In a recent article, Datrix partner Prevalent discusses how "it's no secret that third-party risk management can be painful". The article goes on to suggest some ways in which you can eliminate your TPRM headaches. Here’s what they had to say.
Third-party risk, coming at you from all angles
Your organisation likely gets more done today, with fewer internal employees, than ever before. This is thanks in large part to the support of external vendors, suppliers, service providers and other third parties. Of course, while outsourcing brings clear benefits, it can also present immense risk to your business.
A well-trodden path for breaches... and regulations
It’s no secret that each third party you work with increases your exposure to data and privacy breaches. Every day, companies across all industries discover this the hard way, including GE, Marriott, Target, Sprint, and LabCorp, to name just a few. The result? Lost customers, fines, penalties, credit monitoring fees – you name it. And as more third-party breaches are announced by their victims, more regulations are introduced by industry and government watchdogs, specifically calling for third-party risk assessment and/or monitoring.
The pandemic raises new questions
As if data, privacy and compliance challenges weren’t enough to keep you up at night, the coronavirus pandemic has laid bare supply chain exposures to natural disasters and other (sometimes unforeseen) disruptions in unprecedented ways. It’s forcing all businesses to absorb and adjust to the new reality of remote workforces, emergency mandates, health risks, supply breakdowns and other hurdles. How are your third-party partners managing this, and what impact is it having on your business? What’s the potential fallout to come? What policies and procedures do they have in place to handle the next challenge?
So, with businesses becoming increasingly outsourced and virtual, and the global environment becoming increasingly uncertain, how can you foresee and manage third-party risk with any level of confidence?
Third-party risk management can be painful
Doing it the hard way
In the past, most organisations took a manual approach to third-party risk management. It was chaotic, bloody, hand-to-hand combat. Armed only with spreadsheets, assessors had to barrage vendors and suppliers with questionnaires and then chase down their responses. While this was bad for the assessors, it was even worse for the vendors having to field these requests and answer the same questions from different customers; over, and over, and over. No wonder 34% of companies say it takes over a month to complete an assessment of a top-tier vendor.
Unfortunately, a recent study found that 50% of companies are stuck in the past, still relying solely on spreadsheets to manage their auditing and controls. With most enterprises working with hundreds of vendors, it would take an army of assessors using manual methods to gather third-party risk data that is complete, current or useful in any way.
Did it the hard way, but there's more to do
And that’s just the collection problem. Say you’re able to get responses from your most critical vendors. What do you do with the data? How do you score, prioritise and remediate the risks? How do you know if the responses are even accurate? Are they consistent with historical data? Do they correlate with one another? Do they correlate with what vendor exposures are already out in the wild (e.g., known data breaches, customer data on the dark web, legal actions, fines, etc.)? Are you prepared to answer these questions when the board, regulators, and all the other people who haunt your dreams come knocking? It’s stressing us out just to write this!
So, maybe you managed to collect risk data from your vendors, report it to everyone who matters, and actually do something about it. It’s not over. Everything is changing all the time. Vendors come and go. How they handle your data changes. New cyber-attacks and new security exposures surface every day. Your intelligence is already outdated. You’re going to need to do this on a regular basis.
What about Bob?
On the other hand, you may be thinking, “I don’t need to worry about this stuff. That’s [Bob] in [IT]’s problem.” By all means, send this over to Bob, but third-party risk is a challenge for several departments in most organisations. And ownership can vary, depending on who you ask. 37% of companies say information security owns it, 22% say IT, 14% say risk management, 9% say vendor management, and 6% say legal/compliance. With so many departments involved, who really owns the problem? How do you align everyone to make substantive progress in identifying and reducing vendor risk?
Managing third-party risk in a less than perfect world
In a perfect world, we wouldn’t have to worry about the “baggage” of third-party risk. Information systems would be bulletproof and seamless. Vendor staff would be robotic and loyal. Criminals and enemy states wouldn’t exist. Everyone would be friends.
It’s not a perfect world. You clearly need your vendors to get business done, but you need to be smart and aware of the risk at the same time. The reality is that vendor ecosystems are organic and unpredictable, as is the global environment. That makes third-party risk management particularly painful. At times it’s chaotic, and at other times it’s just a grind. That’s why Prevalent exists. We’re here to make third-party risk management a lot less painful and a lot more productive.
The Prevalent approach to TPRM
Prevalent is here to revolutionise how you address the risks of an increasingly interconnected, interdependent and unpredictable world. Every day, we are transforming how our customers view, manage and govern their third-party relationships. We do this by delivering community networks, services and products that enable businesses to better reveal, interpret and reduce third-party risk.
Networks: delivering instant access to vendor risk intelligence
Prevalent customers have access to a vast trove of on-demand risk intelligence for over 10,000 vendors. These libraries leverage the power of the Prevalent community to deliver historical and real-time insights into both cyber and business risks from over 200 sources. With Prevalent Vendor Risk Networks, customers quickly scale their TPRM programs with instant access to vendor risk scores and supporting reports.
For those vendors who aren’t yet in the networks, Prevalent will complete new assessments upon customer request. We’re also building new, self-service capabilities into our platforms, enabling vendors to complete and submit self-assessments that they can easily share with their own customers.
Services: doing the hard work of TPRM for you
Prevalent has been helping customers to identify, understand and reduce third-party risk for over 15 years. What started as a team of consultants, willing to ask vendors tough questions on behalf of clients, has grown into a full-service operation.
The Prevalent platform handles everything from on-boarding vendors and conducting assessments, to identifying risks and tracking remediation. You skip the hard work and get the intelligence and reports you need to focus on vendor strategy and overall risk reduction.
Products: unifying vendor management, assessment and monitoring
The Prevalent Third-Party Risk Management (TPRM) Platform unifies vendor management, risk assessment and threat monitoring to deliver a 360-degree view of risk. The platform makes it easy to onboard vendors; assess them against standardised and custom questionnaires; correlate the assessments with external threat data; reveal, prioritise and report on the risk; and facilitate the remediation process.
The path to TPRM maturity
Wherever you are on the path to TPRM maturity, Datrix can help you create a program with unmatched visibility, flexibility and scalability. We will work with you to find the right combination of platform access and managed service that works for your business. You’ll be amazed how quickly you realise a return on your investment, through improved intelligence and reduced vendor-related risk. Find out more about our third-party risk management services.
On average, Prevalent customers report an 80% reduction in vendor onboarding time and a significant acceleration in vendor assessment times.
Don’t just take our word for it, request a FREE DEMONSTRATION today.