APRIL 2020

White Paper/Guide

10 Essential Steps to Streamline Third-Party Risk Management (TPRM)

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 2

Third-party risk management (TPRM) isn’t a new concept, however, recent events have brought the discipline into the forefront like never before. Organizations in all industries rely on third parties, whether they be cloud service providers, suppliers, contractors, and other vendors. Crucially, when the supply chain is interrupted, or third parties can’t deliver, there can be devastating and long-lasting impacts. In this short whitepaper, we’ll outline 10 essential steps that organizations can take to build a streamlined TPRM program.

Essential Steps to Streamline Third-Party Risk Management ( T P R M )

101

2

3

4

5

6

7

8

9

10

INTRO

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 3

PHASE ONE: ESTABLISH PROGRAM FUNDAMENTALS

1. De ine Your Risk AppetiteThe Institute of Risk Management describes risk appetite as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives.”

Risk appetites will vary from company to company, and a great way to define yours is to develop a risk appetite statement. Gartner’s Peter Firstbrook offers the following advice:“To avoid exclusively focusing on issues related to IT-decision making, create simple, practical and pragmatic risk appetite statements that are linked to business goals and relevant to board-level decisions.” Firstbrook tethers risk appetite statements directly tobusiness outcomes.

So, to understand what risk your willing to accept, first develop a risk appetite statement.

2. Rethink Your RisksThere are two common risk-related terms that you’ll hear most often associated with TPRM.

Inherent risk is often used to classify vendors based on criticality, which we’ll talk about in phase three of this whitepaper. But at the end of the day, residual risk is one of the most important metrics for any TPRM program. However, tracking residual risks can be complex and should be thought of in layers, including:

Only by drilling down to the business process level can you truly understand the risks associated with your vendors. Remember, it isn’t necessarily the vendor that presents the risk, but rather, how the vendor is used and what data is involved.

The potential risk or untreated risk without any controls in place

The risk that remains after security controls are put in placeR E S I D U A L R I S K :

I N H E R E N T R I S K :

The individual engagement for how the assets, apps, products, or

services are used

The individual business processes involved

The vendor or supplier itself The assets, apps, products, or services the vendor provides

1

2

3

4

5

6

7

8

9

10

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 4

PHASE TWO : BUILD THE FOUNDATION

3. Choose Your Standard or FrameworkThe standard that makes sense for your organization is completely dependent on your internal risk program, as well as industry, region, and other contributing factors. Many organizations will select a standard, and then customize it to meet their requirements. Some of the most common standards and frameworks used to assess third parties are:

4. Understand the Risks You Care About There are many different types of risks to consider when building your TPRM program. Companies will often classify risks to better report on the potential threats posed by a vendor. Common risk classifications include:

REPUTATIONAL

GEOGRAPHICAL

GEOPOLITICAL

STRATEGIC

INDUSTRIAL

PERFORMANCE

FINANCIAL

TRANSACTIONAL

OPERATIONAL

CYBERSECURITY

PRIVACY

COMPLIANCE

1

2

3

4

5

6

7

8

9

10

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 5

PHASE THREE: BUILD YOUR INVENTORY

5. Know Your Third PartiesThere are several ways to discover which third parties your organization works with. This process can take time, however there are tactics you can use to streamline the process.

Use Existing Information Many organizations maintain their list of service providers in a spreadsheet or database; however, these lists are often disorganized, out-of-date, and incomplete. Still, we can use this information as a starting point by bulk importing it into a central inventory. Leverage DataDiscovery to Identify Third-Party Technologies Identify the existing service providers in use by looking to existing technologies, such as CMDBs, SSO providers, contract, procurement, and other tools to pull in and centralize all information relating to service providers. Conduct Assessments or Interviews Conduct internal assessments and interviews to identify the third parties in use. Many organizations will send a short assessment to business owners across the company, such as marketing, HR, finance, sales, research and development, and other departments. These business leaders can provide valuable details on the tools in use across your organization. Leverage Self-Service Portals With a self-service portal, you can enable the business to help build your inventory. Link to the portal within your intranet or SharePoint for easy access, and use a short threshold assessment to identify vendors and gather preliminary information about the third party, such as:

1

2

3

4

5

6

7

8

9

10

• Personal information involved

• Hosting information

• Privacy Shield and other certification

• Business context

• Scope of engagement

• Vendor Name

• Expexted procurement date

• Business purpose

• Primary vendor contact (email, phone, address)

• Data type involved

• Prior security reviews or certifications, if applicable

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 6

6. Classify Your Third PartiesClassifying vendors helps streamline your TPRM program by enabling you to direct your focus to the third parties that present the most risks. To classify third parties, companies often determine the inherent risk of their vendors. To determine inherent risks, organizations will send a quick questionnaire to understand details, such as:

Using inherent risk, TPRM teams can bucket vendors into tiers, with tier one vendors usually designated as the most critical.

1

2

3

4

5

6

7

8

9

10

• Prior engagements with vendor

• Data transfers

• Location (of operation & data storage)

• Strategic value to your business

• Length of relationship

• Service provided

• Access to data

• Data type/sensitivity

• Security and privacy expectations

• Financial standing of the vendor

• Value of contract

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 7

PHASE FOUR: STREAMLINE ASSESSMENTS & DUE DILIGENCE

7. Perform Assessments and Mitigate RisksAssessments take time and are resource intensive. Instead of sending a detailed assessment via a spreadsheet, many TPRM programs are taking advantage of new trends in the market, such as:

If you opt to perform the assessment yourself, one of the primary goals is to understand what controls a vendor has in place. When critical controls (or the lack thereof) are identified), risks can be calculated, and mitigation can begin. Common risk mitigation workflows include:

At this stage, risks are flagged and given a risk level or score.

When treatment occurs, a risk owner must validate that the required controls are in place to reduce the risk to the desired residual risk level.

I D E N T I F I C A T I O N

T R E A T M E N T

During the valuation phase, organizations will determine if the risk appetite.

E V A L U A T I O N

M O N I T O R I N GAt this phase, organizations monitor risks for any events that may increase the risk level, such as a data breach.

T R E A T M E N T M O N I T O R I N GE V A L U A T I O NI D E N T I F I C A T I O N

Pre-completed assessments made available through

a Cyber Risk Exchange

Vendor chasing services to order

assessments as a service

Assessment automation technology to

streamline questionnaire completion

1

2

3

4

5

6

7

8

9

10

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 8

8. Manage Key Contract TermsContracts are often long and extremely detailed, with some aspects falling outside the realm of TPRM. Still, there are key provisions, clauses, and terms that TPRM teams should look out for when reviewing vendor contracts. Some of these include:

• Defined Scope of Services or Products

• Price and Payment Terms

• Term and Termination Clauses

• Intellectual Property Ownership Clause

• Deliverables or Services Clause

• Representation and Warranties

• Confidentiality Clause

• Disclaimers or Indemnification

• Limitation of Liability

• Insurance

• Relationship Clause

• Data Processing Agreement

• 4th Party or Subprocessor Change Clauses

• Compliance Clause

• Data Protection Agreement

• Service Level Agreements (SLAs), Product Performance, Response Times

Many TPRM professionals will extract key terms in a structured format to determine if key contractual clauses are adequate, inadequate, or missing. This “structured” and simplified tracking method makes executive-level reporting possible and offers clarity when it comes to contracts.

1

2

3

4

5

6

7

8

9

10

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 9

PHASE FIVE: MAINTAIN AND MONITOR

9. Generate Reports and Maintain Records for ComplianceTo build a defensible and audit-ready TPRM program, organizations must maintain records for demonstrating compliance. This step is often overlooked – until audits occur – and is one of the most significant aspects of a well-oiled TPRM program. Maintaining these records in spreadsheets is nearly impossible at scale. Purpose-built TPRM software can automate recordkeeping and leave you with detailed activity trails to simplify audits. With detailed records maintained, it becomes much easier to report on the things that matter most to your organization. In practice, we see organizations create dashboards that show:

1

2

3

4

5

6

7

8

9

10

• Total supplier count

• Suppliers sorted by risk level

• Status on all supplier risk assessments

• Number of suppliers with expiring or expired contracts

• Risks grouped by level (high, medium, low)

• Risks by stage within the risk mitigation workflow

• Risks to your parent organization and risks to your subsidiaries

• Risk history over time

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

10 ESSENTIAL TIPS TO STREAMLINE TPRM | 10

10. Monitor Vendor, Market, and Regulatory Changes Over TimeTPRM is far from a static discipline. With new regulations, emerging threats, high-profile data breaches, and evolving standards, organizations have their work cut out for them – which is why the industry is pushing for ongoing third-party risk monitoring. Assessments offer “moment-in-time” glimpses of a vendor’s risk posture, however, risks can drastically change at any time. Beyond cybersecurity, significant risk-changing events to monitor include:

If you don’t have a tool in place to constantly monitor your vendors, consider re-evaluating your vendors on regular schedule. This schedule may be determined based on the inherent or residual risk of the third party, on a time-based schedule, or when contracts are up for renewal.

Want to see how OneTrust Vendorpedia can help you mature and manage your third-party risk program? Request a demo today.

• Mergers, acquisitions, or divestitures

• Internal process changes

• Negative news or unethical behavior

• Natural disasters and other business continuity triggering events

• Product releases

• Contract changes

• Industry or regulatory developments

• Financial viability or cash flow

• Employee reduction

• And much more…

1

2

3

4

5

6

7

8

9

10

PHASE ONE

PHASE ONE

PHASE FIVE

PHASE FIVE

PHASE FOUR

PHASE THREE

INTRO

PHASE TWO

PHASE TWO

PHASE THREE

PHASE FOUR

About VendorpediaOneTrust Vendorpedia™ is the largest and most widely used technology platform to operationalize third-party risk, security, and privacy management. More than 5,000 customers of all sizes use OneTrust, which is powered by 75 awarded patents, to offer the most depth and breadth of any third party risk, security, and privacy solution in the market. OneTrust Vendorpedia is purpose-built software designed to help organizations manage vendor relationships with confidence and integrates seamlessly with the entire OneTrust platform, including OneTrust Privacy, OneTrust GRC, OneTrust DataGuidance™, and OneTrust PreferenceChoice™. Backed and co-chaired by the founders of Manhattan Associates (NASDAQ: MANH) and AirWatch ($1.54B acq. by VMware), and supported by a $200 million Series A funding from Insight Partners, the OneTrust leadership team has significant experience building scalable, enterprise software platforms. OneTrust is also guided by an external advisory board of renowned privacy experts and an in-house global privacy and legal research team. OneTrust is co-headquartered in Atlanta and in London, and has additional offices Bangalore, San Francisco, Melbourne, New York, São Paulo, Munich, Hong Kong, Bangkok.

To learn more, visit Vendorpedia.com or connect on LinkedIn.

DISCLAIMER

No part of this document may be reproduced in any form without the written permission of the copyright owner.

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. OneTrust LLC shall have no liability for any error or damage of any kind resulting from the use of this document.

OneTrust products, content and materials are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue. OneTrust materials do not guarantee compliance with applicable laws and regulations.

Copyright © 2020 OneTrust LLC. All rights reserved. Proprietary & Confidential.