Getting the right ingredients can make or break any recipe you’re making. And certain foods simply can’t exist without certain essential ingredients. You can’t make guacamole without avocados or green bean casserole without, well, green beans. In the same way, while every business will need to work out the precise details of a third party risk management (TPRM) strategy for themselves, some elements are absolutely essential to doing it right.
Whether your organization is working to develop a TPRM strategy anew, or you want to make sure the one you have is covering all the most important bases, Shared Assessments’ experts weigh in on the most important ingredients to include in order to be successful.
1. Vendor inventory
In order to fully understand the risks third party vendors bring to your organization, you first need to be clear on who your third party vendors are. That may seem like a straightforward task at first glance, but as organizations increasingly work with more and more third parties, it’s harder than ever to stay on top of what your third party network looks like.
Gartner reports that 60% of organizations now work with over 1,000 third parties, and 71% say their third party network contains more vendors now than it did three years ago. The bigger those numbers are, the harder it is to make sure you know exactly who your third party vendors are and what level of risk each one poses to you. And in fact, Ponemon research has found that only 34% of organizations have a comprehensive inventory of all their third parties.
Nasser Fattah, Senior Advisor at Shared Assessments, recommends creating a vendor inventory as an essential component of your TPRM strategy. Start with the basics, by creating a “vendor definition so that an organization has consensus as to what/whom constitutes a vendor,” says Fattah. Don’t assume everyone in your program will already be on the same page about this; write the definition down so there is no room for confusion.
Once you have your definition, you’ll know exactly who belongs in your vendor inventory, which gives you the visibility you need to assess each vendor. Fattah then recommends using the inventory you’ve created to perform risk tiering, so you can “have a risk-based approach regarding due diligence.”
2. A configuration management database
How do you organize and manage that vendor inventory and its risk tiering? You need the right tool, TPRM’s version of a cookbook.
Ron Bradley, Vice President of Shared Assessments, explains “The cookbook is used to maintain the instructions to pull all of the previous comments together. The cookbook is analogous to a configuration management database (CMDB).”
He adds “This is where all of your assets (ingredients) are referenced. The cookbook helps to describe the way in which recipes (third party relationships) are assembled, cooked, and consumed.”
Your CMDB helps you keep track of your vendor inventory and any notes and insights from the vendor risk assessments you’ve performed. And because the risk assessment for a vendor is never truly finished, having a central repository of this information helps you stay on top of which vendors’ scores are due to be revisited and lets you add new notes to the right entry as you learn more.
3. Risk assessment knowledge
How useful and accurate your risk tiering will be isn’t a given. To get it right, you need experts who understand “how to evaluate the risks associated with the third party services or products,” says Colleen Milazzo, Senior VP TPR Software Products at Shared Assessments.
There are two main points where you can get this part right: in hiring and in training. Either you hire people who already have a solid knowledge of the main risks to watch for across different types of third party relationships, or you invest in training the people you have to gain that knowledge, or you do some combination of both.
4. A documented policy
TPRM does not mean performing a vendor assessment once and being done. It’s an ongoing process that requires a consistent way of evaluating new vendors and checking in on existing ones. To make sure you develop a solid method for staying on top of TPRM, Tom Garrubba, Vice President of Shared Assessments, lists some essential ingredients: “documentation, procedures, standards, policy.”
He describes them as “those extra herbs and spices that Grandma knows keep people raving over how great a cook she is!” If you want your recipes to have flavor, you need herbs and spices. If you want your TPRM strategy to have staying power, getting a clear, documented policy into place is key.
And in many industries, it’s not exactly optional. “From an audit perspective, you MUST adhere to them and revisit them periodically to ensure the program is operating properly,” Garrubba points out.
5. A harmonious program
And finally, Charlie Miller, Senior Advisor at Shared Assessments, suggests that one essential TPRM ingredient is “collaboration and, of course, teamwork.” The importance of having skilled employees who can work together successfully isn’t specific to TPRM, but it matters just as much here as in other areas of business. Your TPRM specialists need to communicate effectively with each other, with the other departments they work with, and with all the third parties you work with.
In short, they have to be good with people, and willing to do the work of collaboration.
The Ingredients Make the Meal
Any chef knows that the quality of your ingredients is half the battle in creating a delicious meal. Make sure your team doesn’t leave out any of the essential parts of a strong TPRM program. Get these five ingredients into place, and your organization will be much safer for it.