6 Steps to Third-Party Risk Management Program Maturity

Mitratech Staff

Editor’s Note, July 23, 2020: We just released an extensively updated version of this guide and retitled it, “5 Steps to Proactive Third-Party Risk Management.” All links to the guide in this post will automatically redirect to the updated version. Stay tuned for an all-new blog post introducing the new version!

Customers in the throes of maturing their third-party risk management (TPRM) program often ask us, “What’s next?” Whether you are standing up a new program, expanding your existing program’s footprint, or replacing an outmoded competitive tool, having a plan is essential. If the old maxim “a failure to plan is a plan to fail” is true, then every third-party risk management program must begin with an end state in mind. That end state could include:

  • Greater visibility that enables better risk-based decisions to inform compliance, prioritize resources, and remediate risks
  • A faster time to value through reduced complexity and greater automation, accelerating vendor on-boarding and re-certification, and minimizing time spent managing operational processes
  • A scalable program that simplifies and unifies the end-to-end process of third-party risk management for greater consistency, predictability and agility

In our 15 years working with thousands of customers and vendors, we’ve devised the following 6-step strategy for achieving complete third-party risk management. Be sure to download the full best practices guide, which details the 6 steps, discusses how to measure your maturity level, and provides a checklist of best practice-recommended features to look for in a solution. Below is a summary of the 6 steps.

Step 1: Make Foundational Program Decisions

There are several decisions that must be made prior to kicking off a third-party risk management program. Key decisions to make at this step include:

  • What factors will you consider in making vendor tiering decisions?
  • Which questionnaire will be used to gather information about your vendor’s controls?
    • Will you use industry-standard or proprietary surveys?
  • What collection method(s) will be used?
    • Will you manage the collection yourself?
    • Will you take advantage of repositories of pre-completed questionnaires?
    • Will you outsource collection to a partner?
    • Some combination of these methods?

As you begin to engage TPRM providers, make sure they can deliver both industry-standard and proprietary questionnaires, so you aren’t locked into a single, rigid questionnaire, and that they offer multiple collection methods to accommodate your business. Read the best practices guide for a full accounting of these attributes.

Step 2: Monitor for Vendor Cyber and Business Risks

Once you’ve decided how to tier your vendors and selected questionnaire content, the next step toward comprehensive third-party risk management is to begin monitoring the cyber and business risks of those vendors. Periodic assessments are essential to understanding how vendors govern their information security and data privacy programs, but they capture a single point in time, and the process is slow: surveys must be distributed to vendors, and vendors must then complete them and submit evidence. Plus, you’re likely only assessing vendors yearly, and a lot can happen to a vendor in a year between assessments. Continuous monitoring fills that gap. Let it inform your tiering decisions and put immediate insights in your hands so you can make better decisions as your internal controls assessments start coming in. The best practices guide reviews what to monitor.

Step 3: Collect Evidence and Perform Due Diligence

The next step toward third-party risk management program maturity is evidence collection and due diligence review on submitted answers. As mentioned in Step 1, collection and due diligence review can take many forms:

  • Do it yourself via a platform that includes built-in workflow for vendor communications, centralized document and evidence management, and a vendor portal
  • Leverage pre-completed standardized assessments of vendors in a network to accelerate your risk identification efforts
  • Outsource the collection of questionnaires and supporting evidence to a provider or partner

Each approach has its pros and cons which we review in the best practices guide.

Step 4: Analyze and Score Results

You’re at the point where you have completed (and perhaps validated) questionnaires and evidence, and now need to analyze and score all of it so you can prioritize risk mitigation activity (discussed in the next step). Analysis tends to be a resource-draining exercise, involving tasks such as checking for red flags in documentation, reading contextual comments, and weighing variations in services against the risks they carry. The best approach to analyzing and scoring is to first centralize results into a risk and compliance register. Then, retain flexibility in how you weight those risks, for example on a 5×5 matrix of likelihood and impact, since not all risks are created equal. Read more in the best practices guide.

Step 5: Remediate Findings

Remember the vendor tiering we discussed in Step 1 (and how it’s informed by the monitoring in Step 2) and the risk register we covered in Step 4? Both will be extremely important during this step: they let you dynamically categorize vendors based on risk levels and criticality to the business, and they enable bi-directional remediation workflow and document management on the risk register. The key here is to look for capabilities that show how risk levels change over time once recommended remediations are applied. That record will be very important to the auditors.

Step 6: Report to Internal and External Stakeholders

It ain’t over until the auditor says so! One way to speed compliance reporting is to gain visibility into each vendor’s level of compliance. Start by establishing a compliance “pass” percentage threshold for a risk category (e.g., X% compliant with a particular framework or guideline). All reporting then ties back to that percent-compliant rating, and your team can focus on subareas where pass rates are low. And since it isn’t *just* about compliance reporting, look for cybersecurity reporting capabilities in your chosen solution as well, such as risk trending over time, risks per business impact area, and highest risks by vendor. The best practices guide details this.
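To make Steps 4 through 6 concrete, here is an added Python example of a toy risk register; it is not the page’s or Prevalent’s code. Each finding is scored on a 5×5 likelihood/impact matrix, open scores are rolled up per vendor, accepting remediation evidence updates the score so the trend is visible over time, and a percent-compliant rating is checked against a pass threshold. The vendor name, control IDs, band cut-offs and the 80% threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


def matrix_score(likelihood: int, impact: int) -> int:
    """Position on a 5x5 likelihood x impact matrix, scored 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1..5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a matrix score to a band. Cut-offs are an assumption, not a standard."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    if score >= 1:
        return "low"
    return "none"


@dataclass
class Finding:
    vendor: str
    control: str       # constructed control ID from a hypothetical framework
    compliant: bool    # outcome of due-diligence review of the vendor's answer
    likelihood: int    # 1..5, assessed by the reviewer
    impact: int        # 1..5, driven by business criticality of the service

    def score(self) -> int:
        # A compliant control carries no open risk; otherwise score the gap.
        return 0 if self.compliant else matrix_score(self.likelihood, self.impact)


@dataclass
class RiskRegister:
    findings: list[Finding] = field(default_factory=list)
    snapshots: dict[str, list[tuple[date, int]]] = field(default_factory=dict)

    def add(self, *findings: Finding) -> None:
        self.findings.extend(findings)

    def vendor_findings(self, vendor: str) -> list[Finding]:
        return [f for f in self.findings if f.vendor == vendor]

    def residual_score(self, vendor: str) -> int:
        """Sum of open finding scores: one number to watch over time."""
        return sum(f.score() for f in self.vendor_findings(vendor))

    def percent_compliant(self, vendor: str) -> float:
        fs = self.vendor_findings(vendor)
        if not fs:
            raise ValueError(f"no findings recorded for {vendor}")
        return 100.0 * sum(f.compliant for f in fs) / len(fs)

    def snapshot(self, vendor: str, as_of: date) -> None:
        """Record the residual score so the trend can be reported later."""
        self.snapshots.setdefault(vendor, []).append((as_of, self.residual_score(vendor)))

    def remediate(self, vendor: str, control: str, as_of: date) -> None:
        """Close a finding once remediation evidence is accepted, then snapshot."""
        for f in self.vendor_findings(vendor):
            if f.control == control:
                f.compliant = True
        self.snapshot(vendor, as_of)

    def report(self, vendor: str, pass_threshold: float) -> dict:
        pct = self.percent_compliant(vendor)
        open_findings = sorted((f for f in self.vendor_findings(vendor) if not f.compliant),
                               key=lambda f: f.score(), reverse=True)
        return {
            "vendor": vendor,
            "percent_compliant": round(pct, 1),
            "passes": pct >= pass_threshold,
            "residual_score": self.residual_score(vendor),
            "band": risk_band(max((f.score() for f in open_findings), default=0)),
            "top_open_controls": [(f.control, f.score()) for f in open_findings[:3]],
            "trend": self.snapshots.get(vendor, []),
        }


def demo() -> dict:
    """Walk one constructed vendor through scoring, remediation and reporting."""
    reg = RiskRegister()
    reg.add(
        Finding("Acme Payroll", "AC-2", compliant=True, likelihood=1, impact=5),
        Finding("Acme Payroll", "IA-5", compliant=False, likelihood=4, impact=5),  # 20, high
        Finding("Acme Payroll", "CP-9", compliant=False, likelihood=3, impact=3),  # 9, medium
        Finding("Acme Payroll", "SC-8", compliant=True, likelihood=2, impact=4),
    )
    reg.snapshot("Acme Payroll", date(2024, 1, 15))          # residual 29, 50% compliant
    reg.remediate("Acme Payroll", "IA-5", date(2024, 3, 1))  # residual 9, 75% compliant
    return reg.report("Acme Payroll", pass_threshold=80.0)


if __name__ == "__main__":
    print(demo())
```

The report shows the vendor still failing the 80% threshold after one remediation, with the remaining open control and its score listed first, and the trend falling from 29 to 9 between snapshots; that falling trend is the evidence auditors look for in Step 5.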

Next Step: Download the Best Practices Guide

This post has explained what an enterprise TPRM deployment looks like and described key features to look for in the solution evaluation process. Prevalent is the epitome of a complete third-party risk management solution, offering a holistic, automated TPRM program unified by a single, easy-to-use platform. If you would like to learn more about how to construct your complete third-party risk management strategy, check out our best practices guide.


Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management provider. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.