
June 21, 2016 by Bryan Strawser

8 Things to Look At When Assessing Third Party Risk
By this point, your company should know why it's important to
manage risk and invest time and money into business
continuity. What many businesses fail to realize, though, is how
vulnerable they are through the third parties and vendors they
work with: every vendor that holds your data or runs part of a
critical process extends your attack surface beyond what you
directly control.
Here is some important information that you need to be aware
of regarding third-party risk:

Most companies rely on third parties. A recent survey found
that two-thirds of all companies rely extensively on third
parties, and another 34% rely moderately on them. In fact, only
1% of all companies operate independent of third-party vendors.

Most global data breaches occur due to a vendor. An
investigation of 450 major data breaches that happened in 2013
found that 63% were a third party's fault.

We don't have a clear consensus on why this happens. A study
by the Ponemon Institute on the main causes of data breaches
found no single dominant cause: malicious attacks, negligence
and human error, and system glitches each accounted for roughly
one-third of the breaches. That means you cannot concentrate on
one cause and neglect the others; your program has to cover all
three.

It's clear that managing your third-party vendors is just as
important as managing your own internal risk. The problem is
that it's much more difficult to assess and manage the risk of
another company than your own: you don't control their systems,
you usually can't see their logs, and much of what you know about
their controls comes from what they tell you. To help you out, we
have put together eight important questions you must ask when
assessing third-party risk.

1. What Do Our Service Agreements Say?

Managing your contracts is one of the most important aspects
of managing your vendors. Avoid low-end contract management
tools: contracts stored in them are usually hard to pull, and
the data they capture is often incomplete, typically just the
headline items such as renewal and expiration dates.
Review your contracts first for the clauses that matter when
something goes wrong: how the vendor stores and secures your
information, how quickly they must notify you of a breach,
whether you have a right to audit or to request evidence of
their controls, and whether they are liable for breaches that
affect you. Continue to review these every year or two to
ensure they keep up with current security standards.
2. Are Our Solutions Intuitive For Vendors?
If your risk management solution confuses your vendors, it's
not going to produce the results you want. Your company can
figure out how to use a convoluted system, but your vendor is
managing many different clients. They're not going to have the
chance to master your processes if those processes are too
involved.
For best results, include your vendors as you implement a
third-party risk management solution. Make sure they're on board
and know how to handle everything, and you'll have a much
more reliable and efficient solution.
3. Are We Focused on the Most Important Relationships?
Before taking the time to measure the risk factors for every
single third-party vendor, you need to prioritize a bit. Managing
all of your vendors is a monumental task, so it's better to focus
on the most important third parties first. Do this by taking a
look at your most critical business processes and identifying
which third parties are closely involved in them, including any
vendor that holds sensitive data or has privileged access into
your environment. Invest most of your effort in these vendors
before branching out to the less involved ones.

4. How Do We Measure Third Party Risk?

Since many different factors lead to third-party breaches, you
need to measure every risk factor for each vendor. Your
assessment needs to include a wide variety of metrics, compiled
into a score for each third party that shows how risky or safe
they really are. Keep the inherent risk (what the vendor is
exposed to) separate from the credit you give for their
controls, so a vendor's self-reported safeguards can never hide
what is at stake. Some of your metrics should include:

How risky each vendor is as a business, including
traditional geopolitical risk factors.

The information that each vendor is exposed to.

Who has access to your information in their organization.

How your information is stored by their organization.

5. Do I Know How Each Vendor Secures Our Information?

It's not enough to know how risky your vendors are, or what
they're contractually obligated to do. You need to know their
specific controls and processes. Speak with your vendors to find
out what controls they have already implemented and how
effective they are, and ask for evidence (an audit report, a
recent penetration test summary, a description of their
monitoring) rather than taking a questionnaire answer at face
value. See if they're willing to collaborate with you to
mitigate risk even further.
Get started by having each third party cover how they handle
risk prevention, detection, and response. The conversation
should flow naturally from there.
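Items 3, 4 and 5 above describe one procedure: score each vendor on what it is exposed to, give separate credit for the controls it can show you, and work the riskiest relationships first. The following is an added example of such a scoring model, written for this page and not code from the original article or from Bryan Strawser's firm. The factor scales, weights, tier thresholds and the 70% cap on control credit are assumptions chosen to illustrate the design points (a single worst-case factor must not be averaged away; unknown controls count as absent; the weakest of prevention, detection and response bounds the credit), and the vendor inventory is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scales for the factors the article lists. The scale values and the
# weights below are assumptions chosen for this example, not a published standard.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}
STORAGE = {"segregated_encrypted": 0, "shared_encrypted": 1, "shared_plaintext": 2}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vendor:
    name: str
    data: str            # most sensitive class of our data the vendor is exposed to
    access: str          # highest level of access anyone at the vendor has to it
    storage: str         # how the vendor stores it
    criticality: str     # criticality of the business process the vendor supports
    country_risk: int    # 1 (low) .. 4 (high) business/geopolitical risk, assumed scale
    controls: Optional[Dict[str, float]] = None   # prevention/detection/response, 0..1 each


def inherent_risk(v: Vendor) -> float:
    """Risk score (0..100) before any credit is given for the vendor's controls."""
    exposure = DATA_SENSITIVITY[v.data] * ACCESS_LEVEL[v.access] / 9.0   # 0..1
    storage = STORAGE[v.storage] / 2.0
    crit = CRITICALITY[v.criticality] / 3.0
    country = v.country_risk / 4.0
    weighted = 0.4 * exposure + 0.2 * storage + 0.2 * crit + 0.2 * country
    # A weighted average can hide a single worst-case factor: a vendor with
    # admin access to regulated data is high risk whatever the other factors
    # say, so exposure alone sets a floor on the score.
    return 100.0 * max(weighted, exposure)


def control_effectiveness(v: Vendor) -> float:
    """0..1 credit for controls. Unknown controls are scored as absent, and the
    weakest of prevention, detection and response bounds the whole: a vendor
    that prevents well but cannot detect or respond to a breach gives little
    assurance."""
    if not v.controls:
        return 0.0
    return min(v.controls.get(k, 0.0) for k in ("prevention", "detection", "response"))


def residual_risk(v: Vendor) -> float:
    """Inherent risk reduced by control credit. Credit is capped at 70% because
    control claims are usually self-reported until you have seen evidence."""
    return inherent_risk(v) * (1.0 - 0.7 * control_effectiveness(v))


def tier(v: Vendor) -> int:
    """Tier 1 gets the deepest assessment and the most frequent review."""
    score = residual_risk(v)
    if score >= 60.0:
        return 1
    if score >= 25.0:
        return 2
    return 3


def prioritize(vendors: List[Vendor]) -> List[str]:
    """Vendor names in the order their assessments should be worked."""
    return [v.name for v in sorted(vendors, key=residual_risk, reverse=True)]


# Constructed sample inventory for this example; not real vendors.
SAMPLE_VENDORS = [
    Vendor("hosting-provider", "regulated", "admin", "shared_encrypted", "high", 2,
           {"prevention": 0.9, "detection": 0.3, "response": 0.9}),
    Vendor("payroll-saas", "regulated", "admin", "shared_encrypted", "high", 1,
           {"prevention": 0.9, "detection": 0.8, "response": 0.8}),
    Vendor("marketing-agency", "internal", "read", "shared_plaintext", "low", 2),
    Vendor("office-supplies", "public", "none", "segregated_encrypted", "low", 1,
           {"prevention": 0.5, "detection": 0.5, "response": 0.5}),
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE_VENDORS):
        v = next(x for x in SAMPLE_VENDORS if x.name == name)
        print(f"{name:18} inherent={inherent_risk(v):5.1f} "
              f"residual={residual_risk(v):5.1f} tier={tier(v)}")
```

Two results in the sample inventory are worth noticing. The hosting provider and the payroll service have identical inherent risk (both hold regulated data with admin access), but the hosting provider's weak detection leaves it in Tier 1 while the payroll service drops to Tier 2. The marketing agency, which holds only internal data, lands next to the payroll service because it has shown no controls at all; a vendor you know nothing about is scored as unprotected, which is the incentive you want the questionnaire to create.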
6. What Are Our Escalation and Governance Processes?
Your company has many different departments and employees
managing their own third-party vendors, so it's important to have
centralized governance for third-party risk. Typically, this is
handled by your IT or information security department. Give them
the authority to make important risk decisions, including whether
or not a vendor is too risky to deal with, and define how a
vendor issue is escalated to them. By giving a single team
ownership of the process, manageability will be simple and
accountability will be clear.

7. Do We Have the Tools We Need?

A clear risk management process with thorough assessments,
clear governance, and third-party buy-in can only be as
successful as the tools supporting it. Make sure your
organization has everything it needs to track and maintain risk
analysis data, make the workflow easy to manage, and help
your management by providing them with up-to-date,
actionable recommendations. Usually, this is handled by several
different solutions, but your best bet is finding a risk
management partner who can assist you with all three.
8. Have We Developed Processes That Enable Constant
Improvements?
Like any other business process, you need to make sure your
third-party risk management is scalable, sustainable, and open
to continual improvement. Make sure that you are constantly
re-evaluating each vendor's risk score and the effectiveness of
your program. Speak with your vendors regularly about any
potential threats to their business or yours, and bring in a risk
consultant to help you review everything once every couple of
years.
If you need assistance assessing and managing your third-party
risk, we're here to help. Make sure to secure your workplace
from internal and external threats by reaching out to us today!

Can we help you?

We've developed the Third Party Risk Management programs
used by many members of the Fortune 500, helping to reduce
their risk from disruptions many weren't even previously
monitoring. We can do the same for you.

Contact us or take us up on our offer for a free 30 minute
consultation and we'd be happy to talk further about how we
can assist you with your current challenges.

Filed Under: Business Continuity. Tagged With: Business Continuity, business continuity management, third party risk, third party risk management, tprm, vendor risk, vendor risk management