We rely heavily on them, yet we are ignorant about the risk exposure from them. We know them, yet we do not know them when it comes to risk assessment and management. We often call them business partners, but we do not know our share in their risk universe. We are talking about vendors, suppliers, service providers and all such business partners collectively referred to as third parties.
So, what are the options for risk identification, measurement and mitigation? Based on the risk appetite and related cost appetite, there are multiple methodology, assessment and technology options for managing this risk. Some of the available options are standards, e.g., Statement on Standards for Attestation Engagements (SSAE) 16 and ISAE3402; best practices-driven programs, e.g., Shared Assessments; and integrated technology platforms from leading governance, risk and compliance (GRC) companies.
The first step in managing risk is identifying the right risk tier of the third party so that risk management efforts are commensurate with the risk exposure. One of the important aspects to consider while determining the risk tier is the inherent risk of the entire engagement with the third party. A combination of the third-party risk profile and engagement risk profile provides a much better risk-based approach for the entire third-party risk management (TPRM) program.
Once you have determined the risk tier of the vendors, then the next logical step is to determine the risk management approach commensurate with the risk tier. There are multiple risk management approach options such as contract clauses, service level agreements, dynamic risk profiling based on financial and nonfinancial data, risk questionnaires, on-site assessments, service organization controls reporting through an independent auditor, utility platforms providing shared risk profiles of third parties, and many other similar options. Effective and efficient risk management is comprised a combination of these options with a suitable technology-enabled platform to manage risk and end-to-end life cycle of the third party.
Our recent ISACA Journal article discusses the finer aspects of third-party risk management with details on available risk management options. What are the challenges you face in selecting and implementing a third-party risk management program? We look forward to your questions, suggestions and inputs on alternative approaches.
Read Vasant Raval and Samir Shah’s recent Journal column:
“The Practical Aspect: Third-party Risk Management,” ISACA Journal, volume 2, 2017.