#442 – HOW TO MANAGE THIRD PARTY RISKS – BILL POMFRET PH.D.

The Third-Party Risk Management landscape has changed dramatically over the last decade. The 2008 financial collapse illustrated that even our strongest industries and institutions were at risk. We started to see more regulations for not only the physical handling of data but also cloud-based and digital data management. This really brought third-party risk management to the forefront of organizational leadership.

Over the years, the vendor risk management industry has grown and morphed to tackle the increasingly complex issue of cybersecurity along with constantly changing international regulations. We’ve also seen a rise in the Chief Information Security Officer position – what once was another role/function for the IT department is now a team of experts in most established organizations. One thing we know for sure is that these challenges are only going to get more complicated, and a strong vendor risk management program is essential for the longevity of an organization.

So, what is next for third-party risk management? How do we evolve as federal involvement increases and major breaches and hacks occur on a regular basis? There are a few essential elements to a successful third-party risk management program.

It’s a Program, not a Project

Organizational leadership must stop thinking of risk management as a one-time (or once-a-year) project. It is an ongoing program that requires ongoing monitoring. Your vendors’ practices, your business, and the requirements of your industry are constantly changing, and your third-party risk management program should reflect that. This is why tools like RiskRecon, which continuously monitor vendor data, are essential on top of assessment solutions like Privat that validate security controls. Risk management can be overwhelming, confusing, and time-consuming, so it is tempting to knock it out in a month and then forget about it, but it should be a constant movement within the organization. Starting with the vendors that have the most data touchpoints and working down to the smallest vendors with far less access to your company’s information, every vendor should be continuously assessed.

Strengthening Relationships

We all know that a strong relationship goes a long way in any business environment. This is especially true of your vendor relationships. To get your security assessments completed in a timely manner so you can effectively assess your risk, you need buy-in from your vendors. At SPI Inc., we took the time to develop an easy-to-use platform on which vendors can quickly complete their assessments and save their answers for future use.

Over the next few years, vendors are going to be responsible for sharing their processes for handling data with more and more of their clients. By establishing a strong relationship early on, you can set yourself up for success and help your vendors at the same time.

Comprehensive Risk Management

The future of third-party risk management is going to be about connecting the dots and having a truly comprehensive program. A good TPRM program will include collecting security questionnaires that ask important questions about how a vendor is handling your data. Based on those questionnaires, you assign the vendor a risk rating, and leadership uses that information to make decisions about whom to share data with. But how can you check the vendor’s responses? How can you be certain that their answers are accurate? That is where Safety Projects’ partnership with Risk Management Inc. comes in: to bridge the gap between security questionnaires and continuous data monitoring. Regardless of what platform you use, it is critical to have a “due diligence” process in place. Having a comprehensive, scalable TPRM program will no longer be optional as data regulation becomes a top priority for governments across the globe and breaches become more commonplace.
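The paragraph above asks how a questionnaire answer can be checked against evidence. The script below is an added illustration of that reconciliation step; it is not code from this article, from Safety Projects International, Risk Management Inc., RiskRecon or Privat. It segments vendors by data access, flags every control a vendor claims to have in place that a monitoring finding contradicts, and weights a disproved claim more heavily than an admitted gap, since a false attestation undermines the rest of the questionnaire. The control names, the control-to-finding mapping, the weights, the tier thresholds, the reassessment cadences and the three sample vendors are all constructed assumptions for the example.

```python
"""Reconcile vendor questionnaire answers with continuous-monitoring findings.

Added example, not code from the article or from any vendor named in it.
All control names, weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass, field

# A "yes" answer to the control on the left is contradicted by the monitoring
# finding on the right. Assumed mapping; a real program derives it from its
# assessment platform's control catalogue.
CONTRADICTING_FINDING = {
    "legacy_tls_disabled": "legacy_tls_offered",          # TLS 1.0/1.1 still negotiated
    "no_exposed_admin_services": "rdp_or_smb_exposed",    # 3389/445 reachable from internet
    "dmarc_enforced": "dmarc_policy_none_or_missing",
    "certs_managed": "expired_certificate",
}

# Impact weight of each control being absent (assumed values).
CONTROL_WEIGHT = {
    "legacy_tls_disabled": 2,
    "no_exposed_admin_services": 4,
    "dmarc_enforced": 1,
    "certs_managed": 1,
}

TIER_MULTIPLIER = {1: 3, 2: 2, 3: 1}      # how much a gap matters per tier (assumed)
REASSESS_DAYS = {1: 30, 2: 90, 3: 365}    # continuous-assessment cadence per tier (assumed)


@dataclass
class Vendor:
    name: str
    data_touchpoints: int                  # systems/data sets the vendor can reach (assumed metric)
    answers: dict                          # control -> True if the vendor claims it is in place
    findings: set = field(default_factory=set)  # observations from continuous monitoring


def tier(vendor: Vendor) -> int:
    """Segment by data access: tier 1 gets the most scrutiny (thresholds assumed)."""
    if vendor.data_touchpoints >= 5:
        return 1
    if vendor.data_touchpoints >= 1:
        return 2
    return 3


def reconcile(vendor: Vendor) -> list:
    """Controls the vendor claims to have that monitoring evidence contradicts."""
    return sorted(
        control for control, finding in CONTRADICTING_FINDING.items()
        if vendor.answers.get(control) and finding in vendor.findings
    )


def risk_rating(vendor: Vendor) -> dict:
    """Score the vendor from admitted gaps and disproved claims, scaled by tier."""
    contradicted = reconcile(vendor)
    score = 0
    for control, weight in CONTROL_WEIGHT.items():
        if not vendor.answers.get(control, False):
            score += weight            # admitted gap
        elif control in contradicted:
            score += 2 * weight        # claimed but disproved: evidence beats attestation
    if contradicted:
        score += 2                     # one false answer casts doubt on all the others
    vendor_tier = tier(vendor)
    score *= TIER_MULTIPLIER[vendor_tier]
    label = "high" if score >= 12 else "medium" if score >= 4 else "low"
    return {"vendor": vendor.name, "tier": vendor_tier, "score": score, "label": label,
            "contradicted": contradicted, "reassess_days": REASSESS_DAYS[vendor_tier]}


def prioritize(vendors: list) -> list:
    """Ratings sorted so leadership sees the riskiest vendor first."""
    return sorted((risk_rating(v) for v in vendors), key=lambda r: -r["score"])


# Constructed sample vendors (not real companies or real findings).
SAMPLE_VENDORS = [
    # Claims everything is in place, but the scanner still sees legacy TLS.
    Vendor("PayrollCo", 8, {c: True for c in CONTROL_WEIGHT}, {"legacy_tls_offered"}),
    # Admits it has not disabled legacy TLS; its DMARC claim is contradicted.
    Vendor("SwagShop", 0, {"legacy_tls_disabled": False, "no_exposed_admin_services": True,
                           "dmarc_enforced": True, "certs_managed": True},
           {"dmarc_policy_none_or_missing"}),
    # Claims everything and monitoring agrees.
    Vendor("CleanDesk", 2, {c: True for c in CONTROL_WEIGHT}),
]

if __name__ == "__main__":
    for rating in prioritize(SAMPLE_VENDORS):
        print(rating)
```

The point of the weighting is that a contradicted "yes" is worse than an honest "no": the admitted gap can be tracked to closure, while the disproved claim means the questionnaire itself cannot be trusted and the vendor should move up the reassessment queue.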

McKinsey reported that managing third-party risk in a growing technological climate should include:

  • Segmentation and organization of vendors
  • Rules-based due diligence (and evidence of third-party due diligence)
  • Post-contract compliance management and transparency
  • Clear guidelines for governance and escalations
  • Comprehensive technology and modern tools

These elements are true today, and we would argue that you should be able to find all of them in a single platform. Safety Projects International Inc.’s expanding partnership with Risk Management Inc. speaks to the future of TPRM and provides one of the most comprehensive risk management programs in the industry today. Check out our webinar on Strategy & Risk with Dr. Bill Pomfret, CEO of Safety Projects International Inc., who will discuss where third-party risk management is going in the next few years.

Bio: Dr. Bill Pomfret of Safety Projects International Inc., who has a training platform, said, “It’s important to clarify that deskless workers aren’t after any old training. Summoning teams to a white-walled room to digest endless slides no longer cuts it. Mobile learning is quickly becoming the most accessible way to get training out to those in the field or working remotely. For training to be a successful retention and recruitment tool, it needs to be an experience learners will enjoy and be in sync with today’s digital habits.”
