Kezia Farnham

Senior Manager

Third-party risk management metrics: Best practices to enhance your TPRM program

Only 4% of organizations don’t use any third-party apps. For the whopping 96% that do, an effective third-party risk management strategy is essential. But so are third-party risk management metrics.

Third-party risk management (TPRM) metrics help organizations understand whether or not their strategy is working. Moreover, the right metrics can provide key assurances to the board that third parties aren’t introducing risk or, if they are, that their cybersecurity team is equipped to mitigate them.

The challenge, though, is selecting metrics meaningful to the security team and metrics that the board (more than likely a non-security audience) can truly appreciate.

Here’s what organizations need to know about third-party risk management metrics to create impactful reports for the board.

How Do You Assess Third-Party Risk?

Though third-party risk management starts at onboarding, it’s so much more than that. Effective TPRM requires understanding every step of the third-party lifecycle, from the day they first get access to your organization to the day they no longer need it.

This includes evaluating what level of access they need and creating guidelines for where and how to access company systems and processes for revoking access once their relationship with the organization ends. Start by creating an effective third-party risk management strategy, then introduce metrics to evaluate performance.

What Are Metrics for Third-Party Risk Management?

Third-party risk reporting can get complicated since these reports must be meaningful to the security team and the board. Large third-party networks, near-constant change and limited resources can further challenge teams tasked with managing their organizations’ third parties.

But no matter what challenges an organization may face, metrics can help evaluate how successful they manage third-party risk. Third-party risk management metrics fall into two categories: key performance indicators and key risk indicators.

1. Key Performance Indicators (KPIs): measure the risk management team. They indicate how successfully the team implements and maintains the organization’s third-party policies and meets longer-term objectives.
2. Key Risk Indicators (KRIs): measure the risks themselves. KRIs indicate an activity’s risk and allow organizations to visualize their third-party risk exposures.

These two figures allow teams to distill complicated security measures into easy-to-read numbers, a win for themselves and their boards.

Examples of Third-Party Risk Management Metrics

Third-party risk management metrics vary from organization to organization. A company that works heavily with contractors may need to evaluate different risks than an organization that primarily uses third-party apps. Regardless of the risk, it’s important to remember that the metrics should tell the organization’s risk story — illustrating what risks exist and how effective the organization is at mitigating those risks.

Some examples of risk management metrics are:

1. Number of Risks Identified: This KPI measures how many risks the team (and individual employees) identifies over time. The organization’s objective will likely be to increase this number; the higher the number, the more effective the team is at understanding third-party risks. 
2. Number of Risks That Occured: Identifying risks is great. But reducing the number of risks that come to fruition is, perhaps, even more important. A high number of risks identified coupled with a reduced number of risks that actually occurred can be a sign of an effective risk team. 
3. Cost of Risk Management: Reporting on this KPI should be two-fold; teams should be able to articulate the current cost of risk management and show how they’re reducing costs over time. This can be a great way to prove the team’s success since lower costs can signal fewer risks over time. 
4. Time to Detect: This KPI articulates how long it takes for a team to detect a possible risk. Boards will want to see low detection times, so risk managers should also report on how their team has reduced (and/or will reduce) their time to detect. 
5. Time to Mitigation: Once teams have detected risks, they need to mitigate them. Acting fast can save organizations from further financial and reputational damage. Time to mitigation can help teams visualize how fast they are now and set objectives for increasing their speed over time. 
6. Comparison by Business Unit: Risk typically isn’t confined to a single business unit or division. Comparing KPIs between business units can help the board visualize where they’re most at risk, then prioritize risk management activities accordingly. 

How to Choose Risk-Management Metrics

There’s more than one way to report on third-party risks effectively. Metrics depend on how an organization works with third parties and the risks they introduce, so no two organizations will report to their boards in exactly the same way. How a risk team reports to the board is heavily influenced by how security-savvy the board is. Less savvy boards may need a more straightforward set of metrics than boards that already understand risk measurements.

But even if the metrics vary, organizations can take the same steps to choose which risk management metrics are right for them.

Here’s how:

1. Understand Each Business Unit: Risk managers and their teams need a deep understanding of each business unit and how they operate in partnership with third parties. Do they use third-party contractors or third-party apps? How do those third parties play into that business unit’s day-to-day activities? Risk teams should talk to key stakeholders within the business to get full insight into the business’s requirements.
2. Create a Risk Program: Risk teams should use insights from each business unit to create a more standard risk program. The outcomes for each team may vary slightly, but this program should detail the organization’s requirements for managing third-party risk at each step of the third-party process.
3. Use the Right Tools & Technology: Manually managing risk is challenging. The more third parties an organization works with, the harder it is to identify and mitigate every risk that arises. Third-party risk management software can do much of the heavy lifting, from enforcing third-party requirements to flagging emerging risks. The right tools can even help report to the board, creating a seamless, end-to-end third-party risk management process. 

Third-Party Risk Metrics Support the TPRM Lifecycle

TPRM is circular. Just like risks evolve, so should the organization’s approach to identifying and mitigating them. In this way, third-party risk metrics are a critical part of the TPRM lifecycle. From onboarding to offboarding, organizations need metrics to understand the risks they face and whether or not their teams are becoming more efficient.

Rather than setting processes or metrics in stone, organizations should look at these as a living, breathing part of their risk program that can change as the risk landscape does. This always-on approach allows metrics to mature along with the organization, ensuring that the organization remains competitive in the face of ever-changing risks.

Read Diligent’s guide to the TPRM Lifecycle to learn more.