Managing 3rd Party Risk – The View Depends on Where You Sit
The sheer volume of third parties and suppliers that corporations now engage has produced an unduly complex system of vendor security assessments. Additionally, more stakeholders, especially Senior Management and Boards, require insight into the risks and vulnerabilities that come from using outside suppliers. With different performance demands, varying regulatory obligations, and diverging levels of risk tolerance, transparency and reporting can become a large administrative burden.
Despite the overhead, the quantified analysis and insights generated from vendor security assessments are relied on throughout the organization to reduce risk and support sound decision-making. But the use of that data varies considerably across organizational roles.
The Three Levels of Reporting in Vendor Risk Management
Detailed Data for the Risk Team. The rubber meets the road with the corporate security and GRC teams. Those on the front lines of risk management are required to review hundreds of responses across their vendor ecosystem with a fine-tooth comb. It’s crucial for them to be able to view vendor risk by question and by risk objective (e.g. does a vendor lack security policies), and to identify trends across the company (e.g. what % of vendors have a third-party pen test). Granular reporting helps identify risks on a vendor-by-vendor basis as well as at the company level. When vendors respond, their answers need to be scored so the risk team can see every situation where a vendor is not compliant, and assign a remediation action to resolve it. The large number of vendors and remediations typically in play mandates careful notes on status, and an automated way to stay on top of both specific resolutions and cross-ecosystem trends. This ever-growing workload keeps security and GRC professionals in most organizations stretched.
Summary Reporting for the Managerial Team. Both line-of-business and security leaders need a consolidated view of that granular data with regard to the collective vendor ecosystem. Simply put, they need the answer to “what's our score?” to make educated, fact-based decisions about how much risk is acceptable in the context of the business return. The security and GRC teams get tasked with summarizing and presenting the right amount of high-level information to these leaders, while being able to access the drill-down if and when it’s requested. The additional complexity for leadership comes from keeping the risk assessment program performing well, and even justifying its existence and structure. That involves attracting, developing and retaining the best talent, and demonstrating the value of the Third Party Risk Management (TPRM) program to the top level of the organization. And that requires data.
Strategic Insights for the Board. The senior executive team and board-level leaders own responsibility for setting the company’s risk appetite. The regulatory, legal and reputational buck stops with them, so they demand clear, reliable and current insights into where their business risks and vulnerabilities lie. With no time (and usually no patience) for details, they expect top-level data snapshots presented in business context. They also own the decision to fund, defund or revamp the organization’s TPRM program, imposing accountability on the business and security leaders who own it, so those leaders had better get it right.
Privva delivers accurate insights for each role at the right reporting level
From risk scores to remediation, Privva delivers the targeted layers of reporting for all of those organizational levels.
Founded and built by experts in security and risk management, our first-hand knowledge of TPRM challenges is reflected in our rich yet simplified platform. For example, Privva’s extensive, easily configurable question library means you have flexibility to create inherent risk questionnaires that map to your unique requirements. Privva also offers a premade risk tier calculator for clients who need a jump start. On Privva, you can catalog your entire vendor inventory, adding demographic information and relevant security files as necessary.
We provide a risk score for every assessment question so you can create a remediation ticket for every issue found, then track its status. Because a vendor’s attestation of a fix may not always include documented proof, Privva’s centralized platform provides an audit trail of communication for an extra level of assurance.
The real elegance lies in our comprehensive dashboard and reporting capabilities. Look at dozens of risk indicators, rolled up or drilled down to the specifics. Meta-tag particular kinds of issues to identify gaps and risks across your entire vendor set, then set risk thresholds by vendor criticality around well-defined data access. That also helps the GRC team troubleshoot the quality and efficacy of your vendor questionnaire.
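The three reporting levels described above, as an added example that is not Privva's code or API: a constructed question library scores each vendor's answers, rolls findings up into ecosystem trends by risk objective, applies a minimum score per vendor criticality tier, and reduces everything to the single board-level number. All questions, weights, tiers and vendor responses are constructed for illustration.

```python
# Added example, not Privva's code or API; all data below is constructed.
from collections import Counter
# Constructed question library: id -> (risk objective, weight, compliant answer)
QUESTIONS = {
    "Q1": ("Security policy", 3, "Yes"),
    "Q2": ("Third-party pen test", 2, "Yes"),
    "Q3": ("Encryption at rest", 3, "Yes"),
    "Q4": ("Incident response plan", 2, "Yes"),
}
THRESHOLDS = {"high": 90, "medium": 70, "low": 50}  # min score per criticality tier
# Constructed vendor responses: name -> (criticality tier, {question id: answer})
VENDORS = {
    "Acme Payroll": ("high", {"Q1": "Yes", "Q2": "No", "Q3": "Yes", "Q4": "Yes"}),
    "Bolt Analytics": ("medium", {"Q1": "No", "Q2": "No", "Q3": "Yes", "Q4": "No"}),
    "Cafe Supplies": ("low", {"Q1": "Yes", "Q2": "Yes", "Q3": "No", "Q4": "No"}),
}

def score_vendor(answers):
    """Risk-team view: weighted 0-100 score plus each non-compliant question (a remediation ticket)."""
    total = sum(w for _, w, _ in QUESTIONS.values())
    earned, findings = 0, []
    for qid, (objective, weight, compliant) in QUESTIONS.items():
        if answers.get(qid) == compliant:
            earned += weight
        else:
            findings.append((qid, objective))
    return round(100 * earned / total), findings

def ecosystem_trends():
    """Risk-team view across the ecosystem: % of vendors compliant per risk objective."""
    hits = Counter()
    for _, answers in VENDORS.values():
        for qid, (objective, _, compliant) in QUESTIONS.items():
            hits[objective] += answers.get(qid) == compliant
    return {obj: round(100 * hits[obj] / len(VENDORS)) for obj, _, _ in QUESTIONS.values()}

def out_of_tolerance():
    """Managerial view: vendors scoring below the threshold set for their criticality tier."""
    flagged = {}
    for name, (tier, answers) in VENDORS.items():
        score = score_vendor(answers)[0]
        if score < THRESHOLDS[tier]:
            flagged[name] = (tier, score, THRESHOLDS[tier])
    return flagged

def board_snapshot():
    """Board view: the single "what's our score?" number and how many vendors are out of tolerance."""
    scores = [score_vendor(answers)[0] for _, answers in VENDORS.values()]
    return round(sum(scores) / len(scores)), len(out_of_tolerance())
```

Note that the low-criticality vendor scoring 50 passes its tier threshold while the high-criticality vendor scoring 80 does not, which is the effect of setting thresholds by criticality rather than one flat bar.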
Then, Privva lets you export your data or integrate via API to manipulate it in whatever business intelligence tools you already use.
It’s just reality that TPRM is a complex, often onerous but necessary corporate activity. Whether you need reporting that is detailed, managerial, strategic, or all of the above, Privva provides the right information and insights to everyone across your team, lightening the administrative burden and ultimately enabling you to lower your company’s third-party risk.