The Top 5 Third-Party Risk Management Compliance Mistakes

I’ve learned some valuable lessons over the course of 20 years working in cybersecurity, data privacy, audit, compliance and consulting. For instance, when rolling out the third-party risk management (TPRM) program at a Fortune 10 healthcare company, I discovered how critical it is to anticipate the needs of program auditors and examiners.

In fact, simplifying compliance initiatives has been a major driver behind every TPRM program I’ve been involved with, and I’ve had to navigate many hurdles along the way. Here are five of the biggest TPRM compliance pitfalls I’ve encountered, plus some advice on how overcome them.

Common TPRM Compliance Mistakes

1. Lack of Documentation

Gathering documented evidence of controls, processes and procedures is at the heart of all compliance audits. However, when working with clients, I often find their documentation to be outdated, obsolete, and/or inconsistent with current regulations and best practices. In many cases, there is no indication of ownership, review or signoff – and evidence of required tools and techniques often isn’t appended to existing procedures. What’s worse, much of the documentation I’ve reviewed is not written well enough for new team members to take ownership when necessary.

2. Ignorance of Corporate Policies and Standards

Most TPRM programs do their best to follow regulatory requirements and industry standards, but many are out of alignment with corporate or organizational policies and standards. Examples include:

• Forgoing background checks for new vendors or suppliers (e.g., reviewing recent breaches, financial status, operational issues, etc.)
• Not establishing connectivity standards based on data sensitivity (e.g., when to allow access through VPNs or via secure gateways)
• Failing to wall off “No Go” zones, or areas in the network that should be segregated (e.g., through privileged access)
• Using non-approved contracts when buyers “go rogue”
• Bypassing the TPRM process altogether to get a new vendor onboarded ASAP

Going outside approved corporate policies exposes your organization to unnecessary risk and could result in your project not receiving the funding it needs to be successful.

3. Lack of Meaningful Metrics

Failing to measure progress toward risk objectives will slow the audit process. Take an honest look at your existing metrics. For instance, are they:

• Accurately reporting on business and vendor risks?
• Uncovering potential data and information adjustments?
• Representative of the true assessment environment?
• Providing relevant, contextual risk reporting to management and key business units?
• Providing support and value to all stakeholders?

4. No Centralized Vendor Inventory

One major challenges for new TPRM programs is getting a handle on who their vendors and suppliers are. Some may be managed by the IT security team, while others are handled by procurement or another department. Not having an authoritative vendor list can bog down your TPRM project. That’s why it’s important to determine who owns and maintains your organization’s vendor inventory “Book of Record.”

Ensure your TPRM policy documentation either reflects your group’s ownership or references the owner’s policy. Also, periodically sync up with any teams involved in maintaining vendor inventories, such as sourcing/procurement, business owners, legal and (as a last resort) accounts payable.

5. Always in Reactive Mode

Too many TPRM programs operate in reactive mode and are constantly on their heels. This is a culmination of the previous four compliance mistakes, where programs lack documentation, policies, metrics and/or a central vendor inventory. Taking a more proactive approach to TPRM compliance will streamline your operations, enable you to update documentation as changes are made, and open the lines of communication with stakeholders around metrics and other program needs.