How to start a third-party risk management program: Get leadership buy-in

Create a TPRM program that addresses your organization’s highest security risks and aligns with strategic objectives

Katrina Dalao
Sr. Content Marketing Specialist, CIPM
July 11, 2023


Working with third parties is nothing new for most organizations. By the time leadership decides to start a formal Third-Party Risk Management (TPRM) program, there are often multiple third-party relationships already in motion. This makes it challenging to create a TPRM program that addresses all vendors, suppliers, and other third parties, each of which poses its own risks to the organization.

To help navigate the winding road of third-party risk management, we spoke with six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies about their approach to building a TPRM program and the lessons they learned along the way.

Whether you’re working with one or 1,000 third parties, establishing a TPRM program follows these general steps: 

  1. Scope and get leadership buy-in for your TPRM program
  2. Identify and understand types of third-party risk 
  3. Implement TPRM across your organization 
  4. Maintain and monitor your TPRM program  

In this post, we cover the first step of building your TPRM program: Scoping your program and getting leadership buy-in.

Download InfoSec's guide to third-party risk management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.


How do you define the scope of your TPRM program?

While every TPRM manager wants a program that actively mitigates all third-party risks, the reality is that not all relationships need to be evaluated at the same level. It takes significant resources to perform security checks, risk reviews, and other due diligence tasks — which aren’t always available, especially at the start of a TPRM program.

Defining your program scope helps establish clear boundaries, deliverables, and timelines, and keeps the focus on efforts that deliver the highest value. 

“There are a lot of considerations, but early on, you're trying to knock out the low-hanging fruit and figure out your risk exposure based on the partners you have,” says Tim Mullen, Chief Information Security Officer, OneTrust. "We’re going to have a lot more rigor when it comes to reviewing a security or financial services vendor versus a vendor that provides us with something like paper towels or toilet paper.”

Use these questions to help set the scope for your TPRM program:

  • What are the goals of your TPRM program?
  • Do you have specific compliance requirements or deliverables (e.g., for publicly traded companies or regulated industries)?
  • What risk domains should be managed (e.g., InfoSec, privacy, financial, reputational)?
  • What is the organization’s appetite for risk?


“Start small with a minimum viable product, something that can improve the security posture right here, right now.”

—Zuzana Rebrova, Head of Third-Party Cyber Risk Management, Swiss Re


Next, take inventory of your current suppliers, contractors, partners, and other vendors, and determine which of the third parties will be included in the scope of your TPRM program.

The following questions can help determine if a third party is in or out of scope for your TPRM program:

  • What type of services are they providing?
  • What data do they have access to? 
  • Will they process or host any of your data?
  • What functions or teams rely on the third party to operate?
  • What are the costs and terms of your relationship (e.g., contractual, subscription, one-time project)?
  • Are there any integrations between your systems? 
  • Will they be embedded into your product?
  • Can they show certification or compliance with security regulations?
  • What type of risks do they pose?  
  • How critical are they to your organization?

This inventory serves as the single source of truth for the program and is the basis for categorizing third parties by risk. It is only useful while it is accurate, so it must be updated whenever a vendor contract is added, terminated, or revised; a vendor that has been offboarded but is still listed as active, or a new integration that never made it into the inventory, is a gap in your visibility.

“Third parties are just another asset you're trying to manage. And with any asset, there’s always a level of risk or a threat that comes with it,” says Kevin Liu, Senior Director of Information Security at OneTrust. 

“Identify third-party risks and understand their potential exposure and impact to the organization. Then, once you have those things, you can create an assessment process and assign a criticality to the third party.”
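The following is an added example, not code from the article or from OneTrust, that turns the scoping questions above into a small inventory model: each third party is recorded with the answers to those questions, an inherent-risk score and review tier are derived from them, and entries whose contract has lapsed while still marked active are flagged so the inventory stays current. The attribute names, weights, tier thresholds and vendor names are assumptions chosen for illustration; calibrate them to your own risk appetite.

```python
"""Third-party inventory with inherent-risk tiering (illustrative).

Added example, not code from the article or from OneTrust. Attributes mirror
the scoping questions in the post; weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Tier(str, Enum):
    CRITICAL = "critical"          # full assessment, security clauses, ongoing monitoring
    HIGH = "high"                  # questionnaire plus evidence such as an audit report
    MODERATE = "moderate"          # lightweight questionnaire at onboarding
    OUT_OF_SCOPE = "out_of_scope"  # commodity purchase, no data or system access


# Data classes whose exposure would be a reportable incident (assumed taxonomy).
SENSITIVE = frozenset({"customer_pii", "employee_pii", "phi", "payment_card",
                       "credentials", "source_code"})


@dataclass(frozen=True)
class ThirdParty:
    name: str
    service: str
    data_classes: frozenset        # data they can access; empty if none
    hosts_our_data: bool           # do they process or host it on their systems?
    system_integration: bool       # API keys, SSO, network or CI/CD connectivity
    embedded_in_product: bool      # our product depends on them at runtime
    business_critical: bool        # an outage stops a core function or team
    has_attestation: bool          # SOC 2 / ISO 27001 evidence available
    contract_end: Optional[date]   # None for a one-time project
    status: str = "active"         # "active" or "terminated"


def inherent_risk_score(tp: ThirdParty) -> int:
    """Weighted sum of the scoping answers (weights are assumptions).

    Attestation is deliberately not counted: an audit report lowers residual
    risk and can shorten the review, but it does not change how much harm a
    compromise of this vendor could do.
    """
    score = 4 if tp.data_classes & SENSITIVE else (1 if tp.data_classes else 0)
    score += 3 if tp.hosts_our_data else 0
    score += 2 if tp.system_integration else 0
    score += 3 if tp.embedded_in_product else 0
    score += 2 if tp.business_critical else 0
    return score


def assign_tier(tp: ThirdParty) -> Tier:
    """Map the score to a review tier (thresholds are assumptions)."""
    score = inherent_risk_score(tp)
    if score == 0:
        return Tier.OUT_OF_SCOPE
    if score >= 9:
        return Tier.CRITICAL
    return Tier.HIGH if score >= 5 else Tier.MODERATE


def due_diligence(tp: ThirdParty) -> List[str]:
    """Review depth per tier; attestation substitutes for part of the work."""
    tier = assign_tier(tp)
    if tier is Tier.OUT_OF_SCOPE:
        return []
    steps = ["inherent risk questionnaire"]
    if tier in (Tier.HIGH, Tier.CRITICAL):
        steps.append("accept audit report" if tp.has_attestation
                     else "full security questionnaire with evidence")
    if tier is Tier.CRITICAL:
        steps += ["contractual security and breach-notification clauses",
                  "continuous monitoring and annual reassessment"]
    return steps


def stale_entries(inventory: List[ThirdParty], today: date) -> List[str]:
    """Vendors still marked active whose contract has lapsed: the inventory
    should record them as terminated or renewed, not leave them ambiguous."""
    return [tp.name for tp in inventory
            if tp.status == "active" and tp.contract_end is not None
            and tp.contract_end < today]


# Constructed sample inventory (fictional vendors) and review date.
SAMPLE_INVENTORY = [
    ThirdParty("ExampleIdP", "workforce SSO", frozenset({"credentials", "employee_pii"}),
               True, True, False, True, True, date(2024, 6, 30)),
    ThirdParty("ExamplePay", "payment processing", frozenset({"payment_card"}),
               True, True, True, True, True, date(2025, 12, 31)),
    ThirdParty("ExampleLogs", "log analytics", frozenset({"system_logs"}),
               True, True, False, False, False, date(2025, 3, 31)),
    ThirdParty("ExampleSurvey", "marketing surveys", frozenset({"marketing_contacts"}),
               True, False, False, False, False, None),
    ThirdParty("ExampleSupplies", "office consumables", frozenset(),
               False, False, False, False, False, None),
]
REVIEW_DATE = date(2024, 7, 1)

if __name__ == "__main__":
    for tp in SAMPLE_INVENTORY:
        print(f"{tp.name:16} {assign_tier(tp).value:13} {due_diligence(tp)}")
    print("stale entries:", stale_entries(SAMPLE_INVENTORY, REVIEW_DATE))
```

Run as a script, the SSO and payment vendors land in the critical tier, the log analytics vendor is high, the survey tool is moderate and office consumables fall out of scope, matching the paper-towel contrast drawn earlier in the post. The identity provider is also flagged as stale because its contract lapsed before the review date while the record still says active. Keeping attestation out of the inherent score is the design choice worth copying: it decides how much evidence you ask for, not how critical the vendor is.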

Once the scope and other details are defined, it’s time to present the TPRM program to the leadership team.


What’s the best way to get buy-in from leadership? 

All the experts we interviewed aligned on one universal tenet: Getting buy-in from leadership is critical to the success of your TPRM program.

“Start from the top. Management needs to understand that third-party risk really matters, what the impact could be, and how it could affect the company,” says Zuzana Rebrova, Head of Third-Party Cyber Risk Management at Swiss Re.  

This involves presenting the program objectives and strategies for achieving them, as well as the business case for how a TPRM program effectively protects the organization against risks and potential losses.

Whether it’s the board, C-suite, or other key stakeholders, having top-level support goes a long way in fostering a risk culture. Leadership can not only champion the program, but also help establish governance for how TPRM activities integrate into day-to-day operations. 

“The more you coordinate and socialize your intended outcome with the leaders and stakeholders in the organization, the more you’re able to set resource levels, measure whether you're actually achieving the value you want, and structure your program accordingly,” says Matthew Solomon, VP of Technology and Cyber Risk Management at Humana.

Ultimately, TPRM is an organization-wide exercise requiring involvement from multiple teams. While InfoSec or compliance typically oversees TPRM, anyone who deals with third parties, including privacy, procurement, finance, and legal, needs to be aligned with the program and agree on their role in it.


Getting started with your TPRM program

Taking the time to plan your third-party risk management program sets you up for success in the long run. The best way to start your TPRM program is to define its scope around the highest risks and the organization's strategic objectives, then get leadership and stakeholder buy-in early so the program has the mandate and resources to address them.

