulatory requirement - it is, in reality, a material part of business resilience. Now, many organizations are reevaluating how their TPRM programs can not only comply with a surge of new regulations, but also cope better with emerging risks and build greater resilience in their supply chains. TPRM leaders are being challenged to do this fast. This means they must have their eye on the horizon and understand what’s ahead. Here we discuss five trends that TPRM leaders should have on their radar.

1. Programs are becoming more holistic and cross-functional

If you’re running your third-party management program in silos, or confining your program coverage to a single risk domain, it’s time to think more broadly. Programs are now becoming more holistic and cross-functional. Rather than operating in departmental silos (such as procurement, compliance, risk, information security, data privacy, etc.) that do not collaborate, more organizations are now looking to develop a cross-functional approach to monitoring and managing third-party relationships. Just as operational silos are being broken down, so too are risk silos. Programs are now expected to monitor multiple risk domains, including cyber security, data privacy, anti-bribery and corruption, ESG, quality, and more. Programs are also extending deeper into supply chains to address these risks: it’s not just third parties that need to be accounted for, but 4th parties, 5th parties and beyond.

2. Environmental, Social, Governance (ESG)

If ESG is not on your third-party risk radar, it should be. ESG is being catapulted up the board agenda, with renewed focus and vigor from regulators, particularly those in the EU. Increasingly, organizations will need to consider not just their own footprint, but also understand and monitor their third parties' and suppliers' footprint and social impact. In March 2021, the European Parliament voted for the adoption of a binding EU law that requires companies to conduct environmental and human rights due diligence along their full value chain or face concrete fines, sanctions and/or civil liability. It is likely that this law will come into force in the 2021-2022 timeframe. Germany is also set to introduce fines, under its Due Diligence Act, for companies procuring parts or materials abroad from suppliers who fail to meet minimum human rights and environmental standards.

Unlike some of the other laws that seek to shine light on modern slavery and human trafficking in supply chains (such as the current UK Modern Slavery Act and California's Transparency in Supply Chains Act), these new acts are not just a reporting requirement. These have teeth and will require organizations to conduct the appropriate risk-based approach to due diligence and address issues, or face penalties. It’s also likely that these regulations will have global implications: acts from the EU are typically broad in nature. Companies that are headquartered outside of the EU will still be in scope if they have operations and employees within the EU.

3. Operational Resilience

COVID meant operational risk plans received a real-life stress test. Employees (both internal and those at third-party organizations) were instructed to work from home, and global restrictions on travel and transit resulted in significant disruptions to physical supply chains. Plans were found wanting, and this has brought operational resilience (and more broadly business resilience and organizational resilience) front of mind.

Operational Resilience is more than Business Continuity Management (BCM). It’s more than Operational Risk Management. It’s more than Supply Chain Resilience or Third-Party Risk Management. It’s a combination of all of these, but is taken from a critical, service-driven approach to managing risk, response, and recovery. Operational Resilience has been creeping up the agenda, particularly with Financial Services regulators, for some time. We’ve recently seen a number of Principles, Frameworks and Guidance documents published by the regulators, including:

  • EBA: Guidelines on Outsourcing Arrangements
  • FCA/PRA: Operational Resilience: Impact Tolerance for Important Business Services
  • PRA: Outsourcing and Third-party Risk Management
  • ECB: The European Union’s Digital Operational Resilience Act (DORA)
  • ECB: Cyber Resilience Oversight Expectations for Financial Market Infrastructure
  • OCC: Bulletin 2020-94 Operational Risk: Sound Practices to Strengthen Operational Resilience
  • FSB: Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships: Discussion paper

There are a range of drivers behind this focus on operational resilience:

  • The threat landscape is growing in complexity and variety (which includes everything from the threats associated with the pandemic, state sponsored cyber supply chain hacks, and geopolitical volatility, to extreme weather);
  • A greater reliance on vendors, third parties, and outsourced providers to support organizations’ critical services;
  • The momentum of digital transformation projects, which are in many cases outpacing organizations’ ability to accommodate change;
  • The growing threat of cyberattacks, which has also led to a stronger formalization of the relationship between BCM and cybersecurity.

All of these factors mean organizations need a comprehensive solution to plan and prepare for continuity of operations and services, as well as to monitor threats, prevent incidents where possible, and execute associated response, recovery and restoration plans. A core component of resilience involves the ability to manage the risks associated with third parties, 4th parties and beyond (nth parties), including the concentration risks associated with these. The approach to operational resilience also needs to be holistic and cross-functional.

4. Cyber Security and Cyber Supply Chain Risk Management (C-SCRM)

When it comes to third-party risk management programs, cyber security is always top-of-mind. And this should come as no surprise: more often than not, security breaches stem from a third-party vulnerability. A recent survey by the Ponemon Institute and SecureLink found that over half of organizations (51%) have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information. And the criminals exploiting flaws in controls are creative and resourceful, from Target’s HVAC breach to criminals hacking a fish tank to steal data from a casino! When there’s a will (and a weakness) there’s a way.

Now it’s cyber supply chains that are increasingly under attack. SolarWinds demonstrated that sophisticated state players are targeting digital supply chains (including third-party applications). And, more recently, security researchers discovered a software supply chain vulnerability at Composer, the main tool used to manage and install dependencies for PHP, which could put millions of websites at risk. These types of vulnerabilities, and the attacks exploiting them, hit the headlines every week. This means TPRM programs need to evolve to better manage cyber risks further into their supply chain. To support this, NIST recently published guidance, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, which sets out 8 key best practices designed to help organizations of all sizes and industries build a robust program.

5. Intelligent Automation

Finally, all of the above - the growing range of risks to manage, increased regulatory emphasis, the need to manage risks further into physical and digital supply chains - mean that smarter automation for TPRM programs is essential. There is simply too much data and too many complex business processes to manage programs manually. TPRM leaders need to harness the power of technology, and be aware of the tools and technologies that can support their programs. AI and Machine Learning capabilities are now embedded in some of the market’s leading TPRM technologies, which provide added efficiencies to programs and ensure resources are focused on the more strategic aspects of your program, rather than the administration.

Conclusion

While TPRM remains dynamic, one thing remains constant, and that’s the ongoing expectation by global regulators for robust third-party risk management programs. With the volume and velocity of change, TPRM programs must be agile and adaptable. Having a view of the trends that will affect how third-party risks are managed helps you prepare for tomorrow, today, and build greater business resilience in the process.

  • 5 Fundamentals for Third-Party Management Oversight

    Guest Author: Tom Rogers, CEO for VendorCentric

One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right ‘tone at the top’ is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their own expectations for third-party management programs. So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization’s industry and size, I recommend that, as a baseline, a well-designed function should have the following five components.

Policy. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program, and ensures the appropriate tone at the top.

Lines of Defense and Accountability. Roles should be defined in all parts of the risk framework, from the day-to-day business owners to the various lines of defense and senior management. If possible, placing these into performance goals also helps ensure attention is paid throughout the year.

Vendor Management Function. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or “favorite vendors” don’t drown out proper risk decisioning.

Data and Reporting. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include quantitative data along with more qualitative “color commentary” on where levels of risk are increasing or decreasing and any inconsistency versus the overall enterprise risk appetite.

Documentation and Rigor. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.

Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn’t enough; accountability needs to be evident in follow-up actions. Their ability to receive and help resolve issues when escalated, and ‘wield the hammer’ when needed, will ensure the function has teeth. Conversely, depending on the size and complexity of your organization, gaining support of the senior leadership team may not be easy, particularly since third party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span across multiple business lines. However, building that level of trust and support can help immensely when things go wrong: if the vendor management team knows that they have the backing of senior management, it makes difficult decisions such as terminating a contract or declaring a breach much more confident decisions.

Setting aside the regulatory guidance, if that’s possible, remember that third party risk management creates a real strategic business advantage in the form of cost savings, solid contracts and greater confidence that outsourcing a particular product or service will continue to go well. And effective governance and oversight of the third-party management function is necessary to make it all happen.

Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric

Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring both creativity and discipline to finding solutions for even the most complex challenges his clients face.
