{"id":1661,"date":"2020-07-04T14:52:01","date_gmt":"2020-07-04T14:52:01","guid":{"rendered":"http:\/\/blog.einnosec.com\/?p=1661"},"modified":"2022-02-28T11:31:10","modified_gmt":"2022-02-28T11:31:10","slug":"third-party-risk-management-part-iv","status":"publish","type":"post","link":"https:\/\/blog.einnosec.com\/index.php\/2020\/07\/04\/third-party-risk-management-part-iv\/","title":{"rendered":"Third-Party Risk Management Part IV"},"content":{"rendered":"\n<p style=\"font-size:18px\">According to the Opus and Ponemon 2018 report, <strong>59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties<\/strong>. <strong>In the U.S., that percentage is higher at 61 percent<\/strong>. The report also noted that many breaches go undetected: 22 percent of respondents admitted they didn\u2019t know whether they had experienced a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.<\/p>\n\n\n\n<p style=\"font-size:18px\">Part I covered major breaches and bankruptcy, and Parts II and III were about the drivers, alignment, and governance of <a href=\"https:\/\/www.einnosec.com\/third-party-risk-management.php\"><strong>Third-Party Risk Management<\/strong> <\/a>(TPRM). The series covers the following topics at a high level, to give professionals enough knowledge to design a program commensurate with the size, nature, and objectives of the organization. 
It explores the topics below:<\/p>\n\n\n\n<ul><li>Drivers of Risk Management<\/li><li>Alignment and Governance<\/li><li>Categorizing Vendors<\/li><li>Analyzing Vendor Risks<\/li><li>Monitoring Vendor Risks: The Vendor Management Organization<\/li><li>Communicating Vendor Risks<\/li><li>Optimization and Standards<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\">Many organizations are not aware of it, but intellectual property (IP) breaches can be a recipe for bankruptcy.<\/p>\n\n\n\n<p style=\"font-size:22px\"><u><strong><span class=\"has-inline-color has-black-color\">Categorizing Vendors<\/span><\/strong><\/u><\/p>\n\n\n\n<p style=\"font-size:18px\">Vendor categorization helps determine where to focus risk management efforts, based on the business value a vendor delivers and how critical the vendor\u2019s contribution is to achieving business objectives. A strategic vendor, for example, represents significant client spending and a high cost to switch, and is expected to deliver a high level of business value. Hence not all vendors require the same level of risk management scrutiny.<\/p>\n\n\n\n<p style=\"font-size:18px\">To prioritize which risks to monitor, it is essential to segment vendors. The table below lists the factors that help categorize vendors. 
Publications by Forrester, Gartner, ISACA, and other professional organizations provide questionnaires that assist in categorizing vendors by their criticality to business objectives.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Factor<\/td><td>Strategic<\/td><td>Legacy<\/td><td>Emerging<\/td><td>Tactical<\/td><\/tr><tr><td>Current Expenditure<\/td><td>High<\/td><td>Medium or High<\/td><td>Low to Medium<\/td><td>Low to High<\/td><\/tr><tr><td>Future Expected Spending<\/td><td>High to Medium<\/td><td>Medium to High<\/td><td>Medium to High<\/td><td>Low to High<\/td><\/tr><tr><td>Strategic Alignment<\/td><td>High<\/td><td>Medium<\/td><td>High<\/td><td>Low<\/td><\/tr><tr><td>Breadth of Product or Service\/Dependency<\/td><td>High<\/td><td>High<\/td><td>Low to Medium<\/td><td>Low<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p style=\"font-size:18px\">It is essential to manage each vendor relationship based on the risk it poses to the organization\u2019s objectives. 
Below is a brief description of the different vendor categories:<\/p>\n\n\n\n<ul><li>Strategic vendors: They are critical to meeting the business objectives of the organization, and represent high client spending and a high cost to switch.<\/li><li>Legacy vendors: They are essential to meeting the business objectives of the organization but not critical, though they likely represent a high level of spending and a high cost to switch.<\/li><li>Emerging vendors: These vendors could become strategic in the future as they provide innovative features, but at present they represent a relatively low level of spending and a lower cost to switch.<\/li><li>Tactical vendors: These vendors are not critical to meeting business objectives and represent low cost.<\/li><\/ul>\n\n\n\n<p style=\"font-size:18px\">Classifying vendors will also help the organization develop and implement controls to reduce risk. The business continuity function will take the risks associated with strategic vendors into consideration in its continuity planning and risk resiliency program.<\/p>\n\n\n\n<p style=\"font-size:18px\">In Part II we discussed Drivers of Risk Management. Part III is about Alignment and Governance. 
The four key considerations for TPRM governance are:<\/p>\n\n\n\n<ol type=\"1\"><li>Alignment of customer and provider goals<\/li><li>A comprehensive inventory of third parties<\/li><li>Accountability for oversight and the overall management of your TPRM Program<\/li><li>Clearly defined roles and responsibilities across the organization<\/li><\/ol>\n\n\n\n<p style=\"font-size:18px\">In Part V we will cover the next topic, \u201cAnalyzing Vendor Risks.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[84,78],"tags":[137],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1661"}],"collection":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1661"}],"version-history":[{"count":5,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1661\/revisions"}],"predecessor-version":[{"id":2388,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/1661\/revisions\/2388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media\/2700"}],"wp:attachment":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}