Prepare to Assess: Your Third-party Risk Assessment Checklist
You can’t do it all on your own. That’s something my friends and family have wisely reminded me, and it holds true in business, too. We constantly decide whether to make, buy, build, or partner in order to enhance our company’s efficiency and provide greater value to our customers.
When we choose to partner with third parties to handle an ancillary service or provide additional skills that aren’t part of our core business, it can bring high value and efficiency. But it also introduces critical risks.
Managing that third-party risk effectively can not only protect you from operational risks, but it can make or break your business reputation. My best advice? You must go beyond the standardized questionnaire templates during procurement processes or contracting. That’s the minimum. The optimized way to manage third parties is through a tailored third-party risk assessment based on the types of engagements you’re entering with that potential vendor. Then, ongoing monitoring of the third party gives you up-to-date information for decisive action if an incident occurs.
Here are some points to keep in mind to effectively manage your third-party risk management (TPRM) program.
5 Steps of the TPRM Lifecycle
Effectively managing third-party risk is a continuous process that requires a structured and strategic approach. The TPRM lifecycle encompasses several stages, each designed to ensure comprehensive oversight and control over the risks associated with critical third-party vendors and your engagements. By working through these stages, organizations can systematically identify, assess, mitigate, and monitor risks throughout the entire relationship with their vendors. This kind of proactive vendor risk management program not only safeguards your business reputation and security posture but also ensures compliance with regulatory requirements while enhancing overall operational efficiency.
Need help implementing a strong-yet-flexible TPRM system? Read how to get started.
Let’s explore the five essential steps of the TPRM lifecycle to understand how they contribute to robust risk management practices.
Identification
During the Identification stage of TPRM, organizations pinpoint and document all third-party relationships to understand their scope, purpose, and potential risk exposure.
- Document the Third-Party profile and the Engagement details in a repository
- Identify which risk domains are relevant
- Segment your Third-party Engagements into risk tiers to align with pre-defined due diligence requirements
Assessment
During the Assessment stage of TPRM, organizations evaluate the identified third-party risks through comprehensive risk assessments, due diligence exercises, and tailored questionnaires to gauge their potential impact on business operations.
I always recommend assessing risk at the engagement level with a multi-step assessment. This allows for the use of industry standard templates and/or industry-supported certifications to reduce the question set and provide a more efficient questionnaire experience.
Analysis
In the Analysis stage of TPRM, organizations systematically review and interpret the data gathered during assessments to identify specific risk areas and determine the appropriate mitigation strategies. This includes:
- Review and analyze survey responses collected as part of the Engagement Risk Assessment
- Request additional information, document observed deficiencies
- Determine overall risk domain scores (using the information gathered during the assessment) and leverage any security ratings services data, which may help confirm or challenge the assessment results
Remediation
The objective of this phase is to ensure that all deficiencies (a.k.a. “observations”) identified in the assessment analysis are reviewed and a decision is made to address the risk. Observations that require full remediation and action plans may be escalated to be tracked as a finding within your GRC solution.
Your specific task during this phase? Initiate a business review and responses to documented observations that resulted from the due diligence activities performed.
Monitoring
Of course, you’ll want to monitor the engagement through the selection process, and if the engagement is contracted, it’s time to enroll the engagement into a recurring assessment schedule, periodic performance surveys, and security rating service monitoring. As time goes on, you’ll also want to maintain open lines of communication with your third parties through regular meetings and updates. This helps in promptly addressing any concerns or changes in their operational landscape that might affect your risk exposure.
Your Third-party Risk Assessment Checklist
Preparing for and properly conducting the assessment portion of your TPRM program can have a great impact on safeguarding your business against potential risks associated with third-party engagements. It’s about getting granular here. Rather than a fill-in-the-blank survey, healthy assessments are meant to facilitate critical evaluation of identified risks, due diligence processes, and tailored questionnaires. A thorough and well-executed assessment not only provides a clearer picture of potential vulnerabilities but also lays the foundation for effective risk management throughout the entire lifecycle of third-party relationships. Here is a checklist of tasks to set you up for assessment success.
Pre-assessment
- Implement a complete software solution to manage third-party relationships and engagements. If you’re still trying to manage this in spreadsheets, this will be a game changer.
- Ensure a formal onboarding process for new external partners is established for the organization and is operationalized in a central solution.
- Identify all third parties in use and catalog in a single interconnected source of truth, such as your chosen software solution.
- Define all unique engagements in place with each third party.
Note: Assessing only the vendor is insufficient. If a vendor provides multiple products or services, each should be independently assessed to ensure a complete profile of the third party’s impact on the organization.
Assessment
- Obtain all relevant audit opinions or certifications based upon engagement type (SOC, ISO, HITRUST, etc.). This can be expedited through a shared portal.
- Obtain policy and procedure documents related to data and security through a shared portal.
Note: Some third parties may consider these documents confidential. If so, ask to view them online during a video conference instead.
- Ensure third-party employees attest to policies and procedures.
- Send appropriate tailored engagement questionnaire covering remaining domain scope not already satisfied through document collection.
- Determine any 4th parties (or beyond) with whom the third party may share data and assess those.
- Ensure an incident management plan is in place for each high-risk third party in the event of an incident or breach.
How do you manage third-party security audits in light of GDPR compliance? Watch the PROS case study.
Post-assessment
- Collaborate with your third party on remediation of domains that remain unsatisfied.
- Establish continuous monitoring of the third party for incidents so you can address them immediately. Leverage solutions for cybersecurity risks, like Black Kite or SecurityScorecard.
- Send targeted follow-up assessments on a schedule based on the risk tier of the third party.
- Implement periodic reporting on each third party to monitor performance and compliance throughout the engagement.
- Create unique reports for each stakeholder in the organization to ensure they have the data and KPIs they need.
- Establish a formal offboarding process for third parties when engagements end and ensure it is operationalized in a centralized solution.
Effectively managing third-party risk isn’t just a best practice. It’s a measurable way to maintain operational excellence. By utilizing engagement-based assessments, you can reduce potential vulnerabilities and enhance your organization’s resilience. As always, if you want to discuss automating TPRM in detail, just put time on the calendar with us.