Third-party risk management (TPRM) Knowledge Center

Modern Businesses Depend On Rigorous TPRM

What is TPRM?

TPRM stands for third-party risk management — or the processes and utilization of tools meant to monitor and assess the risks posed by working with third parties.

It helps companies understand what potential risks they might take on by engaging with certain partnerships. Ultimately, TPRM is an umbrella term encompassing the management of all kinds of risk posed by third parties. These types of risk include:

  • Cybersecurity risk: The risks that come along with being digitally connected to partners and vendors.
  • Operational risk: Risks that put essential workflows and tasks in a business at a standstill, slashing productivity.
  • Regulatory risk: The threats that third parties pose to an organization maintaining compliance.
  • Reputational risk: Threats to an organization’s good standing and perception in the public eye.

Working with vendors, partners, and suppliers naturally introduces some risk to your organization. With more businesses connected than ever, effectively measuring third-party risk is essential to keeping tabs on your own cyber hygiene.

However, the level of risk your company faces varies depending on a third party’s unique security profile and your risk appetite. Tolerable risk varies from organization to organization, meaning what might be unacceptable to one business could be acceptable to another. Those contextual factors mean there is no one-size-fits-all approach to TPRM.

Therefore, an effective TPRM strategy analyzes vendors’ risk profiles based on an organization’s individual risk appetite, values, and goals.

How Does TPRM Work in Practice?

TPRM encompasses many different types of risk and concerns, which means learning about it can get theory-heavy.

Let’s take a look at a few examples of how organizations apply TPRM in real life:

Worries Over Ransomware

A security team might be worried about susceptibility to ransomware that takes advantage of a specific critical vulnerability exploit (CVE). To assess the risk a vendor poses, that team would deploy third-party risk management strategies or tools to identify whether the vendor had that CVE and whether or not it had been remediated.

This process helps security teams gain a greater understanding of the potential vendor’s risk profile — and therefore make better decisions on whether or not that risk is worth the benefits of working with that vendor.

Concerns About Concentration Risk

An organization might be concerned about whether it faces excess concentration risk — or the risk that accumulates when a considerable amount of value or assets are concentrated with a single vendor. When an organization experiences a breach through a vendor it heavily relies on, it magnifies the effect of the cyber incident, such as downtime or loss of business services.

As such, an organization would use third-party risk management strategies to conduct an audit of its vendors to identify the concentration risk of each, determine which vendors have unacceptably high concentration risk, and identify where diversification of vendors is necessary to mitigate intolerable risk.

The Benefits of Robust TPRM

TPRM encompasses many different types of risk and concerns, which means learning about it can get theory-heavy.

The most imminent threat in today’s threat landscape is connected risk — or risk from working with third-party partners and vendors. In fact, 98% of companies that conduct business with third parties suffer from breaches.

How can modern third-party risk management programs mitigate the blow of third-party risk? By granting security teams access to contextualized insights to ramp up defense against bad actors — and ultimately, save organizations time, resources, and cold hard cash.

The top five benefits of a robust TPRM program are:

  1. Improved Decision Making: Efficient TPRM programs grant stakeholders insight into the quantitative risk — or probable financial impact — that potential vendors pose to their organization.
  2. Proactive Cybersecurity Practices: Modern TPRM programs enact a preventative (rather than reactive) approach to cybersecurity. With proactive strategies, teams can flag early indicators of an attack and take steps to prevent it altogether.
  3. Greater ROI: Robust TPRM programs increase the efficacy, strength, and resilience of an organization’s greater cybersecurity program. An initial commitment to TPRM can save organizations big in the long run — ultimately making TPRM a high-return investment.
  4. Better Use of Resources: By identifying which vendors are in scope of your TPRM program, your teams can more efficiently allocate their forces to where they’re needed most: the vendors that could cause your organization the most damage if they’re breached.
  5. Reduced Losses: Fewer incidents means fewer times your company will have to pay out to money-hungry bad actors.

Traditional Solutions for TPRM

Your teams are likely already familiar with (and probably leveraging) some of the most commonly used TPRM  strategies and tools.

Here are a few popular methods, how they work, and where they fall short.

Questionnaires

To help combat mounting threats from unmanaged third-party risk, organizations often deploy security questionnaires.

A questionnaire is a list of security-related inquiries meant to provide the issuing company with insight into a vendor’s cyber hygiene. These questionnaires help organizations decide whether or not to do business with the vendor in question. Because questionnaires are produced by individual organizations, the questions included may vary from company to company.

While still widely used, questionnaires have faced criticism in recent years that they’ve become outdated and unwieldy in today’s fast-moving threat landscape. Some of these criticisms claim that questionnaires are:

  • Time-consuming: Because these questionnaires differ from organization to organization, they can take a considerable amount of time to fill out. They also inundate security teams with hundreds of different types of answers (and therefore, information) to parse through, which can slow risk analysis.
  • Qualitative, not quantitative: Questionnaires give organizations a qualitative view of risk, which only provides security teams with a surface-level picture of a vendor’s true cyber hygiene. 
  • Too flexible, not enough structure: Questionnaires are customizable from organization to organization. As a result, many enterprises fill them with questions that they think will give them a full picture of risk. However, that means they may not be asking the right questions necessary to give organizations an accurate picture of risk.
  • Rely on vendors to be honest: There is no way to guarantee that vendors fill out questionnaires with an objective, or even truthful, lens. They rely on vendors answering questions in good faith, which may lead to more optimistic rather than realistic data.

Security Rating Services

Security rating services are private entities that devise processes for analyzing an organization’s cyber hygiene. These services then “rate” a company’s cyber health, typically by granting an A to F letter grade.

Today, ratings are closer to credit scores than accurate representations of an organization’s risk profile. Organizations need decent security ratings in order to safeguard their reputation, and more importantly, qualify for cyber insurance. However, these ratings in and of themselves do not necessarily show an objective picture of an organization’s cyber risk profile.

All organizations are susceptible to breaches, even those with high ratings. Some famous examples include:

Curious about their grades? Schedule a demo call.

The top five benefits of a robust TPRM program are:

  • They’re qualitative: Ratings alone lack the context organizations need to make accurate and data-driven business decisions.
  • They’re opaque: Security rating services keep the recipes to their ratings secret. That means organizations can’t know if an SRS is taking all a vendor’s risk factors into account.

Ultimately, this lack of context leads to a letter grade that, while seemingly objective on the surface, ends up being a subjective assessment of how susceptible a vendor might be to breaches, leaks, and attacks.

Why Traditional TPRM Needs A Refresh

Our current understanding of third-party risk management developed over two decades ago – but traditional programs and practices haven’t evolved with the threat landscape. As a result, TPRM programs are long overdue for modernization.

Here’s why traditional methods of measuring third-party risk aren’t cutting it:

Qualitative questionnaires provide an incomplete picture of risk. They cannot obtain an objective view of a vendor’s cyber hygiene because they rely too strictly on good faith and fail to contextualize the insights they collect.

Rating systems are opaque and also lack appropriate contextualization from vendor to vendor. Instead, they reduce risk to static letter grades that make it difficult to facilitate effective decision-making.

Why haven’t more companies moved on to more advanced third-party risk management? Roadblocks in the form of cost, resource strain, and budget prioritization present challenges in modernization — but the real source behind TPRM stagnation is human nature.

People are creatures of habit, and old habits die hard. Organizations have developed approaches to TPRM they’re already accustomed to, making modernization difficult to achieve.

The Power of Quantifying Risk

Here’s the truth about ratings and questionnaires: they don’t work alone.

Although letter grades can provide some idea of a vendor’s cyber hygiene, they fail to paint a full picture of risk because they lack contextualized insights. Without contextualized insights, organizations can only see a surface-level picture of risk. That qualitative risk isn’t enough for organizations to make critical decisions.

An effective TPRM program needs to put risk in quantifiable terms. In other words, it needs to assign risk a dollar value.

Assigning risk a concrete numerical (and financial) value helps executives understand supply chain risk — and therefore, drive practical decisions and policies. Giving risk a dollar value also helps executives concretely see where TPRM strategies are lacking — and what they might pay for it.

To get a quantifiable picture of risk, TPRM programs must:

  • Determine Vendor Scope: Security teams must narrow down which vendors are most likely to get targeted and which are most likely to impact essential business functions.
  • Identify Risk Scenarios: In effective TPRM programs, details make the difference. Organizations must create hypothetical incidents and analyze their impact in order to develop the right plan for that incident should it occur.
  • Calculate Probable Financial Impact: This is where dollars come in. When risk is assigned a concrete number, security teams can arm stakeholders with the right information they need to make better business decisions.
  • Apply Resources to Highest Risk Vendors: Once security teams know which vendors pose the
most risk to their organization, they can better focus and distribute their resources.
  • Monitor for Changes: This is the “repeat” part of “rinse and repeat.” Once a robust TPRM program is built out, organizations must continuously monitor their vendors in scope for changes — and re-hash their analyses accordingly.

Our TPRM Knowledge Starter Pack

Looking to expand your knowledge on building out the right TPRM program but unsure where to start? Check out our starter pack of TPRM essentials: