Working with third parties is nothing new for most organizations. By the time leadership decides to start a formal Third-Party Risk Management (TPRM) program, there are often multiple third-party relationships already in motion. This makes it challenging to create a TPRM program that addresses all vendors, suppliers, and third parties — each posing its own unique risks to the organization.
To help navigate the winding road of third-party risk management, we spoke with six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies about their approach to building a TPRM program and the lessons they learned along the way.
Whether you’re working with one or 1,000 third parties, establishing a TPRM program follows these general steps:
- Scope and get leadership buy-in for your TPRM program
- Identify and understand types of third-party risk
- Implement TPRM across your organization
- Maintain and monitor your TPRM program
In this post, we cover the first step of building your TPRM program: Scoping your program and getting leadership buy-in.
Download our InfoSec's guide to third-party risk management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.
How do you define the scope of your TPRM program?
While every TPRM manager wants a program that actively mitigates all third-party risks, the reality is that not all relationships need to be evaluated at the same level. It takes significant resources to perform security checks, risk reviews, and other due diligence tasks — which aren’t always available, especially at the start of a TPRM program.
Defining your program scope helps establish clear boundaries, deliverables, and timelines, and keeps the focus on efforts that deliver the highest value.
“There are a lot of considerations, but early on, you're trying to knock out the low-hanging fruit and figure out your risk exposure based on the partners you have,” says Tim Mullen, Chief Information Security Officer, OneTrust. "We’re going to have a lot more rigor when it comes to reviewing a security or financial services vendor versus a vendor that provides us with something like paper towels or toilet paper.”
Use these questions to help set the scope for your TPRM program:
- What are the goals of your TPRM program?
- Do you have specific compliance requirements or deliverables (e.g., for publicly traded companies or regulated industries)?
- What risk domains should be managed (e.g., InfoSec, privacy, financial, reputational)?
- What is the organization’s appetite for risk?