Aug 28 2022

Why You Need a Third-Party Risk Management (TPRM) Program

Category: Vendor Assessment | DISC @ 9:56 am

What entity or sector doesn’t engage with a third party in some way, shape or form? Not many. The reality is that outsourcing, contracting and subcontracting happen all the time and are the norm as businesses continue to embrace the core/context mindset and the division of labor. The more you outsource, the more you need a robust third-party risk management (TPRM) plan, also known as vendor risk management, in place.

Risk management is not new, but the current iteration of TPRM logic typically focuses on three parts:

  • Risk assessment and analysis
  • Risk evaluation
  • Risk treatment

I had the pleasure of chatting with David Medrano, director of third-party risk management at Morgan Franklin, who shared his insight on the importance of TPRM and vendor oversight. Medrano explained that many enterprise entities may have over 1,000 separate third-party engagements and, therefore, must have a methodology to measure the risk each of those presents.

Medrano said that while many entities know their contractors, they may lack visibility into the contractor’s contractor; thus, a daisy chain of outsourced work may be taking place, placing data at an unknown level of risk as the third party shares it with a fourth party and so on. The most important thing an organization can do, in this case, is to categorize vendors in the planning/strategy phase. Suggested risk buckets may include critical vendors, physical vendors and technology vendors.

“Bucket them according to how and what they do and how their third-party actions present a risk to you,” Medrano said. The risk from the coffee vendor, for instance, is not the same as the risk posed by an MSSP. He advised caution about accepting more risk from a vendor than that vendor’s worth or value to the enterprise justifies.

Medrano also advised keeping the methodology uniform: a consistent method helps manage risk while also showing customers, regulators and compliance entities that the company has a way to measure and address risk, and it explains the company’s thought process behind its actions.

TPRM Tools

Ironically, there is a plethora of vendors (yes, third parties) prepared to provide you with tools to create your TPRM program; there are also standardized methodologies available from the U.S. government. For example, the National Institute of Standards and Technology (NIST) has created a TPRM framework to help companies create a consistent and uniform TPRM plan that is adaptable to their unique needs. The NIST framework can help you:

  • Prepare – Essential activities to prepare the organization to manage security and privacy risks
  • Categorize – Categorize the system and information processed, stored and transmitted based on an impact analysis
  • Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement – Implement the controls and document how controls are deployed
  • Assess – Determine if the controls are in place, operating as intended and producing the desired results
  • Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor – Continuously monitor control implementation and risks to the system

In sum, every business unit should be using a TPRM system, regardless of whether its engagement with third-party vendors is centralized or decentralized. Additionally, uniformity in the assessment is of paramount importance, Medrano said.
