The three steps for third-party risk management are crucial for mollifying regulators and boards alike.
Learn how to measure the impact of your risk management team and reduce the overall cost and time needed to mitigate third-party risks.
Empower your compliance program with ongoing third-party risk monitoring and reporting
Kelly Maxwell
Content Marketing Specialist, OneTrust
July 10, 2022
These days, there is so much data available to us. With so many options, determining exactly which third-party risk metrics to measure and report on can feel like a daunting and endless task. How can you satisfy regulators without spending every waking moment conducting risk assessments?
Since the updated guidance from the Department of Justice (DOJ) emphasizes the importance of ongoing activity and conduct monitoring in the third-party relationship lifecycle, static evaluation is no longer an option. The DOJ’s guidance now asks, “does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” Precise and ongoing monitoring, as well as an emphasis on the supporting relationship management activities required to execute those activities, are now officially the name of the game.
No matter if you’re a seasoned compliance pro or totally new to the world of risk assessment, today we’ll be unpacking the three crucial steps to manage and measure third-party risk.
The first step in third-party relationship management is understanding your unique third-party landscape by conducting risk assessments. If you want to become a trust-based business, protect your brand’s reputation, and ensure compliance, you’ll need to vet and monitor your third-party relationships. But since it is impossible to survey and oversee every individual third party at one time, especially with limited resources, you’ll need to prioritize the highest-risk relationships first. Take the time to conduct a thorough risk assessment in order to triage your third-party relationships and the due diligence activities that support them.
Since third parties aren’t governed by your organization’s oversight, the importance of relationship management cannot be overstated. Businesses, as the first line of defense, need to understand the risks their third-party relationships present by embedding risk management into general business operations. Kick off this process by assigning a relationship manager to every third party your organization does business with. This employee will be responsible for the management, maintenance, evaluation, and reporting on the relationship between your company and the third party. These vital tasks will be essential to the next two steps in the third-party risk monitoring process, detailed below. They must be dependable and knowledgeable enough to tackle the following:
Since the DOJ emphasized the need for “risk-based due diligence,” your third-party evaluation and KRIs should never be one-size-fits-all. After the initial risk assessment is completed and your high-priority relationships have been identified via triage, risk-based due diligence can officially begin. The 2020 Update to the Evaluation of Corporate Compliance Programs lays out guidance for prioritizing due diligence questionnaires and contracting, requiring high-risk relationships to be managed on an ongoing basis.
The DOJ Update asks, “How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?” If you’ve ended up with a small group of high-priority third parties, then you can evaluate them first. But if you end up with a large group of high-priority parties, you may want to go back and refine your criteria in the triage process. Remember that the DOJ will look at your processes, so you must be able to explain your actions and show your work.
Do you remember those old infomercials with the tagline “Set it and forget it”? We sure do. Unfortunately, if your third-party risk reporting has any hope of being accurate and reliable, it must be constantly monitored and reported on. No “one and done” data allowed here. But this isn’t just busy work – if properly done, it will end up being the sharpest tool at your disposal. To objectively determine exactly how your compliance terms and conditions are followed, your ongoing monitoring needs to be systematic, independent, and easily documented. Reporting on your data will become second nature if you consistently capture, detail, and analyze your third-party risk. A minimum baseline for third-party monitoring should include the following metrics:
Beyond the basic third-party monitoring metrics listed above, consider the following list for additional data to evaluate:
Remember that the measurements don’t stop with your third-party vendors; your KPIs will detail your program’s success over time. Own the process by documenting the impact and effectiveness of your internal third-party risk management metrics. A few of these KPIs to consider are listed below as a jumping-off point. Tailor your risk management metrics to fit your specific organization.
How responsive is your team once a risk has been detected? The speedier the response, the lower the potential harm. Aim to reduce this KPI over time to signal efficiency and effectiveness to your Board.
How much does it cost your company to manage third-party risks? As efficiency improves, is that figure decreasing over time? Additionally, if costs are lower here, does that mean fewer risks overall?
The number of risks your team or individual staffers have identified over time. This KPI might increase as your efficiency and third-party comprehension improve.
Although comparing your program to others may help identify areas for improvement, observing the risks from other departments or divisions in your unique organization can encourage more thoughtful and methodical action. Drill down into the above KPIs, across all business units, in order to visualize the greatest risks to your organization overall.
The work isn’t done once you’ve started your oversight and monitoring; the health of your third-party management program depends on regular review. A strong, dependable program stops potential threats in their tracks and resolves issues before they become full-blown Foreign Corrupt Practices Act (FCPA) violations. So that any regulator can test your reporting, stay consistent and fully document the steps you’ve taken. Whenever you audit your compliance program, your meticulous metrics will also support self-assessments down the road.
Want to see what a comprehensive third-party risk management tool looks like in action? The OneTrust team is ready to walk you through a free demo of our third-party risk software solution.
Streamline intake and compliance checks, centralize third-party profiles, automate risk assessments and flagging, monitor compliance and minimize risk with Third-Party Due Diligence from OneTrust’s unified platform for Trust Intelligence. Request a free Third-Party Due Diligence demo today.