Conversations in Risk-Based Security

Third Party Risk Management: Is it just a fancy tool?

Posted by Angela Dogan on Mar 18, 2019 2:29:00 PM

There’s a huge misconception in our industry today that a GRC platform is the be-all and end-all of Third Party Risk Management (TPRM). This is simply not true! The key to an effective, results-driven TPRM program is to take the time to lay a solid risk-based foundation. History has shown that if you just go purchase a tool without laying that foundation, the tool will not give you the results you’re looking to achieve. Regulatory bodies and industry standards are embracing this philosophy as well. The process can be tedious and time-consuming in the beginning, but once complete, the result is a mature TPRM program that is ready to be transitioned into any GRC platform.

At Lynx Technology Partners, we recommend a balanced approach that combines people, process and technology. First you need to understand the make-up of your team and the level of expertise and experience you have in-house. Do you have subject matter experts with direct experience developing and monitoring a TPRM program? Can you achieve your goals unassisted, with the aid of a trusted advisor, or do you need to consider a fully outsourced solution to manage the full Vendor Risk Management (VRM) lifecycle?

Process is also a very important element. There are 5 steps you should consider as part of your methodology and approach: pre-screen, plan, assess, mitigate and monitor.

  • Pre-screen - Understand and assess the inherent operational and jurisdictional risk to the organization prior to performing due diligence.
  • Plan - Determine the processes and methodology to be used for the execution of vendor assessments.
  • Assess - A best-in-class screening process that provides a comprehensive view of complete enterprise risk: financial, regulatory, reputational, and governance.
  • Mitigate - Dictate the mitigation activities that must be taken by both the third party and you.
  • Monitor - A periodic re-screening process that identifies changes in enterprise risk, ensures information is kept current, and confirms continued compliance with client policies.

Starting off with a somewhat manual process gives you the ability to perfect your process before investing in a tool. When you are ready, the right software solution can provide efficiencies and a polished, mature look to your overall program. Let’s face it, spreadsheets are not as pretty or professional-looking as a tool-generated report can be; however, the goal is to work smarter, not harder. So, don’t be afraid to start with spreadsheets; you don’t have to stay there for long.

Once your TPRM foundation is established, you are ready to consolidate information in a unified technology solution to effectively manage, document and report on each third-party relationship. According to Michael Rasmussen of GRC 20/20 Research, Vendor Risk Management solutions provide capabilities to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring.

Your technology solution should provide:

  • 3rd party management of onboarding, approval, due diligence, communications, assessment, evaluation, issue management, and off-boarding. This includes workflow, task management, and content management capabilities.
  • A 3rd party portal through which 3rd parties can submit and share information, take assessments, provide attestations, and complete other related requests, forms and tasks.
  • Evidence that forms a system of record and audit trail of all interactions with 3rd parties, including assessments and audits/inspections.

A mature program also has a continuous monitoring element. There are many definitions floating around of what continuous monitoring means. Here’s the Shared Assessments Program’s definition: “Continuous third-party risk monitoring is an uninterrupted real-time (or near real-time) risk management approach designed to improve awareness for an organization related to their third-party risks and potential control weaknesses as those risks emerge. This approach allows an organization to enhance its awareness of cybersecurity, privacy, technology, operational, and strategic third-party risk exposure.”

With this in mind, there are many ways continuous monitoring can be accomplished. Tools that provide real-time data feeds, and platforms that analyze the assessments performed on service providers, combined with your own ongoing monitoring efforts, can really strengthen the foundational elements of a robust and mature TPRM program.

Finally, surround yourself with the resources and guidance necessary to support your efforts. Lynx Technology Partners is a Member and Licensee of The Shared Assessments Program. The Shared Assessments Program is the trusted source in third-party risk assurance. It is a member-driven, industry-standard body with tools and best practices that inject speed, consistency, efficiency and cost savings into the control assessment process. Shared Assessments Program members work together to eliminate redundancies and create efficiencies, giving all parties a faster, more rigorous, more efficient and less costly means of conducting security, privacy and business resiliency control assessments.

If you have questions or concerns around your Vendor Risk Management Program, contact Lynx Technology Partners today to schedule a consultation with one of our Third Party Risk experts.

Topics: Third Party Risk Management