An organisation needs to do a lot of complex and repetitive work to manage the risks it faces from the third-parties it does business with. Naturally enough, the more third-parties used, the greater the volume of work.
Like most things, there isn’t a single best way to conduct third party risk management (TPRM). Ideally, an organisation should have just a single way to do it across the board.
Familiarity with the process increases the competence of the people charged with doing it. It makes things go faster in the field. It becomes simpler to remain fit for purpose in the face of constant change. It’s easier to demonstrate its effectiveness to anyone with a need to know, both inside and outside the organisation.
This article explains the need for adopting an established framework-based approach to third party risk management covering:
- Processes and frameworks
- Third Party Risk Management frameworks
- The value of Third Party Risk Management frameworks
- Some relevant TPRM-related regulations
Processes and frameworks
Processes form the foundation of much that an organisation does in its quest to achieve its purpose. The span of applicability of those processes ranges from a single person up to the entire organisation, with the bulk usually found in groups relevant to each business function.
Some processes, possibly too many, are completely or largely performed manually in any organisation. There are many reasons why this is so: resourcing constraints, organisational and technological immaturity, the impossibility of automation, and other priorities, to name just a few.
The problems associated with manual processes are well-known and legion, including:
- High cost and low speed
- Invisibility of process steps, progress status and the currently responsible person
- Marginal policing of adherence to the process
- Little process ownership and lots of rework
- Performance of unnecessary and illogical activities because that’s what’s always been done
Other processes, probably too few, are completely or partially automated. This can address a number of the inherent problems of manual processes, but only if care is taken to optimise the activities to take advantage of the technologies available.
Automating a bad process pretty much as-is without addressing its apparent faults does not constitute progress."
There will be a common set of processes that most organisations use because they need to do many of the same things at some level. The operational similarity of these processes will likely be limited to intent because organisations will differ in many aspects. Variations will occur in such processes, with lots of divergence in the ways and means used to deliver the intent.
Certain activities, particularly those with many moving parts in terms of independent and interdependent processes, are receptive to standardisation of what they deliver and how they do it. The benefits flowing from that become available to all involved in such activities.
A generalised bundle of processes assembled for such purposes is commonly described as a business process framework. This is a collection of possibly-customisable best practices, standards and operating models designed to help achieve a specific purpose."
It’s a sophisticated form of paint-by-numbers, where all care is taken but no responsibility accepted because freedom of choice is allowed.
The automation of such processes becomes crucial as their usage increases, allowing their progress to be visible at all times and their outcomes to be delivered when needed, if not before.
Third Party Risk Management frameworks
It has been long recognised that Third Party Risk Management is one of those activities that will benefit from the availability of frameworks to help get the job done properly.
The increasing regulatory scrutiny of many organisations’ TPRM effectiveness has focussed a lot of organisational attention on such frameworks, and a number are available.
The US National Institute of Standards and Technology (NIST) provides:
- NIST SP 800-161 Supply Chain Risk Management Practices
- NIST SP 800-53 Risk Management Framework
- NIST CSF v1.1 Cybersecurity Framework.
The International Standards Organisation (ISO) provides:
- ISO 27001 Information Security Management
- ISO 27002 Information Technology Security Techniques
- ISO 27018 Code of practice for protection of personally identifiable information
- ISO 27036 Guidance on implementing ISO 27002
The Shared Assessments Program provides a TPRM framework focussed on assessment of controls for cybersecurity, IT, privacy, data security and business resilience. It also publishes a standardised information-gathering questionnaire that can enable organisations to employ a third-party risk assessment that is pre-mapped to other standards such as NIST and ISO.
The value of TPRM frameworks
Knowhow is a hard-won thing, especially for its originators. Deducing things from first principles, through insight, experimentation and persistence, is generally the domain of a very select few.
Millions can benefit afterwards, through widespread dissemination of knowhow and its adaptation in the light of new information and changing circumstances.
TPRM frameworks provide an organisation with the knowhow for managing third party risks that attend its use of third-parties in achieving its purpose."
This means the organisation won’t have to reinvent that wheel itself. A framework’s developers will also regularly update it to cover new risks, regulations and approaches. This provides the organisation with guidance about how to modify the requirements it places on its third-parties.
In turn, that knowhow helps the organisation’s third-parties themselves to better understand and manage the risks they represent. They will know what the organisation requires from them and why. They can take the necessary steps to address issues revealed by doing what the organisation requires. Both sides benefit from doing so.
An organisation’s reasonable and practical adherence to a TPRM framework should:
- Increase the maturity and reach of its TPRM approach
- Help businesses to understand the risk profile of third-parties
- Allow verification that its third-parties are meeting its risk management needs
- Reduce the burden of risk-managing the third-parties it uses
- Provide a boost to its overall risk management effectiveness
- Limit the scope and impact of threats from its third-parties to its data privacy, IT security and reputation
- Give it a fighting chance of achieving compliance with applicable regulatory regimes.
This can make a difference to the organisation's surviving or thriving, and give it an advantage over any of its competition that haven’t committed to a TPRM framework approach. It will also help businesses to nurture their third party relationships.
Some relevant TPRM-related regulations
The regulations listed below require the use of internal, control-based third party risk assessment processes to meet compliance requirements. Some also require the organisation to actively monitor their third-parties’ compliance with the regulations.
- EU European Corporate Due Diligence Act
- European Banking Authority Guidelines on Outsourcing Arrangements
- New York 23 NYCRR 500 Cybersecurity requirements for financial services companies
- UK Bribery Act 2010
- US Financial Conduct Authority FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
- US Office of the Comptroller of Currency Bulletin 2013-29: guidance for assessing and managing risk associated with third-party relationships.
Many organisations might not, or not yet, be subject to any current regulations with respect to their TPRM activities. This doesn’t imply that they aren’t subject to third party risk. It likely means the relevant regulators just haven’t got around to dealing with the matter yet.
Common sense, self-interest and a self-preservation instinct should dictate that such organisations choose to deal with their TPRM issues as soon as reasonably possible, and not wait to be forced to do so by regulatory mandate. Remember the early bird and the worm.
An organisation’s need for a TPRM framework to help it effectively manage the risk it faces from its third-parties can be calculated back-of-an-envelope style based on:
- The number of third parties it uses
- The number of TPRM-related regulations it is subject to
- How often those regulations change
- The breadth, depth and efficacy of the organisation’s current TPRM approaches.
Setting up a comprehensive approach for TPRM is made easier by the availability of a range of TPRM frameworks. These provide important guidance about what needs to be done in general, and for some specific needs like risk assessment questionnaires and information security
TPRM frameworks are generally considered to showcase industry-standard best practices. They represent the collective wisdom of many practitioners, and have a tendency to leave no stone unturned. Capitalising on that wisdom might cost, but ignoring it might cost more."
As Fastball once sang: ‘Where were they going without ever knowing the way?’. That could be generally applied to a whole lot of organisations when it comes to TPRM. A quick review of the available TPRM frameworks can help show the way.
If you would like more information about how to take advantage of a TPRM framework, or how Gatekeeper can assist with that activity, then contact us today.