Third-party management success secrets: mastering the art of due diligence and risk management
Nikki Stoy, GRC Cloud Specialist, OneTrust
Below is an insight into what can be expected from Nikki’s session at Vendor & Third Party Risk Europe 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
What are the primary goals of successful third-party risk management (TPRM) and third-party due diligence (TPDD) programs?
In order to define the goals of successful TPRM and TPDD programs, first we must understand what it takes to stand up each of those pillars.
Building a structured third-party risk process involves buy-in from stakeholders across all business units within the organization, with a heavy lean on security teams. The average number of third-party partnerships per company has grown exponentially in recent years, forcing businesses to re-evaluate and protect themselves against the growing scope of threat vectors.
TPRM is designed to give organizations an understanding of the third parties they use, how they use them, and what safeguards their third parties have in place. The scope and requirements of a TPRM program are dependent on the organization and can vary widely depending on industry, regulatory guidance, and other factors.
Once these processes are in place, the goal of the third-party risk management team is to ensure that any outside business or entity given access to your company’s data, in any shape or form, is fully vetted for compliance and mitigation strategies. This includes assessing the third party with security questionnaires to see whether it follows industry-appropriate guidelines and frameworks.
For third-party due diligence (TPDD), while the team and process may look a bit different, the goals are the same as TPRM — keep the company’s data and reputation away from harm.
A TPDD program should align with ethics and compliance inputs, alongside some legal influence. Those teams keep their fingers on the pulse of regulatory compliance needs for your business as well as for the companies your business works with.
Using due diligence screenings to calculate risks will create a streamlined focus for the ethics and compliance teams working on keeping the brand safe from third-party risks. It’s these checks and balances that are central to TPDD working hand-in-hand with TPRM to mitigate third-party issues.
What are the distinct differences between TPRM and TPDD?
The common goal of TPRM and TPDD programs is to evaluate whether a third party is safe to do business with. While TPRM and TPDD programs share that goal, each program defines “safe” in a very different way and evaluates its own risk domains to reach a decision.
Risk management programs prioritize cyber security, privacy, and business resilience risks, while due diligence programs specialize in ethics- and compliance-related risks.
Both, however, are integral to the security posture of any organization.
How can we achieve workflow efficiencies and align TPRM and TPDD?
The simplest way to achieve workflow efficiencies that would align TPRM and TPDD programs is to deploy an automation system that handles the needs and requests of each department at scale between your business and prospective or current partners.
Through automation, your company can holistically manage the third-party management lifecycle stages, which include:
- Third-party identification
- Evaluation & selection
- Risk assessment
- Screening and compliance checks
- Risk mitigation
- Contracting and procurement
- Reporting and record-keeping
- Ongoing monitoring
- Third-party off-boarding
These are time- and resource-intensive needs that can gain efficiencies through automating third-party management.
In doing so, ethics and compliance teams get a partner in the third-party due diligence process. Automating this area includes the ability to:
- Trigger risk management workflows with data source integrations
- Use due diligence screening to auto-calculate risks and observe mitigation recommendations
- Get real-time, contextual alerts and report on risk trends over time
Third-party risk and third-party due diligence are necessities in an ever-growing digital world. Aligning the two domains and deploying tools to create efficiencies will help your business mitigate risk to the best of its ability.