Managing third-party risks involves multiple stakeholders — InfoSec, privacy, procurement, finance, legal, and many other teams may need to regularly interact with third parties. This makes it even more important to build a third-party risk management (TPRM) program that’s user-centric and easy to implement.
“I've been at companies where different teams, whether it's legal, privacy, or security, built a process that addressed all their needs and worked for them. But they didn’t think about the experience of the user — the employee, the procurement team, or whoever has to participate in the process. That ends up with a very convoluted and confusing process people don't want to use,” says Ruo Xie, VP of Source to Pay at OneTrust. “It has to be easy for the end-user to understand. They have to want to use it.”
In this article, we bring you advice from six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies on how to implement a TPRM program across your organization. This is the third post in our series on building a TPRM program.
Download our InfoSec's Guide to Third-Party Risk Management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.
What tools do you need to start a TPRM program?
Organizations with existing GRC programs often don't need a big investment to start their TPRM program. In many cases, existing tools and resources can be leveraged to manage third-party risks.
For example, you can start with your GRC platform and build some of the functionality yourself or use a risk management solution to facilitate third-party scoring. While these won’t deliver the full capabilities needed in more mature TPRM programs, they can populate some of the data you need to kickstart your TPRM program.
“If your goal is to build the capability from scratch and don't have a ton of resources, you just have to onboard using what exists in the environment today,” explains Matthew Solomon, VP of Technology and Cyber Risk Management at Humana.
“However, if your goal is to create really robust capabilities and a lot of the organization's procurement decisions hinge on the vendor’s cyber risk rating, then you probably need new or add-on capabilities to your existing tools that can seamlessly gather the required vendor risk data, analyze it, and then report on results in a way that helps the ultimate decision-maker.”
Return on investment is another consideration when it comes to TPRM tooling. Can one person do the job, or do you need three people to do it? As more third parties are onboarded, a centralized tool may actually lower staffing costs and make the TPRM process easier, faster, and more scalable in the long run. Teams also won’t need as much formal training because they’re able to leverage the guidance within the tool.
“If we can automate what’s needed from a security or privacy posture perspective, we shouldn't need a human to review it. The only time a human should be required to come in is if it deviates from the requirement or needs a business decision,” adds Xie. “Automation saves time and allows the security team to focus on the riskier, more complex vendor reviews.”
Do you need a dedicated TPRM team?
Security is just one part of the whole third-party management process. TPRM programs also deal with contract reviews, assessments, and other due diligence activities.
“A lot of risk professionals have a ‘Swiss Army Knife’ breadth of security knowledge. Not super in-depth in any one area because they have to piece everything together, but they know enough to ask the right questions,” shares Tim Mullen, Chief Information Security Officer at OneTrust.
“If there are certain questions — for example, about API keys or personally identifiable information (PII) data — it will involve a more formalized review that brings in our architecture team. So not only do you need risk-based individuals, sometimes you need technical individuals to have those more deep-dive conversations.”