How to start a third-party risk management program: Implementing effective processes

Put your program into action with effective implementation

Katrina Dalao
Sr. Content Marketing Specialist, CIPM
July 11, 2023


Managing third-party risks involves multiple stakeholders — InfoSec, privacy, procurement, finance, legal, and many other teams may need to regularly interact with third parties. This makes it even more important to build a third-party risk management (TPRM) program that’s user-centric and easy to implement.

“I've been at companies where different teams, whether it's legal, privacy, or security, built a process that addressed all their needs and worked for them. But they didn’t think about the experience of the user — the employee, the procurement team, or whoever has to participate in the process. That ends up with a very convoluted and confusing process people don't want to use,” says Ruo Xie, VP of Source to Pay at OneTrust. “It has to be easy for the end-user to understand. They have to want to use it.” 

In this article, we bring you advice from six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies on how to implement a TPRM program across your organization. This is the third post in our series on building a TPRM program.  

Download our InfoSec's guide to Third-Party Risk Management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.


What tools do you need to start a TPRM program? 

Organizations with existing GRC programs often don't need a big investment to start their TPRM program. In many cases, existing tools and resources can be leveraged to manage third-party risks. 

For example, you can start with your GRC platform and build some of the functionality yourself or use a risk management solution to facilitate third-party scoring. While these won’t deliver the full capabilities needed in more mature TPRM programs, they can populate some of the data you need to kickstart your TPRM program.  

“If your goal is to build the capability from scratch and don't have a ton of resources, you just have to onboard using what exists in the environment today,” explains Matthew Solomon, VP of Technology and Cyber Risk Management at Humana. 

“However, if your goal is to create really robust capabilities and a lot of the organization's procurement decisions hinge on the vendor’s cyber risk rating, then you probably need new or add-on capabilities to your existing tools that can seamlessly gather the required vendor risk data, analyze it, and then report on results in a way that helps the ultimate decision-maker.”

Return on investment is another consideration when it comes to TPRM tooling. Can one person do the job, or do you need three people to do it? As more third parties are onboarded, a centralized tool may actually lower staffing costs and make the TPRM process easier, faster, and more scalable in the long run. Teams also won’t need as much formal training because they’re able to leverage the guidance within the tool. 

“If we can automate what’s needed from a security or privacy posture perspective, we shouldn't need a human to review it. The only time a human should be required to come in is if it deviates from the requirement or needs a business decision,” adds Xie. “Automation saves time and allows the security team to focus on the riskier, more complex vendor reviews.”


Do you need a dedicated TPRM team?

Security is just one part of the whole third-party management process. TPRM programs also deal with contract reviews, assessments, and other due diligence activities. 

“A lot of risk professionals have a ‘Swiss Army Knife’ breadth of security knowledge. Not super in-depth in any one area, because they have to piece everything together, but they know enough to ask the right questions,” shares Tim Mullen, Chief Information Security Officer at OneTrust. 

“If there are certain questions — for example, about API keys or personally identifiable information (PII) data — it will involve a more formalized review that brings in our architecture team. So not only do you need risk-based individuals, sometimes you need technical individuals to have those more deep-dive conversations.”


"You absolutely will need new resources for a TPRM program. It’s a huge time suck. You're reviewing contracts and agreements, you're talking to legal, you’re talking to privacy... Even with technology, it's going to take you time. But without technology, it's going to take you a ton of time."

—Jose Costa, Sr. Director of GRC Labs at OneTrust


There are two main resourcing paths an organization can take: building partnerships and allocating resources from existing teams, or hiring new individuals dedicated to TPRM.

“If your goal is deep engagement with your vendors to understand and remediate related risks, then your resourcing approach probably involves hiring people with contracting and negotiating skills to help develop an information security agreement. Someone with deep cybersecurity expertise who can look at vendor controls and draw useful conclusions about whether or not those are appropriate. And someone with a program management or communications background who has the ability to really affect the outcome of vendor relationships in a way that effectively manages risk,” advises Solomon. 

“Ultimately, resourcing success depends on your ability to package all that information into a presentation to get the right funding and be able to compete for the scarce talent that can do the work effectively.”


How do you implement a TPRM program throughout your organization?

TPRM implementation is a different experience in every organization. It depends on the types of third parties contracted, their access to internal data, any legal or regulatory requirements, and how different the new program is from any existing third-party management.

“I look at the overall experience. What do employees experience when they go through this process? And what do we, from the security professional side, have to do to protect OneTrust?” explains Xie. “Finally, how much can we automate so we achieve those two things with as few touch points as possible for the employee, and for the security, privacy, and compliance teams?” 

Aside from building an automated and intuitive process that only involves teams when necessary, providing adequate documentation and training is also critical to TPRM success. 

“We do roadshows, we have a distribution list for emails, and we have different support channels — a general channel, a procurement support channel, an accounts payable channel, etc.,” says Xie. “We also built a home page that guides people through the TPRM process, includes important links, and shares our procurement policies to give a little bit more coverage. For our high-use teams that work with vendors a lot, we provide training on how to go through the process, what to expect, and who to contact.”


The path to managing third-party risk 

Even the best-laid TPRM plan can fail without proper implementation. To onboard your organization to a new TPRM program, put together the necessary tooling, assemble a dedicated team, and provide sufficient training so that all stakeholders can help safeguard against third-party risk. 

