Blog | Cyber Security News & Training | Securetain

Third-Party Risk Management Part IV

According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher at 61 percent. Also noted that many breaches go undetected: 22 percent of respondents admit they didn’t know if they had a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach cost.

We covered the Major Breaches and Bankruptcy in Part I, and Part II and III were about the Drivers, Alignment, and Governance of Third-Party Risk Management (TPRM). The series will cover the following topics at a high level to provide sufficient knowledge for professionals to design the program that commensurates with the size, nature, and objectives of the organization. It explores the topics below:

Many organizations are not aware but intellectual property (IP) breaches can be a recipe for bankruptcy.

Categorizing Vendors

The vendor categorization helps in determining the focus of risk management efforts based on the business value vendor delivers and how critical is vendor’s contribution in achieving business objectives. The strategic vendor, for example, represents significant client spending, a high cost to switch, and is expected to deliver a high level of business value. Hence all vendors do not require the same level of scrutiny for risk management.

In order to prioritize the risks to be monitored, it is essential to segment the vendors. The chart below provides information about different factors that help categorize vendors. The publications by Forrester, Gartner, ISACA, and other professional organizations provide questionnaires to assist in categorizing vendors based on their criticality to business objectives.

  Strategic Legacy Emerging Tactical
  Current Expenditure  High  Medium or High  Low to Medium    Low to High
  Future Expected Spending  High to Medium  Medium to High Medium to High  Low to High
  Strategic Alignment  High  Medium  High  Low
  Breadth of Product or Service/Dependency  High  High  Low to Medium  Low

It is essential to manage the relationship with vendors based on the risk it poses to the organization’s objectives. Below is brief about the different categories of the vendors:

The classification vendors will also help the organization to develop and implement controls to reduce the risk. The business continuity will take into consideration the risks associated with strategic vendors in its continuity planning and risk resiliency program.

In Part II we discussed Drivers of Risk Management. Part III is about Alignment and Governance. The four very important considerations for TPRM governance are:

  1. Alignment of customer and providers goals
  2. A comprehensive inventory of third parties
  3. Accountability for oversight and the overall management of your TPRM Program
  4. Clearly defined roles and responsibilities across the organization

In Part V we will cover the next topic “Analyzing Vendor Risks.”

RELATED POST:

Third-Party Risk Mgt.- Major Breaches and Bankruptcy Part I

Third-Party Risk Mgt.- Major Breaches and Bankruptcy Part II

Third-Party Risk Management Part III

Third-Party Risk Management Part V