Third-Party Risk Management Part III
According to the Opus and Ponemon 2018 report, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties; in the U.S., the figure is higher at 61 percent. The report also noted that many breaches go undetected: 22 percent of respondents admitted they did not know whether they had suffered a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.
Part I covered major breaches and bankruptcy, Part II covered the drivers of risk management, and this Part III covers the alignment and governance of Third-Party Risk Management (TPRM). The series covers the following topics at a high level, to give professionals enough knowledge to design a program that is commensurate with the size, nature, and objectives of their organization.
What topics are covered in the third-party risk management series?
- Drivers of Risk Management
- Alignment and Governance
- Categorizing Vendors
- Analyzing Vendor Risks
- Monitoring Vendor Risks: The Vendor Management Organization
- Communicating Vendor Risks
- Optimization and Standards
Why do IP breaches increase bankruptcy risk?
Many organizations are not aware of it, but an intellectual property (IP) breach can be a recipe for bankruptcy.
What are the key TPRM governance considerations?
In Part II we discussed the drivers of risk management. Part III is about alignment and governance. Four considerations are essential to TPRM governance:
- Alignment of customer and provider goals
- A comprehensive inventory of third parties
- Accountability for oversight and the overall management of your TPRM Program
- Clearly defined roles and responsibilities across the organization
How does alignment support third-party governance?
Alignment –
Alignment of customer and provider goals matters most when the provider's services directly affect the customer's strategic business objectives. Governing such providers requires a well-defined contract that includes a detailed list of services, roles, and responsibilities, plus specific Service Level Agreements (SLAs) or Key Performance Indicators (KPIs) against which the provider's performance can be measured.
Why is an inventory of third parties essential?
Inventory of Third Parties –
The last thing an organization wants is a breach notification call from a third party that does not appear on its vendor list. A comprehensive inventory of every third party with which the firm has a relationship is therefore a critical step in the process, and many firms find it difficult to build. Enterprise-wide surveys, together with reconciliation of vendor data drawn from sources such as procurement, accounts payable, and access-management systems, are effective tools for building the inventory. The key control over the process is assigning a role that is responsible for managing the third-party life cycle from onboarding to termination.
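The reconciliation described above, as an added example that is not part of the original article: it normalizes vendor names (case, punctuation, legal-form suffixes) so that the same company recorded differently in each system lands on one key, then flags third parties that appear in accounts payable, the SSO application catalogue, or signed contracts but are missing from the TPRM inventory, and inventory entries with no evidence in any source. All vendor records are constructed sample data, and the three source names are assumptions about where evidence of a vendor relationship typically lives.

```python
"""Reconcile a TPRM vendor inventory against other enterprise data sources.

Added example, not from the original article. All records below are
constructed sample data; the source names (accounts payable, SSO app
catalogue, signed contracts) are assumptions about where vendor
evidence typically lives in an enterprise.
"""
import re
from collections import defaultdict

# Legal-form suffixes that routinely differ between systems for the same
# company ("Acme, Inc." in AP, "ACME Corporation" in the SSO catalogue).
# Dropping them is a heuristic: a name whose real words collide with this
# set (e.g. "Co-op Bank") would be over-normalized and needs manual review.
_SUFFIXES = {
    "inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation",
    "co", "company", "plc", "gmbh",
}


def normalize_name(name: str) -> str:
    """Canonical key for a vendor name: case-folded, punctuation removed,
    legal suffixes dropped, whitespace collapsed."""
    tokens = re.sub(r"[^\w\s]", " ", name.casefold()).split()
    tokens = [t for t in tokens if t not in _SUFFIXES]
    return " ".join(tokens)


def reconcile(inventory, evidence):
    """Compare the formal inventory with evidence from other systems.

    inventory: iterable of vendor names recorded in the TPRM inventory.
    evidence:  mapping source_name -> iterable of vendor names seen there.

    Returns (unlisted, stale):
      unlisted: dict mapping each third party seen in evidence but absent
                from the inventory to the sorted list of sources that saw it.
      stale:    sorted list of inventory entries with no evidence anywhere.
    """
    listed = {normalize_name(v): v for v in inventory}
    seen = defaultdict(set)   # canonical name -> {source, ...}
    display = {}              # canonical name -> first raw spelling seen
    for source, names in evidence.items():
        for raw in names:
            key = normalize_name(raw)
            seen[key].add(source)
            display.setdefault(key, raw)
    unlisted = {display[k]: sorted(s) for k, s in seen.items() if k not in listed}
    stale = sorted(listed[k] for k in listed if k not in seen)
    return unlisted, stale


# Constructed sample data (hypothetical vendors).
TPRM_INVENTORY = ["Acme, Inc.", "Globex Corporation", "Initech LLC", "Umbrella Data Co."]

EVIDENCE = {
    "accounts_payable": ["ACME Inc", "Globex Corp", "Hooli Ltd", "Initech"],
    "sso_app_catalogue": ["Globex", "Hooli", "Vandelay Industries Inc."],
    "signed_contracts": ["Acme Incorporated", "Initech, LLC", "Hooli Limited"],
}


def report(inventory, evidence) -> None:
    """Print the gaps a TPRM owner would follow up on."""
    unlisted, stale = reconcile(inventory, evidence)
    print("Third parties with evidence but NOT in the TPRM inventory:")
    for vendor, sources in sorted(unlisted.items()):
        print(f"  {vendor:28s} seen in: {', '.join(sources)}")
    print("Inventory entries with no evidence in any source (stale?):")
    for vendor in stale:
        print(f"  {vendor}")


if __name__ == "__main__":
    report(TPRM_INVENTORY, EVIDENCE)
```

A vendor that is paid, signed, and federated into SSO yet absent from the inventory (Hooli in the sample) is exactly the "never listed" third party the paragraph warns about; the stale list is the converse check, catching entries that were onboarded but whose relationship may have ended without offboarding.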
What roles and responsibilities are required in TPRM?
Roles and Responsibilities –
The role most often named in an organization is the business owner: the person who receives the third party's services. For example, if you ask IT who owns a given application, you will be told that the business owner is so-and-so. This role requires a deep understanding of which functions the third party performs and which data it accesses or processes on behalf of the enterprise.
In large organizations this role is performed by a contract manager or relationship manager whose primary responsibility is to control and manage third parties through the master service agreement (MSA). The MSA includes the requirements for cybersecurity, data privacy, data sharing, and risk management controls. The relationship manager is also responsible for approving the system and data access that third parties need. Alternatively, the role may be performed by administrators tasked with procurement, accounting, granting access, and similar duties.
Another important role is the legal team, which reviews contracts and manages privacy obligations through them.
What data handling controls are expected with third parties?
Data Handling –
Third-party access to an organization's private data has both compliance and security implications. Organizations must ensure compliance with applicable laws and frameworks such as HIPAA, GDPR, CCPA, and HITRUST, which means they remain responsible for data processed by third parties on their behalf. Many organizations do not have proper data handling agreements in place with their third parties (under GDPR, for example, a written data processing agreement with each processor is mandatory). The process has changed considerably over the last two years; such agreements ensure that data is transferred under appropriate legal and privacy protections and with proper information security controls.
In Part IV we will cover the next topic “Categorizing Vendors.”