Third-Party Risk Management Part IV

2 Mins read

According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher at 61 percent. Also noted that many breaches go undetected: 22 percent of respondents admit they didn’t know if they had a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach cost.

We covered the Major Breaches and Bankruptcy in Part I, and Part II and III were about the Drivers, Alignment, and Governance of Third-Party Risk Management (TPRM). The series will cover the following topics at a high level to provide sufficient knowledge for professionals to design the program that commensurates with the size, nature, and objectives of the organization. It explores the topics below:

  • Drivers of Risk Management
  • Alignment and Governance
  • Categorizing Vendors
  • Analyzing Vendor Risks
  • Monitoring Vendor Risks: The Vendor Management Organization
  • Communicating Vendor Risks
  • Optimization and Standards

Many organizations are not aware but intellectual property (IP) breaches can be a recipe for bankruptcy.

Categorizing Vendors

The vendor categorization helps in determining the focus of risk management efforts based on the business value vendor delivers and how critical is vendor’s contribution in achieving business objectives. The strategic vendor, for example, represents significant client spending, a high cost to switch, and is expected to deliver a high level of business value. Hence all vendors do not require the same level of scrutiny for risk management.

In order to prioritize the risks to be monitored, it is essential to segment the vendors. The chart below provides information about different factors that help categorize vendors. The publications by Forrester, Gartner, ISACA, and other professional organizations provide questionnaires to assist in categorizing vendors based on their criticality to business objectives.

  Strategic Legacy Emerging Tactical
  Current Expenditure  High  Medium or High  Low to Medium    Low to High
  Future Expected Spending  High to Medium  Medium to High Medium to High  Low to High
  Strategic Alignment  High  Medium  High  Low
  Breadth of Product or Service/Dependency  High  High  Low to Medium  Low

It is essential to manage the relationship with vendors based on the risk it poses to the organization’s objectives. Below is brief about the different categories of the vendors:

  • Strategic vendors: They critical to meet the business objectives of the organization, represent high client spending and a high cost to switch.
  • Legacy vendors: They are essential to meet the business objectives of the organization but not critical thought they represent a likely high level of spending and high cost to switch.
  • Emerging vendors: These vendors essentially could become strategic in the future as they provide innovative features but at present represent a relatively low level of spending and less cost to switch.
  • Tactical vendors: These vendors are not critical to meeting business objectives and represent low cost.

The classification vendors will also help the organization to develop and implement controls to reduce the risk. The business continuity will take into consideration the risks associated with strategic vendors in its continuity planning and risk resiliency program.

In Part II we discussed Drivers of Risk Management. Part III is about Alignment and Governance. The four very important considerations for TPRM governance are:

  1. Alignment of customer and providers goals
  2. A comprehensive inventory of third parties
  3. Accountability for oversight and the overall management of your TPRM Program
  4. Clearly defined roles and responsibilities across the organization

In Part V we will cover the next topic “Analyzing Vendor Risks.”


Third-Party Risk Mgt.- Major Breaches and Bankruptcy Part I

Third-Party Risk Mgt.- Major Breaches and Bankruptcy Part II

Third-Party Risk Management Part III

Third-Party Risk Management Part V

Related posts

Everything You Need to Know About DoD CMMC – CMMC Introduction

2 Mins read
In March 2020, Visser Precision Manufacturing confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft…

General Data Protection Regulation GDPR Part II

3 Mins read
The article below is important for every small business including the Sales and Marketing team who generate leads and close the deals….

How Do I Leverage My GDPR Preparation for CCPA? Part III

4 Mins read
The GDPR team has new challenges with the California Consumer Privacy Act (CCPA) compliance and many more to come from other states….

Leave a Reply

Your email address will not be published. Required fields are marked *