What is Third-Party Risk Management?

Published March 7, 2020 • 3 min read
Third-party risk management (TPRM), also known as “vendor risk management,” means managing project and enterprise risk posed by an organization’s vendors, suppliers, contractors, service providers, and other entities along the supply chain with whom it has third-party relationships. A third-party risk management program can also examine your third parties’ use of third parties, which are known as “fourth parties.”
Third- and fourth-party risks, should they materialize, could affect your business’ cybersecurity, data security, regulatory compliance, or business continuity. They can also pose reputational risks. In fact, vendor risk management is an integral part of every information security risk management program.
The third-party risk management process is similar to the process used for enterprise risk management, involving risk assessment, risk analysis, risk response, and continuous monitoring. But an effective vendor risk management program includes other processes, as well.
Before onboarding a vendor or service provider (for example, one providing financial services such as payment processing), it is important to perform due diligence: assessing the security of the vendor’s systems, networks, and processes.
Reviewing your contracts is important, as well. These need to assign responsibility in the event of a data breach and require third-party contractors to comply with the same regulations and industry standards that your organization must meet.
Effective third-party risk management also entails ongoing monitoring for real-time management of third-party risks as vendor circumstances change, throughout the lifecycle of the third-party relationship. Solutions that automate these tasks can help with this and other aspects of managing vendor risk.
Which frameworks and regulators require third-party risk management?
A number of regulatory and compliance requirements affect third-party vendors, and may even serve as frameworks for managing vendor risk.
- The Health Insurance Portability and Accountability Act (HIPAA): Third-party risk management is specifically addressed in this federal law. Under HIPAA, electronically stored Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against threats, hazards, and unauthorized use or disclosure. Under HIPAA, vendor contracts must contain privacy and security assurances.
- System and Organization Controls for Service Organizations 2 (SOC 2): Third-party assurance of adequate risk and security controls is increasingly required by contracting organizations in the form of a SOC 2 report.
- The Payment Card Industry Data Security Standard (PCI DSS): Third-party risk management is an important part of this industry standard. PCI DSS requires compliance from “third-party service providers,” which it defines as any vendor that stores, processes, or transmits cardholder data on behalf of a client organization, and any vendor that could affect the security of the cardholder data environment.
- The Federal Risk and Authorization Management Program (FedRAMP): Third-party assessment organizations are part of this federal program, which requires strict security management from cloud providers serving the federal government, who are themselves third-party service providers.
- The General Data Protection Regulation (GDPR): Third-party risk management is required under this European Union law that applies to all entities that collect, process, store, sell, or share data belonging to EU residents. It states that organizations must take necessary steps to protect citizens’ data, including information shared with third parties (known as data processors). Third parties must also protect that data and must comply with all aspects of the GDPR.
- Control Objectives for Information and Related Technologies (COBIT): Vendor risk management using COBIT 5 is spelled out in detail in the Align, Plan, and Organize (APO) domain, from identification to monitoring and measuring. Control objectives include Manage Relationships, Manage Service Agreements, and Manage Suppliers.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework: Many organizations use COSO to mitigate third-party risk. The framework helps organizations minimize risk overall with processes and improved controls, and it addresses third-party risk throughout the document.
In addition, the U.S. Office of the Comptroller of the Currency (OCC) provides guidance for financial institutions in its Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.