Third-Party Risk Management: A Comprehensive Framework for Enhancing Security and Efficiency

Published 25 March 2024

In the increasingly interconnected world of digital business, the security of supply chains is paramount. As a Lead Consultant specialising in third-party risk management, I recognise the complexity and importance of robust Cyber Third-Party Risk Management (TPRM). This blog post outlines a comprehensive framework for managing these risks effectively, leveraging best practices and the latest technology.

What Is Third Party Risk and Why Is It a Concern?

Third-party risk refers to the potential risks associated with partnering with external entities, such as vendors, suppliers, contractors, and service providers. When your organisation relies on third parties, those third-party environments become part of your extended attack surface, and can therefore introduce vulnerabilities that impact your operations, data security, and overall business health.

Why is it a concern?

  • Increased Volume: Organisations are increasingly outsourcing more services to third parties to reduce internal costs, provide efficiencies and to benefit from new opportunities provided by technology and automation. However, higher volume can lead to higher risk.
  • Regulatory Scrutiny: Regulators now closely examine how companies manage third-party risk. Non-compliance can result in substantial fines.
  • Reputational Impact: When third-party failures affect millions of consumers or lead to security breaches, the reputation of involved organisations suffers.
  • Global Impact: Information spreads globally, making local disruptions a potential worldwide issue.
  • Lack of Clear Accountability: Despite recognising third-party risk as a top strategic risk, organisations often lack clear ownership for oversight.

What Is Third-Party Risk Management (TPRM) and What Are Its Objectives?

Third-Party Risk Management (TPRM) aims to:

  • Understand the supplier landscape: Know your supply chain and create a “single source” inventory of suppliers.
  • Identify risks: Continuously identify, analyse, and control risks posed by third parties.
  • Ensure compliance: Ensure third parties comply with security standards and regulatory requirements.
  • Protect reputation: Safeguard your organisation’s reputation by managing third-party risks effectively.
  • Inform decision making: Allow the business to make risk-based decisions about which suppliers and third parties it works with, and how.

What Is a Third-Party Risk Assessment?

A third-party risk assessment helps you to understand your supplier's security practices and evaluates risks introduced by external parties (vendors, suppliers, etc.) along the supply chain. The assessment is usually in the form of a standardised questionnaire sent to a supplier during onboarding, or as part of a periodic review, then reviewed by a subject matter expert to determine risk.

An assessment helps you understand risks related to cyber security, reputation, operations, regulatory compliance, and strategic alignment. It also allows you to perform due diligence when selecting suppliers, and strengthen relationships with vendors aligned with your security goals and standards.

Best Practices for Third Party Risk Management

1. Know Your Suppliers: The Foundation of TPRM

The first step is to establish a detailed inventory of your suppliers. This process involves understanding who your suppliers are, the services they provide, and the nature of your relationship with them. A comprehensive inventory is crucial for gaining visibility into your supply chain and laying the groundwork for further risk management steps.

2. Categorising Suppliers: A Risk-Based Approach

Once your suppliers are identified, the next step is categorising, or “Tiering” them based on the risk they pose to your organisation. This categorisation should consider several factors, such as:

  • The volume of data being shared
  • Types of data shared (personal, sensitive personal, commercial, financial etc.)
  • How data is accessed/shared (network connection, FTP, onsite, email etc.)
  • The impact to your organisation should the supplier (service) become unavailable

This tiered approach helps in prioritising efforts, focusing on the suppliers who pose the highest risk.

3. Assessing Suppliers: Beyond the One-Size-Fits-All Methodology

Risk assessment is not a uniform process. It is vital to tailor questionnaires to the specific services provided by each supplier and the unique risks they present. Standardising these questionnaires, perhaps using frameworks like ISO 27001 or NIST CSF, can bring uniformity and efficiency. This approach also addresses the questionnaire fatigue many suppliers experience, faced with varied and frequent requests from multiple clients.

4. Risk Remediation: Collaborative and Continuous

Post-assessment, the focus shifts to managing and mitigating identified risks. This phase involves:

  • Prioritising and tracking risks
  • Maintaining open communication with suppliers
  • Assisting suppliers in enhancing their security posture

This collaborative approach not only mitigates risks but also strengthens the overall supply chain.

5. Continuous Monitoring: The Key to Ongoing Security

Reliance on one-time assessments is no longer sufficient. Continuous monitoring of high-risk suppliers is essential and can be achieved through:

  • External attack surface scanning
  • Data breach alert monitoring
  • Dark web activity tracking
  • Regular performance reviews, including discussions on incidents and the results of penetration tests

6. Embracing Technology: The Path Forward

To enhance efficiency in the assessment process, organisations should consider technological solutions. Utilising automation and AI can streamline processes and foster better relationships with suppliers. Moving away from traditional methods like Excel spreadsheets to more sophisticated tools can lead to significant improvements in managing supply chain risks.

How Bridewell Can Elevate Your Supply Chain Risk Management

Effective Cyber Supply Chain Risk Management is a multifaceted and ongoing process. It requires a balanced approach that combines knowledge, assessment, technology, and continuous monitoring. For organisations looking to enhance their supply chain risk management, we offer comprehensive solutions.

From assessing the current maturity of your Third-Party Risk Management (TPRM) programme to building a roadmap towards greater maturity, managing risk remediation activities, or assisting with tool evaluation, RFP, and Proof of Concept (POC) processes for onboarding a SaaS (Software as a Service) TPRM tool, we're equipped to support your journey towards a more secure and efficient supply chain.

For further information or assistance in managing your supply chain risks, Bridewell is here to guide and support your organisation's needs.