
Third-Party Risk Management Part IV


According to the Opus and Ponemon 2018 report, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher, at 61 percent. The report also noted that many breaches go undetected: 22 percent of respondents admitted they did not know whether they had suffered a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.

We covered the Major Breaches and Bankruptcy in Part I, and Parts II and III were about the Drivers, Alignment, and Governance of Third-Party Risk Management (TPRM). The series covers the following topics at a high level, to give professionals sufficient knowledge to design a program that is commensurate with the size, nature, and objectives of their organization:

  • Drivers of Risk Management
  • Alignment and Governance
  • Categorizing Vendors
  • Analyzing Vendor Risks
  • Monitoring Vendor Risks: The Vendor Management Organization
  • Communicating Vendor Risks
  • Optimization and Standards

Many organizations are not aware of it, but an intellectual property (IP) breach can be a recipe for bankruptcy.

Categorizing Vendors

Vendor categorization helps determine where to focus risk management effort, based on the business value a vendor delivers and how critical its contribution is to achieving business objectives. A strategic vendor, for example, represents significant client spending and a high cost to switch, and is expected to deliver a high level of business value. Hence not all vendors require the same level of scrutiny.

In order to prioritize the risks to be monitored, it is essential to segment the vendors. The table below lists the factors that help categorize vendors. Publications by Forrester, Gartner, ISACA, and other professional organizations provide questionnaires to assist in categorizing vendors based on their criticality to business objectives.

  Factor                                      Strategic        Legacy           Emerging         Tactical
  Current Expenditure                         High             Medium or High   Low to Medium    Low to High
  Future Expected Spending                    High to Medium   Medium to High   Medium to High   Low to High
  Strategic Alignment                         High             Medium           High             Low
  Breadth of Product or Service / Dependency  High             High             Low to Medium    Low

It is essential to manage the relationship with each vendor based on the risk it poses to the organization's objectives. Below is a brief description of each vendor category:

  • Strategic vendors: They are critical to meeting the business objectives of the organization, and represent high client spending and a high cost to switch.
  • Legacy vendors: They are essential, but not critical, to meeting the business objectives of the organization, though they likely represent a high level of spending and a high cost to switch.
  • Emerging vendors: These vendors could become strategic in the future because they provide innovative features, but at present they represent a relatively low level of spending and a lower cost to switch.
  • Tactical vendors: These vendors are not critical to meeting business objectives and represent low spending.

Classifying vendors also helps the organization develop and implement controls to reduce risk. Business continuity planning and the risk resiliency program should take into consideration the risks associated with strategic vendors.

In Part II we discussed Drivers of Risk Management, and Part III covered Alignment and Governance. The four most important considerations for TPRM governance are:

  1. Alignment of customer and provider goals
  2. A comprehensive inventory of third parties
  3. Accountability for oversight and the overall management of the TPRM program
  4. Clearly defined roles and responsibilities across the organization

In Part V we will cover the next topic “Analyzing Vendor Risks.”
