22 June 2023
Cyberattacks and the accelerating speed of digital capabilities have changed the way organisations approach third-party risk management (TPRM). Moving away from a reliance on manual processes is one of the most obvious examples of this shift. Weaving automation into TPRM provides valuable insights that can improve efficiency, even if resources are limited.
These measurable operational benefits – including savings on time, money and expert resources that could be better used elsewhere – will only be achieved by organisations that harness the right TPRM solution. This will enable them to identify the opportunities to improve productivity and output, strengthen the supply chain and minimise serious risk throughout every stage of the third-party relationship.
The stages of a third-party relationship
Each organisation will have its own way of structuring its approach to its third parties. This will depend on things like the sector, number of jurisdictions, complexity of its operations, regulatory obligations and specific environmental, social and governance (ESG) requirements. In addition, careful thought must be given to the way these third parties will interact within the organisation’s own environment, as this will have the biggest impact on the way the third-party relationship is structured. For example, does the organisation have a centralised approach to TPRM? Or does it rely on its various departments to manage its own specific relationships?
In general, however, there are usually eight stages in the creation of a third-party relationship:
- Discovery, or identification, and screening
- Consideration and selection
- Inherent risk assessment
- Risk minimisation
- Onboarding
- Reporting and recording
- Continuous monitoring
- Offboarding
Note that onboarding comes in the middle of the process, not at the start of it.
1. Discovery and screening
An audit of existing relationships will identify potential conflicts with new vendors. Find a TPRM tool that will provide a centralised way of tracking all of your third parties, and will allow you to thoroughly screen them with a combination of questionnaires and threat intelligence assessments.
External information, like risk ratings and the chance of the vendor appearing on a sanctions list, can be woven into the discovery and screening process to save time during risk assessments.
2. Consideration and selection
This is where your organisation will test the suitability of its request for proposal (RFP) and request for information (RFI) processes. With the right automated tools, you can create clear side-by-side comparisons of potential suppliers and generate evaluation reports that will help your board to make the best decision for the organisation. It will also help to avoid an over-reliance on one particular vendor (or ‘concentration risk’).
3. Inherent risk assessment
Inherent risk describes unmitigated risk: nothing has yet been done to address the vendor’s identified risk and bring it down to a level that the organisation considers acceptable.
At the inherent risk assessment stage, organisations are therefore examining the vendor to gauge its impact on the organisation’s own risk profile. How material are the risks the vendor poses to the organisation? How big an issue would it be for the organisation if the vendor suddenly ceased operations?
The answers to questions like these give organisations clarity over how mission-critical – or not – each of their vendors is. In this way, they can categorise their suppliers/vendors into criticality tiers (or importance levels). Critical third parties (CTPs) can then be monitored more rigorously than other third-party suppliers.
Again, automation is key to ensuring that all aspects of the vendor’s risk profile are covered.
4. Risk mitigation
The only real way to mitigate risk is with ongoing monitoring of all your third parties, which should begin now, whether you decide to proceed to onboarding or not.
There are things that can and should be handled by automated processes because they are impossible to track effectively through manual means. Consider, for example, the amount of time and effort that would go into manually tracking:
- risk score and rating evaluations;
- continuous cyber risk monitoring; and
- conducting regular reviews to measure your third parties against your organisation’s own ESG goals and risk tolerance levels.
5. Onboarding
Sometimes described as the ‘contracting and procurement’ stage, onboarding often happens as part of the risk mitigation process. Whichever method or terminology your organisation uses, it’s important to incorporate onboarding into your overall TPRM. Even though much of the onboarding stage presents no immediate or obvious risk (contract negotiations, setting KPIs and delivery dates etc.), there will be opportunities for risk to creep in and make itself known at a later date.
6. Reporting and recording
For organisations in regulated industries, there are ways to automate reporting – especially around CTPs and operational resilience requirements – that will demonstrate ongoing best efforts to remain compliant.
This function is also useful for presenting reports and feedback to key stakeholders and senior people. A good TPRM platform will allow you to tailor your format so that crucial details are not overlooked, and create targeted alerts when any of your third-party risk levels increase.
7. Continuous monitoring
Every relationship needs maintenance work to stay healthy, and those between an organisation and its third-party suppliers are no different. If you are only relying on your onboarding process, what happens when changes occur during your relationship with a service provider or third party?
This is where automation really comes into its own. The ability to react and adapt the minute a new risk arises is vital in an ever-changing risk environment, but is only possible with real-time monitoring and instant alerts.
8. Offboarding
It can be tempting to simply turn the page at the end of a project or contract and never think about the other parties involved again. But this “move on and forget” approach is a gift to threat actors, because it creates a network of unmonitored access points that should have been closed during the offboarding phase. Checklists and assessments, used as part of a properly considered relationship termination plan, will close the loopholes and provide your organisation with greater security.
While risk minimisation and operational resilience lie at the heart of TPRM, those organisations that are harnessing the power of automated TPRM tools are also giving themselves a distinct advantage.
As technology creates greater efficiencies and drives demand for swifter delivery, the organisation that can move its projects from inception to completion without compromise or delay during the TPRM process will be the organisation that outpaces its competitors.
Talk to us to find out more about how we can help you to move your TPRM to the next level.