If you’re in the process of developing a risk mitigation strategy, the chances are good that you have encountered a third-party risk management (TPRM) framework. But what is this framework? Who was it designed for? And what are its benefits? These are all valid questions. But before delving into the workings of a third-party risk management framework, it is important to understand exactly what TPRM entails.
Stated simply, third-party risk management refers to the practice of risk mitigation for vendors, independent contractors, temporary hires, and other third parties who are affiliated with an organization. A TPRM strategy usually includes the identification of third parties, pinpointing vulnerabilities, risk mitigation, and long-term vulnerability monitoring, among other things.
Third parties run the gamut, from a soda machine vendor or office housekeeper to a freelance ERP consultant or a contract data science engineer. Each of them exposes a different area of the organization to risk, but a company’s technology deserves particular attention as you consider risk mitigation.
Technology opens the door to new opportunities, new capabilities, and innovative solutions; those same doors can also be opened by bad actors, hackers, and other unsavory characters. For this reason, IT should be a key area of focus as you develop a risk mitigation strategy. Actually coming up with a comprehensive third-party risk management strategy is much easier said than done, of course. That’s where the third-party risk management framework comes into play: it provides a guide for identifying, assessing, and mitigating risks.
Origins of the Third-Party Risk Management Framework
Third-party risk management frameworks are derived from a more general risk management framework that was originally developed by the U.S. National Institute of Standards and Technology (NIST).
NIST originally created the risk management framework — also known as “the RMF” — with government agencies in mind. The framework proved very successful at the federal level, so it was promptly adapted to and adopted by the private sector.
Third-party risk management is a priority in both the public and private sectors because organizations in each work with independent contractors, vendors, and other third parties. Third parties offer many advantages from a strategic, financial, and operational standpoint, but they also present risk that must be mitigated as a matter of best practice. This led to the adaptation of the RMF, with risk mitigation experts creating more targeted third-party risk management frameworks.
What’s in a Third-party Risk Management Framework?
There is some variation among TPRM frameworks, but most share five basic components. These components are somewhat formulaic, and together they guide an organization toward a TPRM strategy.
Risk Identification – Identifying vulnerabilities and risks is the first framework component. An organization must understand the nature of its vulnerabilities, including those that are security- and privacy-related, operational, legal, financial or regulatory, and compliance-related. If you don’t know where the vulnerabilities exist, it’s nearly impossible to develop a strategy to eliminate them or to minimize the resulting risk.
Risk Assessment – Risk assessment is the second component of a third-party risk management framework. This process involves creating a risk profile that articulates the level of risk for each vulnerability.
Many organizations also assign rankings to help prioritize the vulnerabilities that are addressed in the risk mitigation strategy. These rankings are often based on the potential losses that could arise if a vulnerability is exploited. Quantifying these potential losses can be challenging, though. For instance, it’s difficult to say how much your company stands to lose if a data engineer steals your data and sells it to a competitor. The same is true of the shady developer who “repurposes” your proprietary software for another one of his clients.
These quantification challenges mean it’s equally difficult to determine what risk mitigation measures would be considered cost-effective — and that leads us to our next point.
Risk Mitigation – Risk mitigation is the third component of a risk management framework and it involves weighing the risks with a goal of determining:
- Which risks are considered “acceptable;”
- Which risks should be actively addressed and/or eliminated; and
- Which risks ought to be monitored and potentially addressed in the future.
Risk mitigation entails a comprehensive analysis of vulnerabilities and the dynamics surrounding them. There is the potential cost and consequence of an exploited vulnerability. There is the cost of reducing or eliminating the risk. And there are some risks that are more nebulous, with the potential to evolve; those are risks you may prefer simply to monitor for now. It should be noted that the ever-changing nature of technology means your risk mitigation approach is going to be an ever-evolving part of your third-party risk management strategy. In fact, monitoring is the next component of the NIST RMF.
Risk Monitoring – Risks are not static. Like your business, they are constantly changing and evolving. This means your risk management strategy needs to be dynamic, with continual monitoring and periodic revisits. An effective strategy involves creating a third-party risk management framework task force that meets regularly to revisit vulnerabilities and the related risks posed by third-party associates.
Risk Governance – The fifth component of a third-party risk management framework is risk governance. Risk mitigation measures do little good if they’re not properly deployed and adopted. In fact, this is why many larger companies have full-time risk mitigation experts on staff. But not every organization has the budget or workload to justify hiring a risk mitigation specialist. In these instances, a TPRM task force can periodically evaluate governance and adoption.
7 Steps for Effective Third-party Risk Management
In addition to the NIST risk management framework’s five components, there are also seven actionable steps that can be applied to third-party risk mitigation efforts.
- Preparation – This step involves identifying risks and determining who will be involved in risk management efforts.
- Categorize – The categorizing phase entails risk assessment, ranking, and prioritization.
- Control Selection – In the control selection step, organizations choose the risk mitigation tools and measures that will be implemented. In the context of TPRM, these controls run the gamut from third-party screening tools to customized user permissions that allow administrators to minimize third-party access to sensitive data.
- Implementation – This step involves the deployment of tools, policies, and protocols that are intended to minimize third-party risks. This can include a rollout of TPRM software, upgrading digital protections, and minimizing opportunities for vulnerability exploitation.
- Assessment – The assessment step focuses on evaluating the measures that were implemented in the prior phase. Was everything implemented properly? Are you seeing the desired and expected result? In terms of IT third-party risk management, you must also ensure that you have not introduced any new vulnerabilities.
- Authorization – The authorization phase aims to apprise company leaders of the risk mitigation efforts. This is largely a formality whereby the task force seeks stakeholder buy-in.
- Monitoring – The seventh and final step involves continual monitoring of third parties and the associated risks. Risks are dynamic and ever-changing by nature, so your TPRM strategy needs to adapt in kind.
While the NIST framework steps were originally developed with government agencies in mind, it is easy to adapt these concepts to an IT-focused TPRM strategy. At iTech, our experienced TPRM team understands the challenges that organizations face as they seek to maximize benefits while minimizing risks. Contact the iTech team today to discuss your third-party risk management needs.