What is ‘third party risk management’? A complete guide to TPRM
Third party Risk Management – also known as TPRM – is the process of assessing and mitigating the risks that arise from working with third party vendors and suppliers. TPRM typically refers to the broad discipline of managing all types of third party risks, including financial, operational, strategic, compliance and cyber security risks.
Information security third party risk management, in particular, is a growing area of concern for organisations of all sizes. A recent Gartner survey, for example, shows that 89% of organisations experienced a supplier security risk event in the past five years, yet business awareness and plans to mitigate this risk lack maturity.
Here, we will explore the meaning of third party risk management in the context of cyber security, offering advice that will help you understand this discipline in more detail and build your own supplier assurance programme.
You can get visibility of security risks and build confidence in your supply chain with our supplier security risk management services.
What is a third party in the context of third party risk management?
A third party is any entity outside of your company that provides services or products to your organisation or acts on behalf of your business. Third parties can be sole traders or organisations, including contractors, consultants, software vendors, distributors and suppliers.
Your organisation likely liaises with a range of third parties, from software-as-a-service solutions providers to logistics companies responsible for delivering your products to customers.
It is also worth remembering that the third parties you work with will have their own suppliers, vendors and partners. The relationships that exist here are commonly referred to as fourth-party relationships, where you are indirectly connected to organisations due to your supplier interactions.
While these relationships are often opaque in nature, fourth-party relationships can also trigger cyber security incidents. So, as your third party vendor risk management programme becomes more robust, it is well worth putting provisions in place for fourth-party risks too.
Why is third party risk management important for my organisation?
The TPRM process is crucial because outsourcing to or taking services from third parties introduces new complexities and risks for your organisation’s cyber security posture. Even if you have invested heavily in improving your cyber security defences, you are still vulnerable if you have not considered how the suppliers you work with could impact your IT systems and data.
We advise considering every supplier you work with as an extension of your organisation’s attack surface. The more suppliers you employ, the greater your chance of compromise.
This is not to say, though, that you shouldn’t use suppliers or that all vendors will pose equal risk to your organisation. The level of risk to your business is dependent on factors such as a supplier’s own approach to security and the data and systems of yours it has access to.
What are the foundations of third party information security risk management?
The third party risk management process can be broken down into four steps, as we will explore below. Completing these four steps should not be viewed as a tick-box, one-off exercise. Risk management is very much a cyclical activity, where you assess, review and monitor third party security risks throughout the longevity of the supplier’s contract.
For the below process, we recommend looking first at applying your third party risk management framework to new contracts. Once you and your team are content with the procedures you have implemented, you can scale the model and apply it to existing contracts. The last stage of maturity in this area involves the consideration of the fourth parties we mentioned above, where you look to illuminate your supplier chain beyond the first tier.
- Identification of suppliers
The first step in creating your third party risk management policy is understanding where potential risks lie in your supply chain and what form they take. Here, you should work to gain clarity about who your suppliers are, what data and IT systems they have access to and the potential cyber security risks associated with this access.
In collaboration with procurement, you can then conduct a risk assessment on each contract you have identified. We recommend using established risk measurement tools, such as the Government’s Risk Guidance and CPNI Operational Requirements to do this.
With these tools, you can create a unique identifier for each contract, enabling you to reference each specific cyber risk profile and more easily identify and compare potential risks.
As you consider the risks that could arise from your working relationships, you should also look at potential security controls and mitigation tactics that the supplier could put in place. For example, you could ask suppliers to meet accreditations like Cyber Essentials or undergo penetration testing.
- Due diligence
The next step is to collaborate with your suppliers to understand more about their cyber security controls and what needs to be improved through dedicated third party risk management questionnaires. You can look to resources such as the NCSC’s cyber security questions for suppliers as a guide rail for what to include and tailor these to your organisation’s risk tolerance levels.
As well as the NCSC’s questions, NIST 800-161 is another useful resource. For due diligence, the second stage, ‘Assess’, offers in-depth advice on questions to ask your suppliers.
Remember, too, that a TPRM framework is not about trying to catch your suppliers out or find flaws in their approach to security.
In our experience, the most successful third party security risk management programmes are built on the concept of mutual assurance. By helping your supplier to improve their security and, in turn, committing to enhancing your own security posture, both companies will benefit in the long term.
- Evaluation of supplier responses
Now, you will have responses from your suppliers regarding their security arrangements. You should review these responses and compare them against your pre-defined levels of risk tolerance.
We advise taking a case-by-case approach to this evaluation. A supplier, for example, that provides you with office supplies and does not have access to your IT systems or data will need to put in fewer controls than a provider of financial software.
Then you can ask the most critical or high-risk suppliers to undertake the appropriate mitigation work so that they reach a level of risk tolerance you deem acceptable.
In the long-term, you should aim to make this process become business as usual and embed it into the procurement process so that security is considered from the outset when reviewing and onboarding suppliers.
- Continuous review; the TPRM lifecycle
Your risk management programme is, as noted, a cyclical activity, meaning you should re-assess supplier risk profiles regularly. In particular, if your supplier reports a change to its IT systems or business processes, we advise revisiting the due diligence process.
Harnessing third party risk management software
Given the complex and vast nature of today’s supply chains, using paper-based tools and spreadsheets to keep track of dynamic, ever-changing supplier relationships can prove ineffective and error-prone.
To that end, we are seeing more organisations turn to third party risk management solutions that make the supplier security assurance process seamless and intuitive. Rather than becoming an expert on third party risk management, you can lean on these tools to guide you through the TPRM process while also making the process much easier for your suppliers.
At Evalian, we have developed SupplyIQ as an online third-party risk management dashboard to simplify and improve supplier security. Supplier assessment, risk identification, risk rating and supplier security improvement activity can all be managed through SupplyIQ, enabling you to streamline your vendor onboarding process and shorten your sales cycles – all while enhancing cyber security.
Need help?
Contact us if you’d like help with improving your approach to supply chain security. To learn more about the subject and for more in-depth advice, download our free Guide to Supply Chain Security.
