TPRM oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support their overall TPRM program. This then allows the program to address third party risks at the highest level, while ensuring governance structures are in place to run the program effectively. TPRM oversight will also ensure key stakeholders are aware of program requirements and assist with the implementation of said requirements.
But what does good TPRM Oversight provide to your program?
Accountability
Consistency
Support
Value
Let's take a look at the benefits noted above individually to determine what governance activities would be required to achieve each benefit.
Accountability – the benefit of clear expectations and defined roles and responsibilities. Activities related to this benefit include, but are not limited to:
Program Governance – Determine how your TPRM program will run. Will it be centralized (one team/department is responsible for the majority of program activities) or decentralized (multiple teams/departments are responsible for pieces/parts of your TPRM program)?
Roles & Responsibilities - Clearly define all of the different roles each person/team/department will play. Chances are your entire organization will be impacted by your TPRM program as third party products/services are used by many. Key roles/responsibilities to define may include, but not be limited to, the Assessors, TPRM Program Leads (who will own/maintain the TPRM program policies and procedures), Procurement, Legal, Information Security, Business/Relationship Owners.
Third Party Risk Committee – It is best practice to set up and maintain some type of risk committee where third party risks are discussed. This ensures your organization can make informed decisions regarding third party risk, as well as accept risk at the highest level. Business Owners should not be the only ones to accept High risk on behalf of the organization.
Education & Training – Create a TPRM education and training program for not only business owners and key stakeholders within your organization, but also third parties. Training may include a summary of how your TPRM program is structured (what assessments are performed and when, the process to validate, follow up on, and remediate findings, and the risk escalation process), as well as what evidence you will be collecting, when, and why. It's also important to communicate business owner and third party expectations and support requirements.
Consistency – the benefit of defined TPRM program requirements and structured metrics.
Policies and Procedures – Document program policies and procedures, including TPRM lifecycle activities (Planning & Oversight, Pre-Contract Due Diligence, Contracting, Continuous Monitoring/Post-Contract Due Diligence, Disengagement, & Continuous Improvement), handoffs between departments, escalation procedures, and reporting.
Metrics & Reporting – Creating program metrics that evaluate program maturity, third party risk trends, and assessment workflow can help you accelerate program performance and reduce third party risk impact on your organization.
Continuous Improvement – At least on an annual basis, perform a gap analysis of program activities and controls by comparing them to more mature programs or leveraging TPRM maturity models.
Support – the benefit of executive-level support and sufficient resources.
Budgeting – Develop a comprehensive TPRM program budget that includes resources, operations, maturity model (for future enhancements), travel (for onsite visits), training, and tools. The TPRA held a meeting in October 2021 that reviewed what a comprehensive budget should include. Playback is available to TPRA members on our website.
Resourcing – Develop and implement a resource strategy for attracting and retaining talent. Driven by the pandemic, a higher volume of regulations, cyber threats, and technology advancements, demand for TPRM is growing and practitioners are becoming more specialized. It is important to ensure your staff is knowledgeable, communicates well, and understands business needs.
Tools – If your program has reached a certain level of maturity (at least documented policies and procedures, as well as a good support system), you may wish to purchase TPRM tools to reduce the constraint on your resources and allow you to focus on mitigating third party risk at the highest level. The majority of programs use a TPRM Platform & Continuous Monitoring Tool(s). TPRA is working to create an exhaustive list of TPRM tools. Disclaimer: This list does not include affiliate links and the TPRA does not receive any monetary value from the list.
Board Support – Your Board should already be asking your Executives third party-related questions. They have a duty to ensure appropriate action is taken to mitigate third party risk. Ensure you are updating the Board on third party risk trends at least annually. You may want to work your way up to providing a Board update each quarter.
Executive & Business Support - It is imperative to have the support of your executives, which then drives the support you receive from the business. Ensure your executives and business understand the value of having a comprehensive TPRM program in place.
Value – the benefit of TPRM program outcomes leading to the mitigation of cyber, financial, and reputational risk.
Business Case – It is best practice to have a strong business case documented for why TPRM is important & what value you bring to the organization. This ensures future TPRM program enhancements can be obtained.
Responding to Third Party-related Incidents - Studies have shown that the more mature your program is, the less of an impact third party incidents will pose to your organization. Ensure your program contains a plan to respond to and address third party-related incidents and that your Legal and Information Security teams are included within the plan.
Holistic View of Risk Landscape - A mature TPRM program can also show your executives, as well as the Board, a more holistic view of your organization's risk landscape, to include fourth and fifth party risk. This then allows the Board and Executives to make better and more informed decisions on strategic initiatives.
Overall, good TPRM program governance can not only set your program up for continuous success, but also save your organization from significant business disruption by proactively mitigating third party risk.
For more information on TPRM topics and to participate in the many discussions on third party risk, join the community of TPRA Practitioners by visiting www.tprassociation.org/why-join. Standard Practitioner Membership is FREE and Premium Membership (which includes your ticket to our annual, in-person conference) is $199.