This is part two of a two-part series created in response to an increasing number of member requests for foundational concepts that support Boards and executive managers as they work to define, design and implement evidence-based Third Party Risk Management (TPRM) programs. This second part provides starting-point approaches and essential focus areas for an organization just beginning to implement a TPRM program from scratch.
At the TPRM program level, the key program activities required for robust program development within an organization are:
- Build a Core Team: Establish a core TPRM team that will be responsible for driving all of the key initiative steps listed below, for documenting the organization's third party risk management policy, for building an initial organization structure, and for architecting a third party solution adapted to the organization's operational structure (i.e., centralized versus de-centralized). Which additional functionality is required, and whether it will reside within the core team or be implemented through staff augmentation, can be determined as the team's plans evolve. Note that management's support of the program through the hiring of qualified individuals at the core team level demonstrates key senior-level commitment to the program's success.
- Complete a Full Inventory: Seek detailed information to build a complete inventory of all third and fourth parties from, at minimum, the Procurement, Accounting, International Operations and Legal departments. While on the surface this appears to be a straightforward exercise, it often takes an extended period of time, and new vendors may be discovered well into the program implementation phase. Fourth parties (subcontractors of third parties) can be captured as part of the inventory building process or at a later stage; however, they must be recognized as a critical component of the overall program. Key fourth party focus areas include those firms that have access to confidential outsourcer information through third parties, or that have connectivity directly into third party networks where outsourcer confidential information may reside. Implementing a process to capture new third parties as contracts are signed is an important element for keeping the inventory up to date.
- Define a Repository for Contracts Administration: This database is usually held under the supervision of the Procurement function and may already exist. However, it may not cover all contracts, and it therefore takes time to research and compile a complete repository database.
- Define a Standard Contract Template: This template must include, among other clauses, a 'right to audit' clause that ensures the outsourcer's ability to perform a security assessment of its third parties. The Shared Assessments white paper "Building Best Practices in Third Party Risk Management: Involving Procurement" discusses sample contract clauses in more detail.
- Define a Security Requirements Appendix: This will be a mandatory attachment for the standard contract template that will address specific company security requirements that third party service providers must meet.
- Identify a Business Unit Vendor Relationship Manager (VRM) for each Third Party: This individual will be responsible for acting as the interface with the third party for all communications, for ensuring third party performance commitments are met, and for maintaining the overall health of the relationship. This role includes managing identified issues through remediation, handling any new requirements, and providing project oversight.
- Identify a TPRM Risk Management Software Platform: Options include leveraging a common system with Procurement for contracts and third party inventory management or using a separate Governance, Risk and Compliance (GRC) platform. Key components include automated capture of assessment questionnaire responses from third parties and leveraging (as available) automated tools to be used in the review of submitted questionnaires.
- Develop TPRM Training Materials: These should be tailored for each of the key stakeholders in the company and used and updated on an ongoing basis. These materials and associated trainings raise awareness and ensure proficiency in program execution.
- Develop a Third Party Risk Categorization Process: This is required in order to define, identify and document the risk associated with each of the organization's third parties, as not all represent the same risk to the company, and to ensure that those third parties that represent the highest risk are addressed first and in the greatest depth. The resulting risk category determines how frequently risk assessments are performed and what type of continuous monitoring should be implemented.
- Develop or Leverage an Existing Issue Management System: This will serve as the repository of all identified third party issues, including the tracking of remediation plan status, as well as documentation of any risk acceptances signed off by the business where remediation will not occur.
- Implement the TPRM Program in Phases: Initially, focusing on program implementation for new third parties being onboarded allows the organization to ease into the implementation process and limits the growth of non-compliant, high-risk third parties within the organization. After this has been accomplished, establish a periodic assessment process for all existing third parties to bring them in line with TPRM program requirements.
The recommendations in these two articles can be used as a foundational outline for building a TPRM program work plan for your organization. As you implement and track the impact of your program, you can respond to changes in your organization's risk tolerance and strategies, and respond with greater agility to changes in the regulatory and industry environment as it evolves.
Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program, has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair, and has a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.