Your TPRM Program: Responsibility and Accountability

January 20, 2022

  • Managing a third-party risk management (TPRM) program requires more than one person or one department – success depends on a team approach that pulls in expertise as required.
  • Try not to reinvent the wheel when creating a TPRM program. Effective ones are often based on a 10+- year-old well-proven lifecycle originally developed for the financial industry.

Part two in a series.

 

Third-party risk management solutions aren’t a one-department solution anymore. There’s no one-size-fits-all approach and it’s vital that organizations recognize how effective TPRM extends beyond a simple consideration of each third party by the procurement department. Managing third-party risk that may impact an organization’s data or information necessarily includes the whole company.

 

Organizations with a mature TPRM program may have a third-party risk or vendor management team, but many organizations do not. Therefore, there is little commonality of job titles and departments that “own” third-party risk. They may include:

 

  • Chief Information Security Officer (CISO)
  • Chief Procurement Officer (CPO)
  • Chief Information Officer (CIO)
  • Chief Privacy Officer (CPO)
  • Information Technology (IT)
  • Sourcing and Procurement
  • Internal Audit
  • Information Security
  • Risk and Compliance
  • Supply Chain Manager
  • Third-Party Risk Manager
  • Vendor Risk Manager
  • Vendor Management
  • Contract Manager
  • Legal Team

 

This list isn’t exhaustive; however, the diverse variety of titles and departments show who some organizations engage with when managing their third parties and third-party risk. As organizations and the number of third parties they work with grow, the necessity of working with and across functional areas/boundaries increases. Eventually, most areas of management within an organization will be involved in some form or other during the TPRM lifecycle.

 

 

TPRM Lifecycle

There are multiple versions of the TPRM lifecycle, but one that has proven successful over many years can still be applied today: the US Office of the Comptroller of the Currency TPRM Lifecycle (OCC Bulletin 2013-29 - published in October 2013.) Although originally developed to assist banks in practicing effective risk management (regardless of whether an activity is internal or third-party) the basic principles still apply to most organizations, with only a few enhancements required to address business data.

 

Today, instead of using the original five-step lifecycle, Optiv adds a sixth stage to specifically call out the need for off-boarding a vendor should their contract not be renewed. This step was contained in the termination phase of the OCC model but was often overlooked. Today, because of newer privacy and data protection laws, formal off-boarding of a third party with access to your data or your customer data can no longer be omitted.

 

Organizations often ask versions of the following questions:

 

  • Why do we need a TPRM lifecycle?
  • Why do so many people or teams need to be involved with managing third parties?

 

Adoption of a TPRM lifecycle approach benefits an organization because it formalizes an often-complex set of interdependent third-party management processes. Typically, these processes engage with multiple third parties that provide ongoing services or services portfolios. Assuming current outsourcing trends continue, the number of third parties contracted to a given organization will increase, and there are no signs of this trend slowing.

 

The formalized TPRM lifecycle enables an organization’s management to:

 

  • Complete appropriate due diligence activity before establishing a formal contract with a third party, and then periodically during the contract, and finally as part of the renewal cycle for long term contractual engagements;
  • Understand the third party’s risk profile and how it may expose the organization to additional risk (as well as gauging whether it’s within their risk tolerance);
  • Monitor the efficiency and effectiveness of the third party providing a contracted function;
  • Regularly monitor the contractor’s risk profile for red flags that may indicate current and potential issues threatening the organization;
  • Monitor for sudden additions to the third-party company list; this may indicate unauthorized/unapproved additions that can expose the organization to further risk. Often this is a sign of shadow-IT and may suggest more serious issues;
  • Monitor activities of the third party with the organization's data; and
  • Ensure the third party meets its contractual obligations, including secure
  • removal/destruction of any data it acquired from your organization.

 

These tasks are difficult enough even with a formalized program based on a TPRM lifecycle. If you don't use such a lifecycle, you typically won't have auditable processes to check if these tasks are being done. Imagine what your organization may be missing and what risks you may be exposed to that you don't know about.

 

 

Roles and Accountability

From this brief description of the TPRM lifecycle and the scope of activities it involves, it should be clear that an organization cannot simply assign management of third parties with access to your data to a single team or person. It requires a wide spectrum of skills, knowledge and procedures supported by enterprise-wide policies for use of third parties if it’s to work securely and effectively. This doesn't necessarily mean full-time involvement for all stakeholders involved in the TPRM program: a fully dedicated core team to keep processes running smoothly can be augmented by a virtual team that’s called on to perform specific tasks.

 

Depending on the number of third parties employed by an organization, one of the most intensive functions in the TPRM lifecycle is the due-diligence phase of selecting third parties, which is essential for assessing their capabilities and security. Many companies only consider the immediate third-party organization itself. But, just like your organization, they probably use third parties, too. Careful consideration should be given to how a potential security issue facing their providers might affect your organization. Knowing about these issues is paramount.

 

Just think about what would happen if a third party linked to your third party were targeted by a ransomware attack. This could potentially affect your third party. Could it threaten your organization too?

 

 

Conclusion

Optiv recommends a lifecycle approach to TPRM, which includes the appropriate teams across procurement, vendor management, compliance, risk, security and legal. Team composition depends on the organization, but the lifecycle has been proven to work and collaboration is key.

TECHNICAL MANAGER IN STRATEGY and RISK MANAGEMENT PRACTICE | OPTIV
Dr. Broderick is a Technical Manager in Optiv’s strategy and risk management practice and is responsible for development and delivery of multiple security assessment. security program development, and other services to Optiv clients. Having worked in the IT and Information Security industry for over 35 years, he’s deeply experienced in all aspects of information security and how it affects businesses of all sizes and in all sectors.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.