Why You Need a Third Party Risk Management (TPRM) Program
What entity or industry does not engage with a third party in some way? Not many. The reality is that outsourcing and contracting out happen all the time and are the norm as companies continue to embrace the baseline/contextual mentality and division of labor. The more you outsource, the more you need a robust third-party risk management (TPRM) process in place, also known as supplier risk management.
Risk management isn’t new, but the current iteration of TPRM logic typically focuses on three parts:
- Risk assessment and analysis
- Risk assessment and
- Risk treatment.
I had the pleasure of chatting with David Medrano, Director of Third Party Risk Management at Morgan Franklin, who shared his perspective on the importance of TPRM and vendor monitoring. Medrano explained that many corporate entities may have more than 1,000 separate engagements with third parties and, therefore, must have a methodology to measure the risk of each of those engagements.
Medrano said that while many entities know their subcontractors, they may lack visibility into the contractor’s contractor; thus, a daisy chain of outsourced work can take place, which places the data at an unknown level of risk as the third party shares it with a fourth party, and so on. The most important thing an organization can do, in this case, is categorize suppliers in the planning/strategy phase. Suggested risk groups may include critical vendors, physical vendors, and technology vendors.
“Classify them by how and what they do and how their third-party actions pose a risk to you,” Medrano said. The risk of the coffee seller, for example, is not the same as the risk posed by an MSSP. He advised caution about accepting risk in excess of the value to the seller or the value to the business.
Medrano also advised keeping the methodology consistent, as this helps manage risk while showing customers, regulators and compliance entities that the company has a methodology in place to measure and address risk, and it explains the company’s thought processes regarding its actions.
Ironically, while there are a plethora of vendors (yes, third parties) willing to provide you with tools to create your TPRM program, there are also standardized methodologies available from the US government. For example, the National Institute of Standards and Technology (NIST) has created a TPRM framework to help businesses create a cohesive and consistent TPRM plan that fits their unique needs. The NIST framework can help you:
- Prepare – Essential activities to prepare the organization to manage security and privacy risks
- Categorize – Categorize the system and the information processed, stored and transmitted based on an impact analysis
- Select – Select the set of NIST SP 800-53 controls to protect the system based on one or more risk assessments
- Implement – Implement the controls and document how the controls are deployed
- Assess – Determine if controls are in place, working as intended, and producing the desired results
- Authorize – A senior official makes a risk-based decision to authorize the system (to operate)
- Monitor – Continuously monitor the implementation of controls and the risks to the system
In summary, every business unit should use a TPRM system, whether its engagement with third-party vendors is centralized or decentralized. Additionally, uniformity of valuation is of paramount importance, Medrano said.