Third Party Risk Management (TPRM)
November 17, 2017
A third-party vendor is an ancillary process—outside the control of your organization—that performs a function or provides a service; for example, a third-party payroll company or an IT provider. Third-party vendor breaches are still a major cybersecurity risk management issue in 2017, and are often an organization's weakest link in its cybersecurity management.
Although your organization may rely on third-party service providers, your management team carries the ultimate responsibility for maintaining an effective internal control system. Taking ownership of this third-party responsibility has become one of the biggest hurdles for organizations as more and more processes move to third-party providers.
TPRM is the process of analyzing and mitigating risks to your organization that arise from parties other than your own company. Due diligence is the process by which a vendor is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle. Having a TPRM program helps reduce the likelihood and impact of data breach costs, operational failures, vendor bankruptcy, and reputational damage. No one remembers the name of the HVAC vendor that led to the Home Depot hack; your organization holds the bag when a breach occurs to your data.
To pinpoint third-party risks, you first need to assess your current environment and develop a third-party framework based on your organization’s context—no two organizations are alike. Then develop risk stratification guidelines to highlight risks by vendor and to conduct more intense vendor assessments based on need. For example:
- Tier 1: Critical vendors (10%)—private data, plus critical systems
- Tier 2: Major vendors (40%)—private data, OR critical systems
- Tier 3: Vendors (50%)—commodities/low-risk purchases
Items to include in your vendor assessments are:
- Overall risk assessment
- Financial projections
- Insurance review
- Background check
- Legal contract review
Don’t have a TPRM program yet? Below are some suggestions on how to implement internal controls now:
- When engaging vendors, ensure your evaluation process and/or request for proposal (RFP) includes consideration for meeting your organization’s baseline internal controls standards.
- Periodically evaluate key performance indicators (KPIs) of service providers with respect to service requirements indicated in the service level agreements (SLAs).
- Request and review Service Organization Control (SOC) reports and determine whether follow-up actions are necessary.
Final takeaway—don’t decide on a vendor too early in the process. Best price does not equal best vendor; you should be focused on meeting your baseline control requirements. Employ your internal audit department or an outside consultant to audit your TPRM process. This is not a one-time deal—you must audit this critical process again and again to ensure compliance with your program and to evolve its design in this rapidly changing environment.
Got questions? Connect with an experienced Aprio advisor today.