Five Steps To Kick Off Your TPRM Program
Whether you’re just beginning your TPRM journey or want to improve an existing program, here are some starting points:
1. Identify Your Key Risks
It’s crucial to uncover both internal and external threats across your organization. Questions to ask include:
- Do you need to meet certain regulatory requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA))?
- Do you use a cloud provider to store customer data?
- How many employees have access to company or customer information?
- Could natural disasters or political unrest disrupt your supply chain?
2. Think of TPRM as an Enterprise-Wide Endeavor
To secure strategic alignment and resources, you need leadership commitment and executive support. Find the business leaders who can champion adoption, raise awareness, and integrate TPRM practices into day-to-day processes. Board-level involvement is essential for stakeholder buy-in.
3. Develop Risk Categories
According to the Opus & Ponemon Institute’s 2018 Third-Party Data Risk Study, organizations, on average, share confidential and sensitive information with approximately 583 third parties. That’s a lot of data to patrol!
However, it’s unlikely that you’ll need to treat each third party with the same scrutiny (e.g., an event caterer is low-risk, while your payroll provider is high-risk). You can start with a mini-survey of all of your vendors to determine the risk classification you want for each. Once you have identified those risk profiles, the next step is to select the subset of high-risk vendors to examine more closely.
4. Complete a Vendor Risk Management Checklist
This is a simple way to identify your needs and software requirements to execute your program. Our vendor risk management checklist outlines key features you should look for in a VRM solution and explains the significance of each in mitigating vendor risk, including:
- Vendor risk assessment workflows
- Vendor engagement
- Risk reporting requirements
- Architecture and infrastructure
5. Pre-Qualify Vendors
Diligent has integrated BitSight Security Ratings into the Diligent Third Party Management solution for information security. These Security Ratings are similar to consumer credit scores (they range from 250 to 900) and are updated daily. That means you can check the security performance of a potential vendor before you sign a contract, and throughout your working relationship.