- French Caldwell
Getting Started With an Effective Third-Party Management Program
When a single ship aground in the Suez Canal rattles financial markets, it's easy to attribute rising interest in third-party risk management to supply chain disruptions. And in the IT supply chain, It seems that the stakes in the battle for control of our information are ever higher. Ransomware is a seemingly unstoppable threat, and IT supply chain hacks are sponsored by advanced persistent threats (APTs), aka nation states. It’s no longer just criminal threats, many private enterprises find themselves caught in crossfire of cyberwar. These and other risks are driving corporate boards and government overseers to demand ever better third-party risk management.
Despite the cyber threats and supply chain disruptions, many enterprises struggle with advancing their third-party risk management programs from basic due diligence to true risk management. So, what can be done? Here are three suggestions for alignment, monitoring, and optimization of the third-party risk management program.
Alignment: Align third-party risk management governance to your strategic business objectives
When it comes to third-party risk management governance, there are two goals: to improve business performance and to ensure compliance with regulations and standards. Alignment of customer and service provider goals is always an important element third party governance and is even more important when the vendor is more closely tied to the customer's strategic business objectives.
The challenge for the customer is that the governance of the provided goods and services must be managed through the provider, and, therefore, it's doubly important for alignment to be maintained. Maintaining that alignment for strategic vendors essentially is the means available to ensure effective governance. The more strategic the provider, the closer the vendor management will resemble direct governance of the provider's services.
Here's another way to look at this: the greater the chance that the provider could introduce risks into the customer's business goals and objectives, the more the vendor management office will need to control the governance and compliance of the provider's services.
Monitoring: Continuously monitor third-party digital risks
Not all vendors pose high risk, but those with both high business value and high switching cost are strategic and require more in-depth risk assessment and frequent updates. With respect to digital risks, with a short time to onset for risk events, continuous monitoring is required.
Third-party risk management programs do some initial triage on vendor’s and categorize them into three risk tiers. The highest risk tier includes no more than 10% of vendors and usually much fewer than that. It may be further subdivided into levels of scrutiny required. For instance, a handful may require background checks of board members or executives to see if they are politically exposed persons (PEPs) or exposed to governmental sanctions. A significant number of vendors may require site audits.
The second tier includes 20% or fewer and the bottom tier is where most of the third parties are. Essentially the second tier are vendors that could possibly move into the top tier and deserve more frequent assessment. The bottom tier must meet basic service agreement requirements.
Optimize: Conduct assessments of and prioritize improvements to the third-party risk management program
Enterprises with large numbers of vendors cannot advance quickly from due diligence to an advanced third-party risk management program. However, identifying segmenting vendors into tiers can be done relatively quickly.
The basic segmentation above provides an excellent starting point for advancing the third-party risk management program.
Tier 1 –
High Value/High Switching Cost: These are strategic vendors. Comprehensive assessments should include vendor resilience and crisis management, the vendor's risk management program, and the risks the vendor presents to your strategic business objectives.
High Value/Low Switching Cost: Although switching costs for a given vendor low, when considering the amount of business value that will be transferred to a new vendor, in aggregate switching costs may be higher. Assess the effectiveness of the vendor’s risk management and compliance practices.
Tier 2 -- Low Value/High Switching Cost: Financial viability and qualifications that are suitable for purpose are key. Ensure there are contingency plans that can be executed in the event of disruption of the vendor’s goods and services. Frequently reassess vendor viability.
Tier 3 -- Low Value/Low Switching Cost: These vendors offer commoditized goods and services and alternatives are plentiful. However, your enterprise could be subject to reputational risks, or the vendor may not maintain necessary qualifications. Conduct thorough background checks and validate the vendor's qualifications before onboarding and at contract renewal.
To learn more, watch our on-demand webinar "Getting Started with Third Party Risk Management," featuring Archer Chief Strategy Officer French Caldwell, who discusses:
The importance of aligning third-party risk management with your organization's business objectives
How to incorporate third-party risk management within enterprise and IT risk management programs
Evaluating the capabilities of your current due diligence efforts to move towards an effective third-party risk management program
Watch Replay Now
Visit Archer Third Party Governance and Archer Engage for Vendors for more information. Contact us to speak to an Archer Expert.