Trends We’ve Seen
Over the past 4 years, Security Risk Advisors has been helping define, create, and manage Third Party/Vendor Risk Management Programs for clients across financial, healthcare, and security industries. In that time, we’ve observed several trends that plague organizations when it comes to organizing and publishing a Third-Party/Vendor Risk Management (TP/VRM) Program.
Trend 1: Struggle to Achieve Repeatability
One of the challenges for organizations is creating a repeatable process for determining inherent risk, assessing vendors, and monitoring vendor relationships throughout their lifecycle. This is typically a result of a new TP/VRM process or vendors are not properly managed as a result of poor vendor record keeping.
Trend 2: Lack of Ownership
These issues also relate to a secondary trend when developing TP/VRM Programs: a lack of defined ownership for TP/VRM processes. Without an executive stakeholder overseeing the program, escalation of low-level issues become tedious and lead to endless requests with third parties. Poor ownership can lend itself to further issues such as potentially leveraging non-compliant third parties for critical business processes which may expose your organization to additional risk.
With these potential pitfalls in mind, SRA has developed new functionalities to better handle the TP/VRM lifecycle including creating vendor risk profiles, developing notification workflows, and conducting vendor risk assessments. SRA has assisted clients in implementing a methodology to move organizations from a manual, decentralized process to an automated, scalable process. Through the use of GRC tools (e.g., RSA Archer, Prevalent, ServiceNow) and industry-recognized questionnaires (e.g., SIG 7) SRA has also built custom applications to develop dashboards, executive metrics, and assessment progress reports. A robust TP/VRM program is pivotal to categorize, assess, and monitor risks over an entire third-party/vendor lifecycle. As automation increases through advanced workflows, workloads are reduced for end users while also centralizing reporting functions.
Through developing multiple TP/VRM programs SRA has created a robust methodology that can be used to both mitigate risks associated with Third-Party/Vendors as well as increasing efficiencies in an existing program. The methodology has four primary components: Vendor / Risk Profiling, Assessment Planning and Execution, Assessment Reporting, and Continuous Monitoring.
What does this mean?
|Vendor / Risk Profiling Process||A vendor risk profile is a quantitative evaluation of an organization’s risk based on defined criteria. Risk profiles are derived from a set of standardized questionnaires to tier vendors based on risk level which is translated to qualitative risks based on thresholds (for example: Low, Medium, or High).|
|Assessment Planning and Execution||Vendor assessments are performed to validate that security controls are in place for an organization. Assessment execution should include the following at a minimum:
|Assessment Reporting||Assessment Reports are a culmination of the results throughout the Vendor Risk Assessment process. Reports should include gaps associated with the completed vendor questionnaire, corrective action plans, results from on-site interviews, and the review of technical scans and/or security documentation.|
|Continuous Monitoring||Ongoing monitoring of Vendor/Third-Party relationships is important when dealing with compliance and/ or legal requirements. Improved operational and security efficiency benefits of continuous monitoring include:
Current security frameworks often require a process to manage and oversee third parties/ vendors on a regular basis; implementing a defined TP/VRM process such as Security Risk Advisors’ methodology enables an organization to more effectively manage external risks while simultaneously meeting compliance requirements and providing valuable insight to senior leadership.
For more information on how Security Risk Advisors can assist in TP/VRM program development or execution, contact us at firstname.lastname@example.org.