The Third-Party Risk Management landscape has changed dramatically over the last decade. The 2008 financial collapse illustrated that even our strongest industries and institutions were at risk. We started to see more regulations for not only the physical handling of data but also cloud-based and digital data management. This really brought third-party risk management to the forefront of organizational leadership.
Over the years, the vendor risk management industry has grown and morphed to tackle the increasingly complex issue of cybersecurity along with constantly changing international regulations. We’ve also seen a rise in the Chief Information Security Officer position - what once was another role/function for the IT department is now a team of experts in most established organizations. One thing we know for sure is that these challenges are only going to get more complicated and a strong vendor risk management program is essential for the longevity of an organization.
So what is next for third-party risk management? How do we evolve as federal involvement increases and we see major breaches and hacks on a regular basis? There are a few essential elements to a successful third-party risk management program.
It’s a Program, Not a Project
Organizational leadership must stop thinking of risk management as a one-time (or once-a-year) project. It’s an ongoing program that requires ongoing monitoring. Your vendors’ practices, your business, and the requirements of your industry are constantly changing, and your third-party risk management program should reflect that. This is why tools like RiskRecon, which continuously monitor vendor data, are essential on top of assessment solutions like Privva that validate security controls. Risk management can be overwhelming, confusing, and time-consuming, so it’s tempting to knock it out in a month and then forget about it, but it should really be a constant effort within the organization. From the vendors with the most data touchpoints down to the smallest vendors with far less access to your company’s information, every vendor should be continuously assessed.
We all know that a strong relationship goes a long way in any business environment. This is especially true of your vendor relationships. In order to get your security assessments completed in a timely manner so you can effectively assess your risk, you need buy-in from your vendors. With Privva, we took the time to develop an easy-to-use platform for vendors to quickly complete their assessments and save their answers for future use. Over the next few years, vendors are going to be responsible for sharing their processes for handling data to more and more of their clients. By establishing a strong relationship early on, you can set yourself up for success and help your vendors at the same time.
Comprehensive Risk Management
The future of third-party risk management is going to be about connecting the dots and having a truly comprehensive program. A good TPRM program will include collecting security questionnaires that ask important questions about how a vendor is handling your data. Based on those questionnaires, you assign the vendor a risk rating, and leadership uses that information to make decisions about whom to share data with. But how can you check the vendor’s responses? How can you be certain that their answers are accurate? That’s where Privva’s partnership with RiskRecon comes in - to bridge the gap between security questionnaires and continuous data monitoring. Regardless of what platform you use, it’s critical to have a due-diligence process in place. Having a comprehensive, scalable TPRM program will no longer be optional as data regulation becomes a top priority for governments across the globe and breaches become more commonplace.
McKinsey reported what managing third-party risk in a growing technological climate should include:
- Segmentation and organization of vendors
- Rules-based due diligence (and evidence of third-party due diligence)
- Post-contract compliance management and transparency
- Clear guidelines for governance and escalations
- Comprehensive technology and modern tools
These elements still hold today, and we would argue that you should be able to find all of them in a single platform. Privva’s expanding partnership with RiskRecon speaks to the future of TPRM and provides one of the most comprehensive risk management programs in the industry today. Check out our round-table webinar, in which Jon Ehret, VP of Strategy & Risk for RiskRecon, and Ishan Girdhar, CEO of Privva, discuss where third-party risk management is going in the next few years.