3 Secrets to Building a Winning TPCRM Program
by Jonathan Swanson
Did you know third-party breaches account for over half of all data breaches in the US? Our Director of Client Services, Jonathan Swanson, hosted a webinar about the 5 must-have’s for TPCRM. Here are 3 of his top 5 secrets to building a winning program.
Must-Have #1: Third Party Inventory
This may seem a bit obvious, but with the average organization having over 6,000of third parties to support their business, it can be quite the undertaking to establish all of your inventory. Where do you even start?
Follow the money and work backwards. There’s a good chance that your accounts payable team, likely within your finance department list of vendors that have been paid in the last 6-12 months. This is an easy way to build a list of who your third parties are. You might even be lucky enough to have an organization with a procurement department and contracting database. From there, you can standardize your data, fill in the gaps, and identify your highest risk third parties.
There are also some ways to get creative which I will talk about in the webinar.
Must-Have #2: Stakeholder Relationships
Third party cyber risk management should not be a solo undertaking. You need to establish a list of stakeholders that can support your efforts. How do you even know who should be a stakeholder? Anyone and everyone in your organization who is involved with or impacted by a third-party relationship is a stakeholder. Here’s a quick snapshot of who we’re talking about and why:
- Third-party relationship managers and executive sponsor
a. These people will need to know how your activities will impact them and why they are important – and they need to understand the risk to the company.
- Administrative and Risk Functions
a. This will likely include Procurement, Contracting, Legal, Compliance, Enterprise Risk Management, Audit, Finance
b. These should be your closest allies when it comes to achieving your goals as they relate to third party risk management.
- Executive leadership
a. It’s critical to have support at the top, not only to help drive support for your initiative, but to make it easy for others to help you, take down road blocks.
Must-Have #3 – The Big Picture (Assessments are only part of it!)
That’s right – there’s much more you need besides assessments. In fact, assessments are the easy part. In the grand scheme of things designing your program and the supporting organizational change management will be a huge undertaking in your TPCRM journey.
Once you’ve identified your goals and objectives, you’ll need to develop all of the ‘inputs’ and ‘outputs’ that occur on either side of the assessment, allowing you to achieve those goals. Some elements may include frameworks, processes, risk tolerances, escalation processes, policies, lifecycle, and more. What do we mean by ‘inputs’ and ‘outputs’? Check out this list of examples:
- How will new third parties be identified and put through your assessment process?
- How will you categorize those third parties to determine which assessment or assessments they need to go through?
- Once you identify risks in your third-party ecosystem what are you going to do about it?
- Who ‘owns’ the risk? The action? The authority?
- How will you report on what you’re doing?
And finally, you’ll need to be able to communicate with everyone about what you’re doing, prepare them for it, and convince them that it’s the right thing to do – and get their buy-in, so they can understand your goal and help you when needed. A solid organizational change management plan consisting of training, communications, and other methods of stakeholder engagement will be critical to success.
The journey doesn’t end here! There’s a handful of typical challenges that practitioners endure and there’s a number of ways to avoid or outsmart them. And, since TPCRM is an ongoing journey, knowing what your next move will be is essential to your success. We have countless best practices and pro tips to share with you in the webinar so be sure to watch!