Part 1: Incorporating Continuous Monitoring into Your Third Party Risk Program: Begin with the End State in Mind

Like many organizations today, you have existing processes, tools and people laser-focused on analyzing periodic vendor security questionnaires, documentation, and on-site reviews. Moving to a continuous monitoring program can be daunting.  Our advice: Don’t focus on where to start…think about where you want to end up.  Begin with the end state in mind.

Is today the day you say, “I’m ready”?  Has the growing inherent risk associated with the number of vendors accessing your sensitive data finally convinced you of the need to do more than annual vendor surveys and assessments?  Fantastic. The next question is, “where do I start?”

Many clients ask us how to get started. And I always respond by asking them about their desired end states.  Meaning, what do they want their deliverables, metrics and processes to look like in the future?  And, can they articulate the most significant gaps in their current programs that they want to address and rectify?

Before you take that first step, let’s review some things to help you determine your end goals.  It’s these end goals that will guide you as you incorporate continuous monitoring into your third-party risk management program.

When Thinking About Third Party Cyber Security, Keep Your End Goals in Mind

Generally speaking, organizations aim to move from a manual, one-size-fits-all vendor risk process to one that is scalable and risk-adjusted.  Today, your vendor survey and risk process doesn’t scale to effectively cover all third parties (and fourth parties) and doesn’t obtain sufficiently frequent and actionable security performance metrics.  Ultimately, you want a process that incorporates all vendors and suppliers and allows you to align assessment scope and frequency with your organization’s residual risk tolerance and resources.  

Determining what a risk-adjusted vendor risk management process means to your organization depends on risk appetite, potential exposure, budget constraints, system constraints, and other resource considerations.  Therefore, when getting started, envision a risk-adjusted program that will answer these basic questions:

• Who?Which categories of vendors, suppliers, and 4th parties require coverage or more frequent coverage?
• What?Do you need separate processes for managed vendors, unmanaged suppliers, 4th parties or vendors during the proposal process?
• When?How frequently do you require updated information for each category?
• Where?Into which steps in your process is it best to incorporate this new vendor risk data? Where do you want to remove, enhance or streamline steps?
• Why?Do your defined metrics capture and assess the reasons behind this change?  For example, have you established measurements to capture the number of additional vendors under coverage, increased frequency of coverage, and analyst productivity improvements?

Getting Started with Your Online Risk Assessment 

Jumpstart your program by conducting a 90 to 180-day pilot with a set of vendors already scheduled for their annual assessment during the pilot period. During the pilot, build out your process according to the end goals you established:

• Obtain executive support to build an ad hoc team including security, sourcing, and third-party risk personnel.  It’s this team that will meet regularly, agree on key objectives and metrics, and help to evangelize the new continuous monitoring program throughout the rest of the organization.
• Establish the key pilot objectives and metrics, including impact on risk data quality and analyst productivity, remediation effectiveness, and third-party feedback.
• Select a third-party risk management provider that can provide continuous monitoring of all your third parties.  
• Train your analysts on the new continuous risk scoring data, documenting how to build this data into your vendor engagement model. Shadow your analysts to determine what worked, or didn’t work, during this initial phase and capture that feedback as well as any feedback from the vendors assessed.
• Meanwhile, gather an authoritative list of additional vendors not currently under review by your security team.  Have your third-party risk management solution begin building portfolio and vendor-level risk assessments to prioritize which vendors to engage in phase 2 of your continuous monitoring project.

Be sure to check out our next blog where we will discuss how to go from this pilot phase to your scalable, risk-adjusted program of the future.

If you’d like to explore how RiskRecon can help you kick-off your continuous monitoring program, give us a call today (781-784-2054).