Authored by:
Eric Chan, Director of Strategy & GRC, Cybersecurity – MorganFranklin Consulting
Third-Party Risk Management (TPRM) continues to be a top emerging risk for organizations of all sizes across all industries, with 81% of executives identifying TPRM as a top priority going into 2022. This trend is only expected to continue as dependence on third parties grows and vendor relationships become more complex. We’ve also seen an uptick in client demand for TPRM program implementation and managed services from all types of organizations—and not just those that are heavily regulated or have complex supply chains. The reality is that every organization that relies on third parties for production operations is inherently exposed to vendor risk, regardless of its size or industry sector, and the lasting impact of a data breach or risk event caused by a third party can be extremely costly.
Organizations are realizing that they are only as secure as their weakest link, but they continue to struggle with how to implement a sustainable TPRM program in a cost-effective manner. The pressure to maintain effective TPRM is also increasing with demand, and not just from regulators, auditors, or oversight agencies. We continue to see instances where critical business partners of our clients require them to maintain an effective TPRM program or risk losing the relationship. Many other organizations are facing similar challenges.
We take a tailored, risk-based approach to implementing and sustaining effective TPRM programs for our clients. This starts with taking the time to understand and identify their unique risk factors and to create a strategic roadmap with clearly defined short-term “quick wins” and long-term goals. Scalability is critical to maintaining a sustainable TPRM program, and part of that is building in the capabilities and metrics for those pieces early on. Organizations must be honest with themselves about their current TPRM maturity level and set realistic expectations about their target maturity. We see many clients struggle because they set unnecessary or unrealistic TPRM program expectations. Most organizations do not need a “best-in-class” TPRM program, yet they still set that as their target maturity state.
Avoid the common mistake of putting the “cart before the horse” by investing the necessary time in upfront strategic planning to clearly understand the level of program maturity needed (and what milestones must be met to be successful). Set realistic goals and expectations based on your organization’s risk tolerance and business obligations. For example, while the need for automation is growing and can provide significant benefit, many companies don’t need to invest in expensive GRC tools to establish an effective and sustainable program. We encourage our clients to avoid taking on excessive technical debt by leveraging existing technology where they can. Organizations should simplify their approach to TPRM to the extent possible, maintaining clear and comprehensive visibility into their vendors through a program that:
• Align with business and regulatory needs
• Scale as a business grows
• Leverage automation to monitor and mitigate risks
Many of our TPRM clients already have relatively mature ERM processes in place, yet they are not applying these same practices to managing vendor risk. When asked why, the answer is almost always a combination of the organization not yet having been exposed to a third-party risk event and the perceived high costs and resource commitments needed for sustainable TPRM. This reactive mentality will eventually catch up with you; it’s a matter of when, not if. Organizations must strike a balance between keeping their TPRM program scalable and adaptable and keeping it comprehensive, by consistently managing vendor risk throughout the vendor lifecycle.
The good news? Establishing a risk-based third-party risk management program and maturing its processes over time probably isn’t as expensive as you think, and it usually doesn’t require a significant up-front investment in expensive GRC systems. Leverage existing technologies where you can and use proven risk methodologies. Maintain a risk-based approach and focus efforts on your most critical vendors to maximize operational efficiency. And finally, ensure your TPRM program remains adaptive to changes in the risk landscape.
Meet Eric Chan!
Director of Strategy and GRC within MorganFranklin’s cybersecurity practice who is passionate about resolving corporate risk management and cybersecurity issues while delivering the best possible customer experience. The first 14 years of my career were dedicated to financial services risk management across all 3 lines of defense, helping build out best-in-class risk programs and methodologies for some of the largest global Fortune 500 banks in the world. I then helped found Vaco Risk Advisory Services in Cincinnati, OH, and served as Practice Leader until joining the MorganFranklin team. My diverse risk management experience has allowed me to serve a variety of clients and industries, including as interim Chief Risk Officer for one of the nation’s largest Credit Union Servicing Organizations where I led the implementation of their Enterprise Risk Management Framework.