What's Inside

Every API, contractor, and supplier adds to your company’s third-party risk. One code exploit or stolen password can expose your company to data theft, litigation, and regulatory sanctions. And with 41% of companies having experienced an impactful data breach, it’s crucial to keep third-party risk under control.

Third-party risk management (TPRM) helps bring your third-party risk under control to improve security and compliance. In this guide, we’ll help you understand what TPRM entails, why it’s important, and best practices.

What Is Third-Party Risk Management?

Third-party risk management is the process of identifying and mitigating risks created when working with outside organizations. 

Third-party relationships are practically unavoidable. However, a more connected world creates IT security risks that could result in data loss or system outages. Growing reliance on third parties for business functions creates a financial risk should a third party’s actions disrupt your business operations. The actions of a third party can also create legal risks for your company. 

TPRM is the proactive solution to risk control, which provides the framework, policies, and procedures you need to evaluate new and existing third-party partnerships. 

Third-Party Risk: Types of Risk Vendors May Introduce

Outside relationships are risky—even contractual relationships. In business, third-party relationships can introduce various types of risk, including:

• Cybersecurity risk: Data breaches caused by weak security systems and ineffective infrastructure can leak customer information and other sensitive data. Many cyber threats can be mitigated through cybersecurity risk management.

• Operational risk: Employee or partner error, fraud, criminal activity, and other events can interrupt business operations. Broken systems, confusing processes, and informal policies between an organization and its third parties can be the catalyst.

• Compliance risk: Leaked information and insecure systems can affect regulatory compliance. Non-compliance, including HIPAA violations, can lead to hefty fines and jail time in serious cases.

• Financial risk: Supply and operation disruptions, including the inability to sell products, caused by third parties can negatively impact an organization's bottom line.

• Strategic risk: Third-party relationship termination or disruption will affect operations, which can halt progress toward organizational goals. Failure to meet internal objectives can impact strategies, which puts project completion at risk.

• Reputational risk: Data breaches caused by weak third-party security can exponentially affect organizational reputations and impact customer perception of your company—even if your organization didn't cause the breach.

To identify your biggest risks from third-party vendors, consider creating a risk register to document and understand the potential types of risk produced by your third-party relationships. Risk registers are extremely valuable tools for all organizations and can help you recognize, mitigate, and remediate all types of risk.

Third Party vs. Fourth Party

Third-party partners are suppliers or vendors you do direct business with. These parties should be under a formal contract with your business. Fourth parties are not contractually related to your business. Instead, they are the third-party vendors of your third-party vendors. 

When designing TPRM and vendor risk management plans, you must consider how you will handle relationships with fourth parties. Any third party with contracted relationships outside your own will pose different risks to your organization. Consider implementing fourth-party risk management strategies into your formal plans:

• Request timely updates to fourth-party changes—additions, subtractions, or adjustments.

• Consider creating formal documentation for fourth-party partners that requires your prior approval to changes impacting your business operations or customer data.

• Read and review your third party’s due diligence, oversight, and partnership protocols. 

Fourth-party relationships may increase risk, but they can also be vital to your business operations. This makes it critical to understand how your third-parties are managing their vendors and partners. 

Why Third-Party Risk Management Is Important

Third-party risk is nothing new, of course. What has changed is the breadth and depth of third-party relationships. Outsourcing has extended beyond basic services to include core business functions, like X-as-a-Service models and corporate network access. These trends expand your exposure to IT security, financial, and legal risks.

An effective third-party risk management framework reduces:

• Cost: Organizations develop proactive measures to prevent or mitigate financial risks.

• Compliance risks: A TPRM framework identifies legal risks and helps develop controls and contingencies.

• Confusion: Risk management increases organizational visibility across all relationship stages.

On the other hand, TPRM increases:

• Security: Regular monitoring keeps third parties in check and security systems up to date.

• Trust: Third-party relationships are built on immediate and continued trust concerning vendor capabilities and intentions.

• Reporting capabilities: Continuous monitoring increases reporting opportunities, and specialized software can provide additional capabilities.

TPRM and Regulatory Compliance

Regulatory frameworks in many industries have evolved from pure enforcement into systems based on risk reduction. These new regimes expect companies to develop policies and systems that prevent or mitigate risks. Regulators still react to violations, but today’s proactive and continuous compliance frameworks methodically integrate risk reduction into complex systems.

TPRM allows organizations to develop compliant risk management processes and adhere to regulatory frameworks, including:

GDPR

The European Union’s General Data Protection Regulation (GDPR) applies broadly. Any company that collects and processes personal information must consider the risks this data processing creates for EU citizens. 

Controllers are organizations that decide what personal information to collect and how to process it. These controllers may outsource processing to third-party processors, which may contract with a fourth-party sub-processor. GDPR expects a risk assessment to include risks created by their processors and sub-processors. This assessment should guide the development of appropriate technical and organizational security measures.

SOC 2

Companies use this compliance framework to create custom processes following a set of Trust Services Categories (TSC) instead of defined controls.

Organizations can use SOC 2 reports as part of their vendor selection process. These reports provide information about the effectiveness of a service provider’s controls and whether they align with the organization’s risk tolerance and security requirements. By choosing vendors with favorable SOC 2 reports, organizations can mitigate potential risks associated with outsourcing services to a third party that does not have the same level of controls in place.

ISO 27001

Companies with Information Security Management Systems (ISMS) use ISO 27001, an international standard of best practices. Correct implementation protects information security and implements internal risk management solutions. 

ISO 27001 emphasizes a risk-based approach to information security. Organizations are required to identify potential security risks and vulnerabilities, assess their potential impacts, and implement appropriate controls to mitigate these risks.

HIPAA

U.S. healthcare organizations are subject to the Health Insurance Portability and Accountability Act (HIPAA), which established protections for patients’ protected health information (PHI)—inside and outside hospital walls. 

Any business associates with access to patient information must be HIPAA-compliant. This includes independent laboratories, medical records processors, and other third parties. Healthcare organizations must diligently and regularly apply risk analysis and management processes to their internal systems and third-party relationships.

FedRAMP

The federal government adheres to the Federal Risk and Authorization Management Program (FedRAMP), which is a compliance program created to ensure the security and privacy of federal information and systems when adopting cloud technologies.

Under the National Defense Authorization Act, FedRAMP provides federal agencies with a structured approach to assess, authorize, and monitor the security of third-party cloud providers. FedRAMP requirements also help federal agencies manage the risks associated with using external cloud services while benefiting from the security controls and practices implemented by authorized providers.

The TPRM Process

Third-party risk management should be part of your company’s overall risk management strategy. Here's a simple three-step TPRM process to ensure your company is mitigating third-party risk when possible:

1. Review and revise existing risk policies. Keep third-party exposure in mind.  Be sure to consider how third parties can impact regulatory and other compliance requirements.

2. Conduct an audit of third-party relationships. Extend this review beyond your formal purchasing contracts. Consider open-source dependencies, workgroup-level relationships, and shadow IT. Understand the risks created by these relationships.

3. Draft internal and external TPRM policies. Supplement these policies with compliance expectations for specific business units.

Once this process is in place, your organization can begin evaluating each third party’s risk profile and take the actions necessary to mitigate their risks. Be sure to address any compliance needs for existing third-party relationships.

TPRM Software Considerations

Streamlined and central TPRM software can be a powerful tool for managing third-party risk. Before investing in TPRM software, consider each tool’s capabilities and your organization’s needs.

Common software considerations include:

• Security practices: Evaluate software security practices by obtaining and reviewing compliance reports or certifications, security testing results, etc.. 

• Questionnaires: Pre-made and customizable vendor questionnaires may be available with some software.

• Scalability: Verify software scalability before investing. If you need to manage hundreds or thousands of vendors, choose compatible software.

• Automation: Simplify the management process with automatic additions, security scans, and more.

• Remediation workflows: Automatically request remediation from specific vendors with built-in workflows. Keep up with requests and response times.

• Reporting: TPRM software should have reporting capabilities for third-party relationships. 

Evaluating Third Parties

Bringing your existing third-party relationships into compliance with your TPRM policies requires a case-by-case evaluation and remediation plan. Every outside relationship needs to be considered—high-risk relationships should be examined more carefully than companies that pose a lesser risk. 

Evaluate your third-party relationships using these tools:

• Risk assessment: Risk assessments and self-reported security questionnaires can help organizations identify how a potential vendor manages its own risks.

• Penetration testing: Automatic and manual penetration testing can identify internal network and system security risks.

• Evaluations: Onsite evaluations can provide objective assessments of a third party’s security and risk management processes.

Based on this due diligence, you can define the remediation steps needed to bring each outside relationship into compliance. These steps could be the third party’s responsibility, or they may involve refinements within your TPRM process. Update your third-party contracts with service-level agreements that specify how each company must maintain compliance.

The TPRM Lifecycle 

Once you've finalized a vendor management policy for new partnerships and your existing third parties are in compliance, your organization’s risk management can settle into regular operations, which typically follows five stages.

1. Evaluation and Risk Assessment

Risk evaluation becomes part of the due diligence process whenever you consider a new third-party relationship. Whether you are evaluating a new or existing third-party partnership, you will use various techniques to assess the new company’s ability to manage risk. Any issues should  be evaluated before bringing the new third party on board.

2. Onboarding

Third parties must adhere to specific onboarding procedures and sign contracts that specify compliance expectations. Be cautious of potential partners that are wary of formal contracting processes, and avoid entering into a partnership with a third party that will have access to your sensitive data without obtaining a signed contract.

3. Monitoring

Periodically re-evaluating third parties confirms the state of their security and risk management processes. Annual reviews may be sufficient for low-risk third parties. Those with access to critical systems and information, however, may require more frequent risk evaluations.

However, TPRM should be a continuous process. Pre-agreement evaluations may not capture every risk a relationship could create, and third-party organizational changes or relationship evolutions could introduce new risks before your next scheduled review. Consider investing in automated monitoring systems, which can flag emerging risks. With early notice, you and the third party have a chance to remediate the risk before it becomes a significant event.

4. Maintenance

Even with powerful monitoring systems, many compliance leaders agree most risks are only uncovered after bringing third parties on board. Maintenance procedures need to follow scheduled and unscheduled reviews. Update policies and respond to risks as soon as they are identified.

5. Offboarding and Termination

Business relationships inevitably end. When they do, you need processes to ensure risk does not linger after contract termination. Handing over the keys—digital and physical—is an obvious step. Offboard partners by securely severing system integrations and removing third-party users from access control systems. Remember to update access codes and collect ID cards. 

However, simply cutting off the third party may not be enough. You must pay more attention to third-party relationships with a high level of integration in your business. If an outside company processed customer information, for example, you must ensure that it destroys all digital records and either destroys or returns any physical records.

TPRM Tips to Keep in Mind 

If you have never assessed your company’s use of third parties, implementing TPRM can be daunting. An internal audit may uncover more third-party relationships than expected, especially since organizational partners can enter third-party agreements with various teams through formal and informal contracting processes. If you’re planning to implement TPRM, keep these tips in mind.

Don’t Adopt TPRM All at Once

Before implementing company-wide TPRM, focus on and assess the business unit or department exposed to the greatest risk. Audit its third-party relationships and prioritize high-risk third parties before bringing medium- and low-risk partners into TPRM compliance. From there, you can expand TPRM further into the organization.

Let Risk Shape Your TPRM Policies

Avoid making blanket TPRM policies. Penetration testing, for example, will not be appropriate for every external relationship. Use your audits to classify third parties based on the risks they could create. Adjust the evaluation process to reflect those inherent risks. Certain remediation actions may be urgent for high-risk third parties but non-essential for low-risk third parties.

Remember TPRM Can Be Challenging

TPRM is not a one-size-fits-all solution to organizational risk. There are some challenges organizations may face while implementing third-party risk management, including:

• Speed: Security reviews and questionnaires can take time. Vendors may not respond in a timely manner, and data collection can make risk assessment lengthy.

• Visibility: Infrastructures may change, which can affect a third-party vendor’s potential risk. Security risks may not be verifiable in real time.

• Consistency: High-, medium-, and low-risk partners do not receive identical assessments. Some vendors may receive more in-depth risk identifications than others. 

• Engagement: Tedious assessments may be ignored by new and existing vendors for weeks or months. 

How Drata Can Help Manage Third-Party Risk

Your company’s many third-party relationships can pose significant information security, financial, and legal risks. Schedule a demo with Drata to learn how you can implement automated continuous compliance monitoring, which will allow your team to focus on other important areas like third-party risk management.