When you think about third-party risk management, what comes to mind?
Are you concerned with measuring the effectiveness of your program?
Do you know which third-party providers to focus your risk management efforts on?
How are you evaluating your providers during the due diligence process?
If you are like 36% of respondents in a recent Nemertes Research Study [1], then you are probably using a documented checklist or questionnaire that third-party providers must complete before you engage with them, and you re-assess it annually.
But how confident are you that the provider is properly managing risk? These third-party relationships are your organization’s biggest vulnerability — shouldn’t we be assessing them as such?
Where Traditional Third-Party Risk Management Falls Short
If you’re still using these 3 antiquated approaches, then your third-party risk management program could be plagued by inaccuracies and inefficiencies.
Sign #1. Annual Third-Party Questionnaires
In the past, organizations utilized questionnaires to document a provider’s compliance posture. However, with annual third-party questionnaires, responses can become outdated immediately — as soon as an incident occurs.
On top of that, questionnaires provide little to no actual evidence that the answers provided are accurate. As a result, questionnaires lead to a false sense of security: you outsource the work to third parties, but the responsibility still rests with you [2].
Sign #2. General Third-Party Assessments
Additionally, many organizations focus on the third party as a whole and don’t assess the individual services they provide. This doesn’t give you the full picture of the provider’s risk profile and opens the door for gaps and vulnerabilities.
Another outdated technique is performing third-party risk assessments on all providers in your supply chain without a ranking or tiering process. This method leads to time wasted on assessing low-risk providers or those that don’t have access to your data. Alternatively, if you rank your third parties according to the type of data they access and the services they provide, you can focus on the critical and high-risk providers, giving time back to your team.
Sign #3. Manual Third-Party Risk Management Processes
Only 7% of respondents in the Nemertes Research Study were using automated risk assessment tools to evaluate their third parties. Relying on manual efforts, such as email, spreadsheets and paper checklists takes up valuable time and resources. That is time that could be used on more strategic initiatives.
How to Rethink Your Third-Party Risk Management
So, let’s rethink how to manage your third-party risk, so you can better protect your company (with fewer resources). Start with these tips:
Treat Third Parties as Another Asset
My first tip is to think of your third parties as an asset to your organization and manage them accordingly. These relationships can impact your organization’s ability to meet its business objectives, similar to other assets, such as your revenue-generating business processes and cloud infrastructure. And just like any other asset, you need to assess the risk of that provider relationship.
Assess Providers and Services
Included in that relationship is not just the third party but also the services they provide. So, as mentioned earlier, assess each service that the third party provides to get a complete picture of the risk they present to your company.
An essential component of third-party risk management is preparing a risk profile for each provider in use, asserts the Forbes Technology Council. For every service provided, a trust level must be defined [3].
The most effective way to gain that trust is to conduct more evidence-based information requests, such as independent compliance reports for both the provider and their applicable services. With ZenGRC, you can evaluate the provider, plus map and assess each of their services to determine the impact they have on your business.
Rank Your Third Parties
Let’s be smart about which third parties and services to assess. Recall that evaluating all your providers is inefficient and unnecessary.
Instead, rank your providers and their services by determining what type of data they have access to and whether the service is business critical. Best practices suggest classifying providers according to their risk profile using a rank or tier rating, such as Critical, High, Medium and Low.
A great way to start the risk profiles and rankings is to review your critical assets and your Business Continuity Plan. Let’s walk through an example: you may be focused on Enterprise, Cybersecurity and Privacy risks. In that case, do you need to vet the landscaping services company? Unless they are creating a garden in your data center, you can probably skip them or leave the due diligence to another department. The landscaping services company would be classified as low risk.
Simply rank the providers and their services as critical or high if they have access to your critical assets/data or if the service is mission critical. By focusing on the critical and high-risk providers and services, you are making strides in creating a more efficient and effective risk management program.
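To make the ranking concrete, here is an added example (not ZenGRC code, and not from the original post) that tiers each service by the data it touches and whether it is mission critical, rolls the worst service tier up to the provider, and builds an assessment queue of only the Critical and High services, with services whose compliance evidence is missing or more than a year old put first. The sensitivity scale, the provider records and the as-of date are constructed sample data for the example.

```python
"""Tier a third-party inventory by data access and business criticality.

Added illustration of the tiering approach described in the post; the
provider records and the sensitivity scale are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed sensitivity scale for the data a service can access, highest first.
DATA_SENSITIVITY = {"regulated": 3, "confidential": 2, "internal": 1, "none": 0}
TIER_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass
class Service:
    name: str
    data_class: str                    # key of DATA_SENSITIVITY
    mission_critical: bool             # listed in the Business Continuity Plan
    evidence_date: date | None = None  # date of the last compliance report


@dataclass
class Provider:
    name: str
    services: list[Service] = field(default_factory=list)


def tier_service(svc: Service) -> str:
    """Critical if mission critical or touching regulated data; otherwise by data class."""
    sensitivity = DATA_SENSITIVITY[svc.data_class]
    if svc.mission_critical or sensitivity == 3:
        return "Critical"
    if sensitivity == 2:
        return "High"
    if sensitivity == 1:
        return "Medium"
    return "Low"


def tier_provider(provider: Provider) -> str:
    """A provider inherits the highest tier of any service it delivers."""
    tiers = (tier_service(s) for s in provider.services)
    return max(tiers, key=TIER_ORDER.index, default="Low")


def evidence_is_stale(svc: Service, as_of: date, max_age_days: int = 365) -> bool:
    """Annual evidence is treated as stale once it is missing or older than a year."""
    return svc.evidence_date is None or (as_of - svc.evidence_date).days > max_age_days


def assessment_queue(providers: list[Provider], as_of: date) -> list[tuple[str, str, str, bool]]:
    """Return (provider, service, tier, stale_evidence) for Critical/High services,
    highest tier first and stale evidence ahead of fresh evidence within a tier."""
    queue = []
    for p in providers:
        for s in p.services:
            tier = tier_service(s)
            if tier in ("Critical", "High"):
                queue.append((p.name, s.name, tier, evidence_is_stale(s, as_of)))
    queue.sort(key=lambda row: (-TIER_ORDER.index(row[2]), not row[3]))
    return queue


# Constructed sample inventory (names and dates are made up for the example).
AS_OF = date(2024, 6, 1)
SAMPLE_PROVIDERS = [
    Provider("CloudHost Inc", [Service("production hosting", "regulated", True, date(2023, 1, 10))]),
    Provider("Payroll SaaS", [Service("payroll processing", "confidential", False, None)]),
    Provider("GreenThumb Landscaping", [Service("grounds maintenance", "none", False)]),
    Provider("Newsletter Tool", [Service("marketing email", "internal", False, date(2024, 3, 1))]),
]

if __name__ == "__main__":
    for p in SAMPLE_PROVIDERS:
        print(f"{p.name}: {tier_provider(p)}")
    for provider, service, tier, stale in assessment_queue(SAMPLE_PROVIDERS, AS_OF):
        flag = "evidence stale or missing" if stale else "evidence current"
        print(f"  assess {provider} / {service} [{tier}] ({flag})")
```

The landscaping provider lands in the Low tier and never enters the queue, which is exactly the outcome the post describes; the hosting provider with regulated data and a two-year-old report goes to the top.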
Follow Best Practices for Modern Risk Management
Treating your third parties as another asset is just one way to update and improve your program. Follow the “7 Best Practices to Modernize Your Third-Party Risk Management” outlined in this FREE guide for more.
Resources:
[1] Nemertes Research Study, reported by TechTarget
[2] 7 Best Practices to Modernize Your Third-Party Risk Management
[3] Risks and Vulnerabilities When Using Third-Party Providers, Forbes Technology Council