The focus of a business’s third-party risk management (TPRM) program may look very different from one business unit to the next depending on who owns third-party risk initiatives — information security teams, legal departments, procurement teams and so on. But an evaluation of risk across any domain should tie back to the overall business context, for a complete impact analysis against the objectives that an organization is looking to achieve.
Challenges to TPRM Adoption
What are the challenges keeping businesses from implementing an infrastructure with automation to share information effectively with internal teams?
Here’s a look at what the current circumstances may contribute to the challenge:
- Most organizations have an extensive third-party dependency across their internal operations and supply chain
- The rapid need for better vendor oversight as businesses have adapted to post-digital-transformation operations
- Third-party risk management has evolved to require specialized functions and processes, unique to engaging with external stakeholders
- New, automated management functions are adopted and adapted in an ad hoc, as-needed manner
- Third-party risk management's primary function is treated solely as running vendor assessments to satisfy compliance requirements
What is the Business Context?
Before any business can implement a third-party risk management program, decision makers need to understand the use case, value and organizational need of what is being outsourced.
For instance, the InfoSec team is likely working with a wide net of vendors, from data loss protection providers to mobile device management firms, all of whom may have access to the company’s critical data. Conversely, the legal department may be working with vendors who provide digital signature capabilities or cloud-based filing resources. Those third parties, however, may also have access to critical data and pose an equal threat to the overall business if they suffer a breach or security incident. The context of how the broader business is enabled by a third party’s services or products is key to evaluating the inherent risk that any third party may pose to the business.
“You can’t do a proper assessment of a third-party without understanding how the functional (business) area is using that vendor,” said Ryan Walker, Third Party Risk Manager for AutoZone. “What you’ll find over a couple of years is that you understand how all the dots connect in that organization. You know exactly how revenue is generated, you know the different spans of business that we have, you have an unbelievable understanding of how the organization is run and put together.”
Obtaining a Desired Outcome
Once individual lines of business grasp that wider understanding of how their third parties affect the organization as a whole, they can lean into implementing the proper risk management and automation system for long-term mitigation.
Third-party risk managers like Walker are tasked with engaging vendors to understand the risk that outsourced services pose to the business, and with communicating and collaborating with internal teams to remediate findings and inform strategic business decisions. One key contributor to elevating an IT vendor assessment program into a third-party security program is an integrated IT risk management system.
In order to obtain the desired outcome, here are critical questions to ask:
- What is the business risk/value of the asset or service to be outsourced?
- What is the threshold of value/importance of the asset to achieving business goals, and how acceptable is the risk here?
- How can the IT risk management program improve how prepared you are to evaluate third-party risk?
An integrated approach to third-party risk can help inform the answers to those questions, and provides the initial context needed to properly evaluate what role a vendor may play in reducing or increasing the risk to your business. It also helps the business align on the broader risk strategy through information sharing.
Often, we focus on alleviating the burden of communicating with external stakeholders via risk assessments, but Walker points out that, “The difference between a good third-party risk and a great one is that information sharing takes place from you back to the business.”
Ongoing exchanges and transparent information sharing across adjacent risk teams, such as IT, security, and vendor management, create a more informed team that is able to make strategic decisions to enhance the business.
How Can OneTrust Help?
OneTrust provides out-of-the-box compliance content in the form of pre-seeded controls and assessment templates that clients can access and use from day one. Our in-house team of legal and security researchers tracks the latest changes across regulations, standards, and frameworks, and tailors compliance requirements and best practices into pre-configured tools that help businesses streamline time to value and reduce manual, administrative tasks.
Contact our team to learn more about how OneTrust can help streamline information gathering and remediation activities with tailored functionality and automation backed by compliance intelligence.