Posted on Aug 20, 2020
While Vendor Risk Management (VRM) and Third-Party Risk Management (TPRM) are often used interchangeably, they’re not always the same thing. And what about Enterprise Risk Management (ERM)?
Risk management is extremely important when it comes to information security, and especially where third parties are concerned. According to Deloitte’s Extended enterprise risk management (EERM) TPRM global 2020 survey, 84% of respondents said their organization had experienced a third-party incident in the last three years.
Vendors and other third parties are a frequent point of concern for organizations worried about risk, because third parties tend to raise the cost of a data breach: according to the Ponemon Institute, the average data breach costs $3.92 million, and a breach caused by a third party costs more than $370,000 on top of that.
This is especially concerning because you have no direct control over the measures your third parties put in place to ensure their own (and your) cybersecurity. That is where the various risk management programs come into play.
Vendor Risk Management, or VRM, is the process of vetting your vendors, suppliers, and service providers to ensure that they do not pose an unacceptable risk to your organization, such as the threat of a data breach, the potential for a disruption of your business, or some other negative impact on your organization’s business performance.
Vendor risk management is specific to the third parties you buy from — your vendors and suppliers. Vendors can include any third party you regularly purchase from, from the companies who provide parts to a manufacturer to cloud storage providers or other Software as a Service (SaaS) providers.
While VRM is specific to vendors, TPRM is the process of vetting all your third parties.
Most organizations do business with a number of third parties, and those third parties fill many roles. Some are vendors, but others fall into different categories, such as partners, contractors, and consultants. TPRM is therefore an umbrella that covers VRM as well as other kinds of third-party risk management, such as Supplier Risk Management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, and contract risk management, among others.
The goal of a TPRM program is to identify, classify, and categorize the risk associated with every external party with which an organization has a relationship. Third-party risk management is conducted to assess the ongoing behavior of each third party as well, and to monitor the risk they may pose to your organization.
While VRM is focused on vendors and TPRM has a wider focus, ERM is an even broader concept.
Enterprise Risk Management, or ERM, is the process of identifying and addressing any potential risks or threats to an organization. TPRM and VRM fall under its umbrella. It is a growing field, according to Deloitte: 45% of organizations have increased investment in ERM because of growing pressure from regulators, and 52% say that ERM is turning into a broader concept that includes contract management, performance management, and financial management.
Rather than simply buying cybersecurity insurance to cover all risks, an organization that has implemented ERM takes a plan-based approach: it has assessed its risks and responded in one of several ways:
Once plans are made, they are often shared among stakeholders.
Like most risk management techniques, ERM requires leadership to look at the negative sides of risk, but it also asks decision-makers to find the competitive advantage within risk as well, seeking opportunities that might arise out of risk management.
You can never eliminate risk, but you can manage it. To reduce the administrative time and effort spent managing third-party relationships, consider an intelligent tool that automates parts of the process.
SecurityScorecard’s Atlas uses artificial intelligence to streamline the third-party (and vendor) risk management process. Using our platform, your organization can upload vendor responses to questionnaires. Our machine learning compares those answers to previous questionnaires and to the platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, give you the documentation you need to demonstrate governance over your vendor risk management program to your leadership.