The 7 Essential Disciplines of Third-Party Risk Management Programs
Written by Atul Vashistha & John Bree
1. Clarity of TPRM and Corporate Role
A robust TPRM program requires a governance structure that extends from the board of directors to the front lines, with all parties understanding the entire risk picture and the role each plays in managing it. Collaboration between the corporation's overseeing entities is enabled by establishing a TPRM Committee with a formalized structure, membership, and meeting schedule. The committee should have carefully defined roles and responsibilities with established upstream and downstream communication channels. It is imperative that the committee develop a sourcing strategy framework with risk appetite guidelines that are aligned across the organization and approved by the board.
2. Third-Party Integrity: Know Who They Are
Third parties are often engaged without an assessment of how they fit into the overall corporate enterprise risk management picture. Successful TPRM begins with a detailed assessment of every third party during onboarding. Without a shared understanding of the third party's role and its possible risk impact, risk managers do not know when they should step in or how they should manage an emerging risk, which can jeopardize ongoing operations. The same assessment of integrity applied at the corporate level must extend equally to every third party. This includes identifying details about the third party such as ownership structure, key officers, financial health, sanctions exposure, foreign operations and other related matters.
3. Know Your Risks and Compliance: Beyond Cyber and Financial
Successful management of third-party risk extends beyond cybersecurity and financial risk, the two risks most often identified. Other risks that are often overlooked but potentially significant arise from a third party's business operations, or from the location where the services are provided. Operational risks include third-party employee issues, the third party's other clients, its governance structure, regulatory actions, compliance issues, and solution maturity. Location-based risks include changes in government, corruption and crime levels, natural disasters, ethnic tensions, social unrest, and macro-economic conditions. An effective TPRM program must therefore account for these areas of risk exposure and monitor them continuously.
4. Life-Cycle Management: Trigger-Based Assessments, Risk Changes and Control-Program Agility
Periodic risk assessments are costly and time-consuming. Worse, they are limited in value and can be ineffective, because risk management is not a one-and-done process. Appropriate life-cycle management requires continuous oversight and adjustment, since events that change a third party's risk profile can happen at any time. Curated, real-time, continuous risk intelligence not only enables timely responses; it anticipates disruptions and identifies trends that may present opportunities. Backing continuous monitoring with follow-on actions tied to a risk event trigger can initiate re-assessments of the affected risk categories. For example, if a third party suffers a cyber breach a month after its annual assessment, it is not prudent to wait eleven months for the next assessment. An efficient TPRM program would use that risk event as a trigger to re-assess the third party's cybersecurity posture. A program configured this way not only helps avoid and mitigate risk exposure; it also improves risk management productivity, limits disruptions and reduces program costs.
5. Proven Risk-Tiering Approach: From Critical to Low
Effective TPRM must include a formalized risk tiering process that ranks each third party by the relative risk exposure it creates for the organization. The common practice is to rank third parties in four tiers: low, moderate, high and critical. Accurate tier assignment requires a risk grading matrix developed by the TPRM Committee. Assessment at all tiers should extend to Nth parties, that is, the third party's own suppliers and subcontractors. Take for example the cyber breach at Target in 2013. Attackers used the network credentials of an HVAC and refrigeration services supplier to gain access to Target's network, moved to the point-of-sale systems, installed malware on them and captured sensitive customer payment data. The supplier apparently had remote access to Target's network for tasks such as monitoring energy consumption and temperatures at various stores, and the attackers used that foothold to reach the POS environment. A proper risk tiering would have identified the HVAC supplier as a high-risk third party because of its access to Target's network. That awareness could have led to a more effective risk management approach, such as segregating the HVAC systems from Target's customer data and payment systems.
6. Governance: Monitoring Aligned to Risk Tiers and Incidents
Although governance in risk management was previously understood as risk avoidance or risk mitigation, it now extends to actively managing risk. As a Deloitte position paper on the subject observes, good governance and risk-management procedures not only avoid punitive costs and reputational damage but also provide a competitive advantage. When the TPRM Committee designates the level of risk monitoring required for each risk tier, the enterprise can establish real-time, continuous risk monitoring procedures that are aligned with its risk management goals. Matching the intensity of monitoring to the relevant risk tier, whether critical, high, moderate or low, lets an enterprise manage risk both effectively and cost-efficiently.
7. Response Playbook and Learning Loop: Continuous Feedback and Enhancement
Successful TPRM programs recognize that third-party relationships are always changing and that the related risk exposure is in a constant state of flux. TPRM programs need the ability to respond to these changes with agility and speed. Avoiding or reducing the impact of negative disruptions requires clearly established behavioral analytics and cooperative relationships between teams with different functions at all levels of the enterprise. A structure that enables both behavioral analytics and cooperative inter-team relationships needs to be firmly established from the beginning. Finally, mechanisms should exist across the entire life cycle for sharing and collaboration among all stakeholders and third parties, so that the TPRM program can be reviewed, modified and enhanced as needed.
Ready to learn more? Subscribe to our blog to be notified when an in-depth look at our first discipline: Clarity of TPRM Structure and Role in the Organization is published. Or request a Supply Wisdom demo to see the Seven Disciplines in action.