Editor's note: This article, authored by Alastair Parr, SVP of Global Products & Services, was originally published in securityinfowatch.com.
Organizations today work with thousands of third-party vendors, suppliers, and partners, and as any company leader knows, these relationships can be great for business. Third-party partners can source new opportunities, but with opportunity comes risk.
While organizations have thousands of third-party relationships, they manage only a fraction. This situation is becoming untenable because of third-party data breach threats, changing vendor ecosystems and increasing regulatory oversight.
Managing the risks of third-party relationships has become a critical function for organizations in every industry.
Organizations need a robust solution to mitigate risks that come from many sources and evolve constantly. However, with so many options available, how should they determine which will best serve their needs?
There are five common solutions in third-party risk management, and in order of least to most comprehensive, they are spreadsheets; cybersecurity risk rating tools; governance, risk, and compliance (GRC) tools; source-to-pay suites; and dedicated third-party risk management platforms.
Organizations must consider each option's strengths and weaknesses before settling on the right solution.
Spreadsheets have been the go-to for third-party risk management. However, every organization using them knows that they have their advantages and disadvantages. While they are a low-cost, flexible, and familiar solution to managing information, they face limits regarding data integrity, scalability, security, collaboration and advanced functionality.
Since virtually everyone knows how to use spreadsheet software, there is a minimal learning curve. Spreadsheets can be easily shared since their formats and functions are so well-known. However, they have nearly no automation or version control, which means plenty of time-consuming, manual work will be involved in creating and maintaining third-party risk assessments.
Perhaps most importantly, spreadsheets seldom have advanced security features, making risk data vulnerable to breaches, especially when shared between different parties.
Cybersecurity risk rating services quantify third parties' cybersecurity posture using data that includes vulnerabilities, exploits, web application controls, and other publicly observable information. These tools shed light on risks posed by third-party vendors and present findings as a numerical risk score or letter grade.
But these tools also have their limitations. For example, they do not conduct detailed internal control assessments. They are also siloed by risk type, which means organizations must purchase different data feeds and integrate them to get a complete picture of third-party risk.
Cybersecurity risk rating tools are a good option for organizations with the resources to stitch together multiple monitoring feeds to address other types of risk. However, they will likely fall short for organizations that must adhere to regulatory requirements and understand how effective a third party's internal IT security controls are. This is why they are often used to complement more comprehensive solutions for assessing risk.
Sometimes referred to as enterprise risk management (ERM) or integrated risk management (IRM), governance, risk, and compliance (GRC) tools offer a broad approach to risk management. But for many organizations, they will be a mile wide and an inch deep.
While GRC tools often come with robust reporting and analytics, which facilitate comprehensive internal risk analysis and decision-making, they must always be maintained and updated, which can be resource-intensive and require dedicated personnel.
GRC tools are most common in larger organizations with ample budgets, where third-party risk is treated like internal risk. For small and mid-sized organizations, however, a full GRC tool may be like using a cannon to swat a fly—and a costly one at that.
Source-to-pay (S2P) suites cover an organization’s full procurement process, from sourcing products and services to eventual payment. These tools often offer third-party risk management modules as part of their broader procurement capabilities, along with features for contract lifecycle management and other important functions such as RFx.
Because these tools are built for procurement professionals, they focus on sourcing, evaluating, and onboarding vendors and often sacrifice broader risk considerations. They are not sophisticated about other important stages of the third-party risk lifecycle or the unique concerns of IT security teams.
Like GRC tools, S2P suites are an option for larger organizations with considerable procurement budgets, which have a procurement focus and the need to manage multiple vendor and supplier relationships but have less focus on risk. Regarding risk, these tools deliver insights through partnerships with data and risk intelligence providers, intended to score supplier risk and enable sound decision-making. However, for organizations where risk management is a more pressing concern, S2P suites are most likely insufficient.
Dedicated third-party risk management (TPRM) platforms are a great option for many organizations because they are laser-focused on managing vendor and supplier risks. Their capabilities to identify, assess, mitigate, and monitor risks associated with third-party relationships are comprehensive. TPRM platforms boast advanced functionality tailored to managing risk throughout the relationship lifecycle.
Organizations should be wary of overly customizing risk assessments with these platforms, as this can make comparing and scoring vendors inconsistent. Additionally, TPRM platforms may require integration with other risk management tools such as S2P suites, GRC tools, reporting platforms or other solutions. Fortunately, some are offered with a library of pre-built integrations or an open API that can make the process smoother.
TPRM platforms are ideal for organizations with different teams managing third-party risk. These teams will experience the benefits of unified risk intelligence, lifecycle-based risk remediation, and support for multiple types of risk.
Finding the right approach depends on each organization's specific needs, the risk landscape it faces and the size of its budget.
Spreadsheets may work perfectly for small organizations with few vendors to manage, while cybersecurity risk rating tools might serve those focusing only on cyber risks. GRC tools are best for large, well-resourced organizations with integrated risk management needs, while S2P suites will be a top choice for those prioritizing procurement processes over third-party risk. Dedicated TPRM platforms serve organizations in various industries well because of their comprehensive and specialized third-party risk management capabilities.
For most organizations, relationships with third parties are proliferating—and so are the risks. Fortunately, there are many good choices regarding tools for mitigating them.