Third-Party Risk Management Framework: How to Select the Right One

By Kasey Hewitt

Posted on Feb 20, 2018

Third-party technology providers can confer huge strategic advantages on a business: they allow each organization to focus on its highest-value activities. But there is a downside: new cyber security risks come with each partnership. Third-party risk is now an integral part of business ecosystems, and a solid risk management framework is required to manage that risk and keep you and your customers safe.

Know your cyber threats

More than a quarter of business and technology executives do not know how many cyber security attacks they have suffered, and a third do not know how those attacks occurred.

Establishing a risk assessment framework is the first critical step an organization can take to decrease risk and increase security. The risk assessment should not only be part of an organization's internal processes, but should also cover its supply chain and third parties.

Third parties consist of an organization's vendors, suppliers, business channels, marketing partners, and so on. The choice of a third-party risk management framework should be based on each company's structure and risk profile, because no two companies are the same.

You are liable for third parties’ failures

The US Federal Office of the Comptroller of the Currency puts it succinctly in its guidance for banks and savings associations:

“[An organization] should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.”

As the FFIEC notes in its Supervision of Technology Service Providers guidance, using partners in your business processes “does not diminish the responsibility of […] management to ensure that the activities are conducted in a safe and sound manner […] just as if the institution were to perform the activities in-house.”

In other words, a proper third-party risk management framework is not a 'nice to have'. It is required to limit liability, and liability is a real issue. Deloitte provides an example in its Third Party Risk Governance & Management white paper:

“A non-US headquartered multinational company, with interests in electricity generation and transmission as well as rail transport, was fined US$ 772 million in December 2014 for engaging in conduct in violation of the Foreign Corrupt Practices Act (FCPA). This has mainly resulted from the inappropriate conduct of third parties and ineffective due diligence and corporate controls over such third parties.”

Best practices for third-party risk management frameworks

The most popular risk management frameworks are the NIST and ISO frameworks. They can be used in tandem, and both encourage organizations to assess risks and implement controls based on their own needs.

There are several best practices for any risk management framework:

  • Take inventory of all third parties the organization has a relationship with.
  • Catalog the cyber security risks that third parties can expose the organization to.
  • Assess and segment third parties by risk, and focus on those activities defined as critical.
  • Develop rule-based diligence testing to stay focused on the third parties carrying the most critical cyber security risk.
  • Establish a decision-making group to own the governance and the framework.
  • Review critical activities to set a benchmark for the third-party risk management framework.
  • Define three lines of defense: business owners, third-party oversight, and an internal audit team.

A solid third-party risk management framework protects an organization's clients, employees, and the strength of its operations. Properly managing cyber security risks can also reduce costs, allowing an organization to operate more efficiently with quality third-party partnerships that can radically change the organization for the better.

Third-party risk management frameworks provide standards across the organization, streamlining oversight and focusing it on the third parties posing the greatest risk. Ultimately this saves money, whether by reducing or eliminating fines and liabilities, or by protecting reputation and brand perception.

Use intelligent cyber security tools

At an administrative level, managing third-party relationships can become a cumbersome task. As a result, many organizations have opted to use intelligent tools that leverage existing data on cyber security risk to implement their third-party IT risk management processes.

Platforms such as SecurityScorecard's cyber security ratings help identify and prioritize third-party cyber risks. Trusted by the world's leading brands, SecurityScorecard can help you strengthen your risk management framework, reduce risk and increase compliance.
