Extending Integrated Risk Management to Third-Party Risk

As you evaluate your IRM strategy, be sure to consider these key third-party risk management capabilities.
By:
Scott Lang
,
VP, Product Marketing
February 14, 2020
Share:
Blog extending irm jan 2020

In the face of growing numbers of damaging data breaches, organizations are looking to simplify, automate and integrate strategic, operational and IT risk management data and processes to enable better and more holistic decision making. This risk-centric approach extends traditional compliance-driven methodologies of governance, risk and compliance (GRC) programs to meet the inevitable and ever-changing security and privacy compliance requirements that are borne out of these security incidents. This is commonly referred to as Integrated Risk Management (IRM). This discipline isn’t new; rather more of an evolutionary step of GRC to support the trend of organizations looking for solutions that provide actionable insights that are aligned with business strategies, not primarily regulatory mandates.

A key element for organizations to consider as they build out their IRM strategy, however, is the impact that third-party partners, suppliers and vendors have on business risk. This blog is meant to define how third-party risk management (TPRM) can help inform a holistic IRM strategy. IRM aligns processes, technologies and people in an organization with a repeatable framework for risk-based decision-making, and TPRM plays an essential part of that alignment.

Augmenting IRM solutions

IRM solutions are essential to managing organizational risk to acceptable levels, but some may not be tuned to gaining visibility over vendor risks – e.g. the extended enterprise. To ensure IRM programs adequately meet compliance requirements related to third-parties, and to promote a more risk-driven strategy, we recommend a certain set of best practices capabilities to adhere to.

To illustrate how key TPRM capabilities fit into a common model, we’ve mapped them to Gartner Critical Capabilities for Integrated Risk Management in the table below. Use this table as a checklist when evaluating whether your existing IRM toolset can address your third-party risk needs. Be sure to review the entire Gartner IRM report for all the best-practice guidance and context as this table is only a summary.

Key Third-Party Risk Management Capabilities Aligned with Gartner’s IRM Model

Gartner Critical Capabilities for IRMBest-Practice TPRM Capabilities to Augment IRM
Risk & Control Document/Assessment – Document risks and related controls to meet internal/ external audit requirements.

Risk-related content, including a risk framework, taxonomy/library, key risk indicator (KRI) catalog, and legal, regulatory and organizational compliance requirements

Library of pre-built industry standard content/ questionnaires, including specific compliance regulation and vendor performance content, with the capability to build your own assessment customized to your organization’s needs

Risk assessment methodology and calculation capabilities (e.g., bow-tie risk assessment)

Risk matrix that calculates risk scores based on likelihood of occurrence and impact to the business; augmented by a FAIR methodology

Policy documentation and control mapping

A unified risk model that automatically maps the information gathered from controls-based assessments to regulatory frameworks to enable clear and actionable reporting

Documentation workflow, including authoring, versioning and approval

Bi-directional document management with tasks, acceptance, and mandatory upload features

Business impact analysis

Quantify how risks change over time; with and without the application of required remediations

Audit work paper and testing management

Complete audit trail of all communications internally as well as with external parties through documentation workflow capability

Third-party control validation

Library of industry standard control-based assessments that map to whatever controls framework (e.g. CoBiT, ISO, NIST, etc.) is employed

Incident Management – Provide a record of incidents to inform the risk assessment process and facilitate the identification of event causes.

Incident data capture

Continuously monitor cyber and business-related events of third-parties to inform immediate insights and additional assessments

Incident management workflow and reporting

Assign tasks to any one of a number of internal parties to facilitate further investigation

Root cause analysis

Include a number of outside data feeds to augment data gathering for a more complete view of risks

Crisis management

Identify workflow to address in real time any risks that could be business-impacting

Investigative case management

Maintain a record of all communications and documentation related to an identified risk for remediation

Risk Mitigation Action Planning – Develop plans to ensure appropriate mitigation steps are taken to meet the organization’s risk appetite.

Project management functionality to track progress on risk-related initiatives, audits or investigations

Bi-directional remediation workflow to enable discussions on risk registers and completion date/cost definition

Risk control testing capabilities, such as continuous control monitoring

Perform reoccurring assessments and incorporate results from external network cyber scanning

Control mapping to risks, business processes and technology assets

Library of industry standard control-based assessments that map to whatever controls framework (e.g. CoBiT, ISO, NIST, etc.) is employed

Control mapping to legal requirements and compliance mandates

A unified risk model that automatically maps the information gathered from controls-based assessments to regulatory frameworks

KRI Monitoring/Reporting – Aggregate and report on risk levels and key risk indicators.

Risk scorecard/dashboard capabilities

Risk register automatically populates from surveys with full audit trail and ownership of remediation

External data integration (e.g., information security vulnerability assessment data)

Snapshot and continuous vendor monitoring of vendor cyber and business risks, including feeds from outside sources, with intelligent prioritizing and risk registration

The ability to link KRIs to performance metrics

Visualize all vendors and sort by tier, risk score, category, importance to the business for better visibility

Risk Quantification and Analytics – Achieve regulatory-driven quantification and analysis.

Machine learning or other artificial intelligence (AI)-enabled analytics

  • Predictive modeling of risk score over time as recommended remediations are applied
  • Business risk analysis utilizing analysts and inputs to address potential risks from operational, brand, financial, or regulatory changes

“What if” risk scenario analysis capabilities

Statistical modeling capabilities (e.g., Monte Carlo simulation, value at risk and Bayesian statistical inference)

Predictive analytics

Capital allocation/calculation

Fraud detection capabilities

If your IRM strategy fails to address these TPRM best practices, act now. Download best-practice guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, for a full review of the required capabilities to account for third-party risks in your IRM program.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo