Third-Party Risk Management is a Program, Not a Project
Third-Party Risk Management (TPRM, also called Vendor Risk Management or VRM) is now a mission-critical topic for most organizations.
Regulations are getting tighter, boards are closely scrutinizing risk, and breaches are happening more frequently. The problem is that most people don’t know exactly how to tackle third-party cybersecurity risk in a way that gives them a true sense of their exposure. Apart from the “how”, there is the time TPRM takes. It is not a one-time project you complete in a month; it takes continuous monitoring and repeated assessments. While it is easy to get overwhelmed, the good news is that there are technology solutions that take much of both problems out of the equation.
How to Implement VRM as You Grow
When starting from scratch, begin with your highest-priority vendors: the ones with the most access to your data, or access to your most sensitive data. It is not about how much money you spend with the vendor; it is about access. Questions like the ones below are a good place to start.
What security processes do we already have in place?
Are vendors handling your data in a way you are comfortable with?
Do my vendors have vendors of their own (fourth parties) that I should be concerned about?
Now that you have scratched the surface, the hard work begins.
The Hard Work: Questioning, Weighting, and Organizing Your Vendors
There are plenty of standard starting points already: published security frameworks, pre-built questionnaires, spreadsheets, and staff to maintain them. But the best TPRM programs customize the questionnaire, and the way its answers are recorded, to their specific organization. When writing the questionnaires yourself, you should also weight each answer by how much it matters to your risk level: a missing control at a vendor holding your most sensitive data should move the score far more than a missing policy at a low-access vendor. The bottom line is that every organization has a different appetite for risk, so you must consider what yours is.
Once you have a holistic understanding of your highest-priority vendors, it is time to scrutinize your broader spectrum of vendors. Make a list of everyone you have paid within the last year and order them by the access they have to your data and systems. Follow the same process you used with your high-priority vendors: send questionnaires to all of these vendors and track their responses.
Monitoring Your Vendors for Risk is an On-going Task
After you have a comprehensive view of all your vendors, it is time for continuous monitoring. At Privva, we always start with the highest-priority vendors before bringing in the rest of the third-party vendors. When doing it yourself, keep in mind that the goal is seamless monitoring of every vendor that has access to your data. Many experienced information technology professionals stop after the initial questionnaire, but continuous monitoring is where the real risk assessment happens. The way a vendor handles your data is likely changing; a questionnaire only tells you what the vendor said on the day it was answered, so to have a true sense of risk you need to keep up with the monitoring process. On top of this, a full security assessment should be repeated at least once every 12 to 18 months (more frequently for higher-touch vendors).
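The tiering, weighting and scheduling described in the two sections above (rank vendors by access rather than spend, weight each questionnaire answer against your own risk appetite, and reassess every 12 to 18 months with the highest-touch vendors first) as one worked example. This is an added illustration, not Privva's code or any part of its platform; the vendors, questions, weights, tier rules, reassessment cadence and dates are all constructed assumptions to be replaced with your own.

```python
"""Weighted vendor questionnaire scoring and access-based tiering.

Added example, not Privva's code. All vendors, questions, weights, tiers,
cadences and dates below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Access level drives the tier, not spend. Higher rank = more sensitive access.
ACCESS_RANK = {"none": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed reassessment cadence per tier, in months (12 to 18 month guidance,
# tightest for the highest-touch tier).
CADENCE_MONTHS = {1: 12, 2: 18, 3: 18}


@dataclass
class Question:
    qid: str
    text: str
    weight: int  # importance to *your* risk appetite: 1 (low) .. 5 (critical)


# Constructed questionnaire; the weights are assumptions.
QUESTIONS = [
    Question("Q1", "Is our data encrypted at rest?", 5),
    Question("Q2", "Is MFA enforced for all staff with production access?", 5),
    Question("Q3", "Do you have a tested incident response plan?", 3),
    Question("Q4", "Do you list your own subprocessors (fourth parties)?", 2),
]

# Fraction of the control that the answer says is in place; n/a is excluded.
ANSWER_VALUE = {"yes": 1.0, "partial": 0.5, "no": 0.0, "n/a": None}


@dataclass
class Vendor:
    name: str
    annual_spend: float
    access: str  # key of ACCESS_RANK
    answers: dict = field(default_factory=dict)  # qid -> answer string
    last_assessed: Optional[date] = None


def tier(v: Vendor) -> int:
    """Tier 1 = most sensitive access, regardless of how much you pay them."""
    rank = ACCESS_RANK[v.access]
    return 1 if rank == 3 else 2 if rank == 2 else 3


def risk_score(v: Vendor, questions=QUESTIONS) -> float:
    """Percentage of total control weight that is missing (0 = all controls
    present, 100 = none). An unanswered or unrecognized answer counts as 'no':
    silence is not evidence that a control exists."""
    total = 0
    missing = 0.0
    for q in questions:
        val = ANSWER_VALUE.get(v.answers.get(q.qid, "no"), 0.0)
        if val is None:  # n/a: drop from the denominator
            continue
        total += q.weight
        missing += q.weight * (1 - val)
    return 0.0 if total == 0 else round(100 * missing / total, 1)


def next_due(v: Vendor, today: date) -> date:
    """Next full assessment date by tier; never-assessed vendors are due now.
    Months are approximated as 30 days."""
    if v.last_assessed is None:
        return today
    return v.last_assessed + timedelta(days=30 * CADENCE_MONTHS[tier(v)])


def prioritize(vendors, today: date, appetite: float = 30.0):
    """Order by tier (access) first, then by risk score descending, and flag
    vendors over the assumed risk appetite or overdue for reassessment."""
    rows = []
    for v in vendors:
        score = risk_score(v)
        rows.append({
            "vendor": v.name,
            "tier": tier(v),
            "score": score,
            "over_appetite": score > appetite,
            "overdue": next_due(v, today) <= today,
        })
    rows.sort(key=lambda r: (r["tier"], -r["score"]))
    return rows


# Constructed sample vendors: the cheapest one has the most sensitive access.
VENDORS = [
    Vendor("BigCloud Co", 500_000, "restricted",
           {"Q1": "yes", "Q2": "yes", "Q3": "yes", "Q4": "partial"},
           last_assessed=date(2024, 3, 1)),
    Vendor("TinyAnalytics", 1_200, "restricted",
           {"Q1": "partial", "Q2": "no", "Q3": "no", "Q4": "n/a"}),
    Vendor("Office Supplies Inc", 40_000, "none"),
]
TODAY = date(2024, 6, 1)  # assumed "today" for the sample run

if __name__ == "__main__":
    for row in prioritize(VENDORS, TODAY):
        print(row)
```

In the sample run, TinyAnalytics sorts first despite being the smallest spend: it has restricted access, most of the weighted controls are missing, and it has never been assessed. Office Supplies scores 100 because it returned nothing, but with no data access it lands in tier 3, which is why tier is the primary sort key and the score only orders vendors within a tier.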
The Anatomy of A User-Friendly TPRM Program
A TPRM program that will actually lower risk and work within your organization includes reporting for every level, from management to the board. Each stakeholder will want to view the information through a slightly different lens: the board will want the biggest risks called out along with their potential impact, while management may just want to see at a glance where they need to remediate. On top of this, it requires the right people, in the right positions, to run the program continuously. This is why we say it is a program, not a project.
The Privva VRM Solution
At the end of the day, DIY Vendor Risk Management (done right) is expensive and time-consuming. It requires constant cultivation and can easily demand a full-time, highly skilled employee dedicated to the cause. While it is true that you can run your entire TPRM program with spreadsheets and emails, why would you? The Privva third-party risk platform is designed to take the “project” of TPRM and turn it into a robust, cost- and time-efficient program. We partner with tools like RiskRecon that bridge the gap between security assessments by providing continuous monitoring of vendors, giving you the most current view of your exposure. A good continuous monitoring tool like RiskRecon can help verify the answers you get from security assessments and, more importantly, alert you when something doesn’t match up. As scrutiny and risk grow, we expect to see this industry explode in the next 24 to 36 months and well beyond.
Connect with us today and prepare for tomorrow! Between our industry-changing partnership with RiskRecon and our intuitive VRM dashboard, Privva will make your Vendor Risk Management program robust and customized to your organization, saving you time and money.