Five Best Practices to Improve Your Third-Party Risk Management Program


Each third-party vendor relationship comes with a set of risks that must be recognized in time. These risks are typically multi-dimensional: they extend across partners, service providers, contractors, vendors, and suppliers, and they can affect multiple parts of the organization, such as product lines, business units, and geographies.

An effective third-party risk management program starts by comprehensively identifying potential third-party risks, including process risks, political risks, unwanted events, contract risks, legal and regulatory exposure from non-compliance, and information system failures. This risk identification step should be followed by an assessment of the specific drivers that increase third-party risk.

1. Establish a Tone with Board Level Oversight

Senior management, including the Board and the C-suite, is responsible for the risks in third-party relationships. It is their responsibility to create a culture of collaboration and transparency across the third-party ecosystem while identifying and managing the risks that arise from those relationships.

2. Lead with the Contract

An excellent practice is to focus strongly on the contracts that govern third-party relationships. A thorough, carefully written contract (or Business Associate Agreement in healthcare) that outlines the rights and duties of all parties helps you manage third-party relationships. It is also essential to frame policies and implement controls to mitigate third-party risks. Appropriate testing and monitoring procedures are key to ensuring that risk-mitigating controls are working as expected.

3. Concentrate on IT Vendor Risk

With third parties accessing regulated business information, the probability of a security incident occurring is rising. IT vendor risk should therefore be viewed within the purview of the larger third-party risk management plan. Categorize vendors based on their risk profile and determine a suitable monitoring mechanism for each category. These vendors often pose the greatest risk to the organization because they access, manage, and process its sensitive data.

Conducting proper due diligence can prevent incidents such as the one reported by Berkshire Medical Center to HHS, where 1,745 patient records were affected and the report stated: “A former employee of a business associate (BA), Ambucor Health Solutions, stole the protected health information (PHI) of the covered entity’s (CE) patients that was contained in a mobile computer drive.” [1] A third-party risk assessment could have uncovered the lack of security practices in the management of the covered entity’s data.

4. Identify Fourth-Party Sub-Contractors

The factory fires in Bangladesh once again highlighted the issue of unauthorized sub-contracting. They exposed how organizations often lack full visibility into their supply chains, which puts them in a precarious position.

It is critical to determine whether goods and services are in fact provided by third parties or are actually sub-contracted to a fourth party. The key is to contractually bind third parties to disclose, and obtain approval for, any fourth-party involvement. Also, collect and manage fourth-party information as part of the third-party ecosystem. Ensure that fourth-party subcontractors are within the scope of screening and risk management procedures.

5. Ensure Appropriate Staffing and Investment

As organizations recognize the value of a third-party management plan, many are increasing their investments in these programs. Those investments should not be focused on regulatory compliance alone but should also address managing third-party security risks and improving vendor performance. Appropriate staffing is necessary to run vendor management initiatives at optimal levels, both locally and globally.

Conclusion

In this age of outsourcing and cost savings, there is an ever-growing need to ensure proper management of your organization’s third-party relationships. Establishing a program with executive buy-in and support drives the emphasis on security throughout these partnerships. Proper due diligence on third parties can be time-consuming and encompass a wide variety of security aspects as you implement new solutions, which is why it is crucial to have the staffing and support needed to ensure proper vigilance.

Partnering with industry leaders to conduct this due diligence ensures proper risk management and allows organizations to draw on industry expertise outside their current resource pool, leading to better results and streamlined processes. Contact us today to discuss how we can enhance your third-party management processes and assist in securing your business’s critical functions.

May 21st, 2018

About the Author:

David Rauschendorfer is a Senior Director of Security Services Operations at CynergisTek. David has more than 10 years of experience in risk management. David’s primary focus is on third-party risk management and providing vendor security solutions. David is an active writer and speaker, and enjoys spending his time educating people on information security practices and third-party risk management strategies.