The Union

The Future of TPRM

Krista Software

Most third-party risk lifecycles follow a similar pattern: planning, due diligence, contract negotiation, ongoing monitoring, and termination. How these processes are managed, and who is responsible for them, differs significantly across organizations. Traditionally, the information security department carried this burden, but recent events such as Covid, regional wars, political changes, and socially focused legislation have broadened organizations' perception of risk beyond IT alone. It now includes geographical, reputational, concentration, and compliance risks.

Different departments, drawing on their own expertise, now seek information from third parties to manage these diverse risk types. Third-party risk management expert Tom Garrubba offers practical advice to help companies tailor their third-party risk management activities to their size, risk profile, and risk management needs. Regardless of where the organization situates third-party risk management, the ultimate responsibility rests with the third-party risk manager and the business owner. They must identify the requirements and supporting documentation for each vendor, so that a thorough assessment can be performed during due diligence or ongoing monitoring.

The assessment process presents challenges for both the vendor and the risk manager, often requiring more than 40 hours to complete and validate. Midsize companies dealing with dozens to hundreds of third parties quickly run into these complications. Vendors, for their part, are often overwhelmed by assessment requests from their many customers and may instead issue a "customer assurance packet" containing a broad set of information that you must sift through yourself to identify potential risks.

Third-party risk management is essential, even in industries where it is not legally required. Organizations lacking a robust strategy and supporting technology risk overloading their vendors with assessments and distracting their internal teams. If you operate in a regulated industry, expect your strategy and technology to come under scrutiny eventually.

More at krista.ai