Editor’s note: The following is a sponsored blog post from OneTrust.
Managing third parties is more than a one-time assessment. It’s a relationship that must be managed throughout the third-party management (TPM) lifecycle, from screening, onboarding, assessment, risk mitigation, monitoring, and offboarding.
There are areas for automation throughout the lifecycle that can help your organization streamline workflows and scale their TPM program, saving time, resources, and reducing risk.
Why does the TPM lifecycle matter?
As security and risk management teams spent the last year adapting to rapid digital transformation in the wake of increased, large-scale, successful cyberattacks, TPM has become a key focus for organizations. Security teams are receiving board-level pressure to implement management programs, causing them to assess all aspects of their TPM lifecycle.
When given a closer look, the importance of the role that the third party and third-party risk assessments play in maintaining a strong security posture across the organization is magnified. Despite the vendor ecosystem being critical to mitigating risk throughout an enterprise, many organizations aren’t appropriately assessing their third parties (and in some cases, aren’t at all).
As a result, security teams — unless they own TPM — have little visibility into their organization’s third-party ecosystem, how they’re used, and what measures those third parties have in place to protect their data. This leads to an increased risk in cybersecurity, privacy, ethics and compliance, and environmental, social, and governance (ESG) concerns. So, where should organizations start when pivoting to a TPM program built around holistically understanding the lifecycle?
TPM programs and lifecycle
Organizations must have clear visibility into their vendor ecosystem, and it starts with having a strong working knowledge of the TPM lifecycle.
The TPM lifecycle is a series of steps that outlines a typical relationship with a third party. TPRM is sometimes referred to as “third-party relationship management.” This term better articulates the ongoing nature of third-party engagements. Typically, the TPM lifecycle is broken down into several stages. These stages include:
- Third-party identification and screening
- Evaluation & selection
- Risk assessment
- Risk mitigation
- Contracting and procurement
- Reporting and Recordkeeping
- Ongoing monitoring
- Third party offboarding
Phase 1: Third Party Identification and Screening
There are many ways to identify the third parties your organization is currently working with, as well as ways to identify new third parties your organization wants to use. To identify third parties already in use and build a third-party inventory, organizations take multiple approaches, which include:
- Using existing information
- Integrating with existing technologies
- Conducting assessments or interviews
- Leveraging external risk ratings data
Many organizations screen third parties against sanctions lists and other sources at this point to determine if there are any ethical or compliance concerns that would make the relationship too risky to start.
- Using this information, you can identify unique risks that vendors may pose to your organization and align an appropriate assessment and/or monitoring approach that is better aligned with the inherent risk of the relationship. Not all third parties are equally important, which is why it is critical to determine which third parties matter most. To improve efficiency in your TPM program, segment your third parties into criticality tiers.
Phase 2: Evaluation and Selection
During the evaluation and selection phase, organizations consider RFPs and choose the third parties they want to use. This decision is made using many factors that are unique to the business and its specific needs.
Phase 3: Risk Assessment
Third-party risk assessments take time and are resource intensive, which is why many organizations are using a third-party risk exchange to access pre-completed assessments. Others have focused on automating what once were manual tasks across this portion of the lifecycle. Either way, the primary goal of understanding the risks associated with the third party is the same. These assessments leverage automated risk flagging to identify issues based on third party responses.
When considering a TPM program, many organizations immediately think about cyber risks, but TPM entails so much more.
Phase 4: Risk Mitigation
After conducting a control assessment, risks can be calculated and mitigation can begin. Common risk mitigation workflows include the following stages:
- Risk flagging and score designation
- Evaluation of risk against your organization’s risk appetite
- Treatment and control validation in the scope of your desired residual risk level
- Continual monitoring for increased risk levels (e.g., data breaches)
When a third-party risk is flagged, automatically assign a risk owner to oversee remediation actions. Then, provide remediation advice within any delegated tasks based on regulations, standards and frameworks embedded into your TPM lifecycle.
Phase 5: Contracting and Procurement
Sometimes done in parallel with risk mitigation, the contracting and procurement stage is critical from a third-party management perspective. Contracts often contain details that fall outside the realm of TPM. Still, there are key provisions, clauses and terms that TPM teams should look out for when reviewing third party contracts.
Phase 6: Reporting and Recordkeeping
Building a strong TPM program requires organizations to maintain compliance. Maintaining detailed records in spreadsheets is nearly impossible at scale, which is why many organizations implement TPM software. With auditable recordkeeping in place, it becomes much easier to report on critical aspects of your program to identify areas for improvement.
A TPM program can automatically schedule reports to quickly generate and share key details with critical stakeholders. Additionally, use metrics as automation triggers. For example, when a new high risk emerges, automatically send a notification to the appropriate stakeholder.
Phase 7: Ongoing Monitoring
An assessment is a “moment-in-time” look into a third party’s risks; however, engagements with third parties do not end there – or even after risk mitigation. Ongoing monitoring throughout the life of a third-party relationship is critical, as is adapting when new issues arise. There is a growing field of risk data providers that can greatly enhance real-time monitoring of your riskiest third parties.
Additionally, use contract or security certifications expirations as automation triggers, such as when a third-party security certification expires, automatically trigger an action (create a new risk, send a reassessment, or notify a stakeholder). The same can be said of detected third-party breaches and sanctions.
Phase 8: Third-Party Offboarding
A thorough offboarding procedure is critical, both for security purposes and recordkeeping requirements. Many organizations have developed an offboarding checklist for third parties, which can consist of both an assessment sent internally and externally to confirm that all appropriate measures were taken. Critical, too, is the ability to maintain detailed evidence trail of these activities to demonstrate compliance in the event of regulatory inquiry or audit.
Those who have an ability to leverage data, automate manual tasks and set risk appetites will have an advantage over their peers in the next two to three years, enabling risk-based business decisions at speed.
More About OneTrust
The OneTrust Third-Party Management solution makes it easier to confidently work with third parties by reducing blind spots across trust domains, enabling greater time to value when onboarding new third parties, enhancing business resilience with ongoing monitoring, and embedding data-driven decision-making into the third-party lifecycle.
Learn more about OneTrust’s Third-Party Management solution and how it can help your business build trust by requesting a demo.