Third-Party Risk Management programs need to support the requirements from both the Procurement and the CISO (Chief Procurement Officer and the Chief Information Security Officer). It is essential that these individuals along with their teams understand the risk that comes from vendors and their services, but for different reasons. John Tondreau (Senior Director Customer Success, ProcessUnity) and Tom Garrubba (Vice President, The Santa Fe Group, Shared Assessments Program) discussed how to balance Third-Party Risk Management processes to support both procurement and information security priorities.
Beginning by examining the Third-Party Risk process in an organization, the presenters identified the important players are in this process, . When organizations begin the on-boarding process of a new vendor or service there are a series of necessary steps taken, but the key is that both procurement and risk organizations are participating in these parallel activities because the process requires insight from both groups. Additionally, it’s important for both these groups to have an understanding of the roles and responsibilities within an organization of ongoing monitoring of vendors. Several personas exist within a TPRM Program such as the line of business, subject matter experts, vendors/ third parties, procurement, and the CISO. The goal of a program is to have all the different components and parts of the process work together in harmony.
Next, the presenters went over how the majority of TPRM Programs operate within a procurement group or a risk management function. Procurement is an important part of the vetting process of vendor risk assessment; but when it comes to IT security, risk management programs can contribute their knowledge on risk. The objective is to have an integrated approach where there is communication all across the risk and procurement functions. The pros and cons of risk management and procurement balance each other out and show that they are stronger together.
Having a strong and centralized TPRM Program covers more than just information security issues – risks extend far beyond just that. When an organization is working with a third-party, it should be positive that the third-party is taking certain risks into consideration such as compliance, privacy, the ‘nth’ party, identity, and financial risk. The vendors one works with are an extension of their organization, so it’s best to make sure they comply with policies, procedures, and know how to properly handle data. It is also important to take into consideration the identity the vendor one is working with as well as monitoring the safety and security of data down the supply chain of multiple parties.
Another aspect of risk to be considered is business continuity. Do the vendors have proper continuity plans in place in the event of a disaster or pandemic? Many organizations question the resilience of these plans, which is why it is important to understand that this continuity can be tested by looking at the geography, concentration, and corruption risk.
In conclusion, a strong TPRM Program comes from a united and cohesive procurement and risk management team. The collaborative efforts from both groups will improve the relationship between an organization and its vendors, and develop solid plans for promoting better risk management and vendor relationships moving forward. The webinar recording can be viewed here.