Tips to Build a Stronger Third-Party Risk Management Program

Across industries, teams are struggling to manage risk volatility throughout their supply chains. Here are four practical tips to advance a program as third-party networks grow larger and more complex.

John Wheeler, Senior Advisor, Risk and Technology, AuditBoard

July 18, 2022


With as many as 51% of businesses experiencing a third-party-related data breach, the risks of working with external partners have never been clearer. What’s more, third-party ecosystems only continue to expand, according to the Institute for Collaborative Working, and as much as 80% of the direct and indirect operating costs of a business come from third parties.

As vendor and supplier vulnerabilities continue to plague nearly every industry, teams are struggling to manage the associated risk volatility throughout their supply chains. The good news is, a strong third-party risk management (TPRM) program, built on a sturdy workflow for onboarding along with ongoing monitoring, can help alleviate the impact of related risks.

Here are four practical tips to advance your TPRM program as our networks of third parties grow ever larger and more complex:

1. Understand inherent risk and how it should be incorporated into programs

Inherent risk, or the amount of risk that exists before controls are put in place, should be an ongoing assessment throughout the third-party risk lifecycle. So how exactly can you quantify inherent risk and embed it into your TPRM program?

There are two essential elements. First, it’s important to evaluate inherent risk at the outset of any vendor relationship, with riskier third parties necessitating further due diligence. Risk factors to consider include what data the third party will have access to, whether it operates in another country with different compliance standards, whether it outsources to others (or fourth parties), etc. With these factors in mind, you can assign a third party an initial “risk score,” and be sure to include the right intake questions within your onboarding process.

Second, it’s important to categorize third parties according to tiers of inherent risk -- from those that pose low risk, to ones that present moderate risk and should be monitored, to those that are critical to your business operations and pose a higher risk. With these risk tiers in place, you’ll be better positioned to monitor and assess your third parties throughout their lifecycle, ensuring you're putting focus in the right places to mitigate the most damaging risks.

2. Complete threat and risk-based control mapping for critical third parties

Once you’ve identified your critical third-party relationships, the next step is control mapping. Here is where a single source of truth and real-time information become essential: With unified data governance, organizations can effectively and efficiently track data across the third-party lifecycle. What’s more, by integrating data ownership and accountability, automated system controls and monitoring, and regular audit cadences directly into your risk program, you’ll gain visibility into key third-party risks before they impact your organization.

And, in the event of any incidents that do arise, you’ll be prepared to mitigate them, quickly and with limited business disruption. The key here is to take a truly integrated approach -- involving not just risk and security teams, but legal and procurement as well to ensure the contracts you have in place with vendors leave room for remedy.

3. Calculate residual risk and use it to determine ongoing review cadences

A residual risk score, calculated through a combination of previous risk assessments as well as inherent risk, can be a helpful metric for determining how frequently you’ll need to conduct third-party audits.

Your review cadence will vary, of course, depending on your team size and objectives. For example, you might choose to conduct quarterly reviews for high-risk, semi-annual reviews for medium-risk and annual reviews for low-risk third parties.

Once you’ve determined your review schedule, one best practice that helps foster positive relationships (and achieve better audit outcomes) is to communicate the schedule to the auditees so they understand when your organization will be testing them and what you’ll be testing against.

4. Integrate external ratings and service offerings into your program

In addition to your internal risk assessments and ratings, you may also want to consider external ratings when determining which third parties to work with and how to conduct your monitoring processes. Provided by a trusted, independent source, these objective ratings can help you benchmark a third party and flag any changes in their risk and compliance posture once you’ve begun working together, allowing you to remediate any gaps. In other words, they provide added perspective and strengthen your TPRM program.

To effectively analyze these external ratings, organizations need to integrate data from independent sources directly into their TPRM technology solution. In particular, cloud-based technology is a must for risk programs. Not only does it offer robust integration capabilities, it also provides a single, unified source of truth; continuous, real-time data; and the ability to conduct top-to-bottom risk assessments and testing, all without the risk of manual error.

Today, third parties are seen as an extension of an organization and need to act in alignment with the company’s organizational principles. As third- (and fourth- and fifth-) party networks continue to grow, and supply chains become ever more complicated, TPRM is essential to reduce costs, meet regulatory compliance requirements, and conduct business ethically.

What’s more, a good TPRM program actually has the power to add tremendous value to an organization. With a truly functional, transparent, and integrated risk program, businesses can make better decisions, compete more effectively, and satisfy the needs of key stakeholders including board members, investors, customers, regulators, and auditors.

About the Author

John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors, a global risk management strategy and technology advisory firm. John is a recognized expert, frequent speaker, and author on the effective use of risk management practices and technology in large and midsize businesses. His major areas of specialty include enterprise/operational risk management, integrated risk management (IRM) technology, executive leadership, and corporate governance. Prior to joining AuditBoard, he was senior director, analyst, and global risk management technology leader at Gartner.
