The Gaps in The Fence – Addressing Your TPRM Programme’s Blind Spots
by Nick Swallow
There are gaps in your Third Party Risk Management (TPRM) defences.
You may have updated your policies and procedures, listened carefully to the regulators, put tools and technologies in place, trained SMEs and marshalled your suppliers, but there are still gaps in your TPRM defences.
Industry focus in the last few years has rightly been on the content of assessments and the technologies that facilitate them, but there have been fewer conversations about making sure that ‘fringe risks’ are addressed. Even a world class TPRM programme can be undermined by the unaddressed risks that slip through the net.
The Scope of Third Parties
When you talk about this subject, are you using the words ‘vendors’ and ‘suppliers’ rather than ‘third parties’? The choice of words points to a fundamental question we should all be discussing: what is a ‘third party’, and who should we be assessing?
Traditional suppliers, distributors, partnerships, alliances and intra-company relationships can all pose significant risks, but companies are often unable to demonstrate that they have applied proportionate risk assessment to all of those relationships.
In 2018 Yahoo! UK was fined £250,000 by the ICO for a breach of customer data held by a third party, and that third party was its own USA division, Yahoo! Inc. Would your processes have considered a relationship like this to be in scope for TPRM?
Other breaches occur where a third party was assessed appropriately at on-boarding, but three years down the road it is offering very different services in a very different threat landscape, and the original assessment is no longer valid. Setting a required frequency of review, backed by continuous monitoring, helps ensure that long-running relationships do not evade reassessment.
Triggers and Compliance
So let’s say we update the policies and procedures to make clear what a third party is and what assessment processes are required: how do we know they are being followed? Poor process compliance, rogue departments and time pressures can all result in work starting with a third party before an appropriate risk assessment has been completed.
While a fully workflow-driven process can enforce compliance, for many organisations deploying a full TPRM platform is not a feasible route. In those cases, manual triggers and checks need to be built into the process flow. Contract request forms are a good place to add a process trigger, but think carefully about any third party relationships that might not start via that form (intra-group arrangements, for example). The contracting process is also a good place to put a check: a simple tickbox for that team to confirm they have seen a completed risk report and are happy to proceed. The check is stronger if the tickbox also captures the report’s reference, so that the confirmation can be audited later rather than taken on trust.
A “Commensurate” Response
By widening the scope of your TPRM programme you may be concerned about the impending workload, but with an appropriate methodology many departments find they are simply refocussing their efforts where they are most needed. The methodology guides practitioners to where deeper due diligence is required, and where less is. This is where we start considering what level of due diligence is proportionate (or, as the regulators prefer, “commensurate”) to the level of risk identified. A phrase I’ve heard is “widen the hopper, narrow the funnel”: bring every relationship into scope, then let the risk-based methodology decide how much scrutiny each one receives.
While I won’t cover the core TPRM process and the different approaches in this blog, I will highlight that a system-driven automated review of the commodity code (the procurement category of the goods or services being bought) will often establish that the proportionate response is simply to allow the business to proceed.
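To make the “widen the hopper, narrow the funnel” idea concrete, the following Python is an added worked example written for this post, not the author’s own tooling or any particular TPRM platform. It takes a register of relationships (every one in scope, intra-group included), screens each by commodity code, tiers the remainder by what they can touch, and flags assessments that have gone stale against a tier-dependent review interval. The commodity-code prefixes, tier names, review intervals and the sample register are all assumptions constructed for the illustration.

```python
"""Worked triage for a widened TPRM scope: every relationship enters the hopper,
a commodity-code screen routes low-risk ones straight through, and the rest are
tiered and checked for stale assessments. Category codes, tiers and intervals are
assumptions for this example, not any particular organisation's scheme."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Relationship:
    name: str
    commodity_code: str            # procurement category code (hypothetical scheme)
    handles_personal_data: bool    # the third party stores or processes personal data
    has_system_access: bool        # the third party connects to or is hosted in our systems
    intra_group: bool              # another division of the same company
    last_assessed: Optional[date]  # date of last completed risk assessment, if any


# Hypothetical commodity-code prefixes whose goods imply no data or system access
LOW_RISK_PREFIXES = ("OFF-", "CAT-")      # e.g. office consumables, catering

# Assumed review frequency per tier: deeper due diligence is repeated more often
REVIEW_INTERVAL = {
    "low": timedelta(days=3 * 365),
    "standard": timedelta(days=2 * 365),
    "enhanced": timedelta(days=365),
}


def assign_tier(r: Relationship) -> str:
    """Decide how much due diligence is commensurate with the relationship.

    Note what is deliberately absent: intra_group never lowers the tier. A group
    company that handles our data is assessed like any other third party."""
    low_risk_commodity = r.commodity_code.upper().startswith(LOW_RISK_PREFIXES)
    if low_risk_commodity and not r.handles_personal_data and not r.has_system_access:
        return "low"
    if r.handles_personal_data and r.has_system_access:
        return "enhanced"
    return "standard"


def triage(r: Relationship, today: date) -> dict:
    """Return the action the process should take for this relationship today."""
    t = assign_tier(r)
    if t == "low":
        # The commodity review is itself the proportionate assessment: let the business proceed
        return {"tier": t, "action": "proceed",
                "reason": "low-risk commodity, no data or system access"}
    if r.last_assessed is None:
        return {"tier": t, "action": "assess", "reason": "no completed assessment on record"}
    age = today - r.last_assessed
    if age > REVIEW_INTERVAL[t]:
        return {"tier": t, "action": "reassess",
                "reason": f"assessment is {age.days} days old, limit {REVIEW_INTERVAL[t].days}"}
    return {"tier": t, "action": "proceed", "reason": "current assessment on file"}


# Constructed sample register covering the cases discussed in the post
SAMPLE_REGISTER = [
    Relationship("Stationery supplier", "OFF-1001", False, False, False, None),
    Relationship("Group payroll division", "SVC-2040", True, True, True, date(2021, 1, 15)),
    Relationship("Cloud hosting provider", "SVC-3110", False, True, False, date(2024, 1, 10)),
    Relationship("New HR SaaS", "SVC-2099", True, True, False, None),
]


def triage_register(register=SAMPLE_REGISTER, today: date = date(2024, 6, 1)) -> dict:
    """Triage every relationship in the register, keyed by name for easy lookup."""
    return {r.name: triage(r, today) for r in register}


if __name__ == "__main__":
    for name, result in triage_register().items():
        print(f"{name:24} tier={result['tier']:9} action={result['action']:9} ({result['reason']})")
```

Two design points are worth noticing. The intra-group flag is recorded but never used to relax scrutiny, which is the lesson of the Yahoo! case above; and the “proceed” outcome for a low-risk commodity is reached without any questionnaire at all, which is where the refocussing of effort comes from once the hopper is widened.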