Companies often work with a large number of service providers in order to be able to concentrate on their core business or save costs. For this to succeed, companies must grant their service providers access (digital and analog) to their company assets. This opening up to service providers is not without risk, as an information security breach at the service provider can quickly lead to damage within the company. To address this risk appropriately, companies need to introduce effective third party risk management (TPRM). In our series of articles "Information security in third party risk management", we explain the basics of effective TPRM, common stumbling blocks and possible solutions.
Monitoring your TPRM program - these are the questions you should ask yourself
If you have set up a TPRM (Third-Party Risk Management) program in your company or are in the process of doing so, you will naturally want to monitor how well it is working. After all, you can ultimately assess which adjustments you still need to make to the program only with the help of meaningful insights into its performance. A TPRM program usually involves a large number of third parties that vary greatly in size, performance and criticality to the company. In addition, there are various internally involved departments and roles, such as information security, purchasing, risk management and various specialist departments, which may also need to be taken into account in the TPRM program. Defining meaningful key performance indicators for such a complex system and establishing functioning monitoring mechanisms is therefore a challenging task. This makes it all the more important to plan this task in a goal-oriented manner, to approach it pragmatically and to gradually expand the TPRM program.
To help you set up the monitoring of your TPRM program, we have put together some questions you should answer for yourself:
Which aspects of the TPRM can and would I like to monitor?
The monitoring of your TPRM program will be as unique as your company and your supply chain. However, regardless of how many and what types of third party relationships your company has, there are certain key aspects to monitoring your TPRM program. We have listed the most important ones for you here:
Effectiveness
Are all required TPRM process steps performed? This includes, for example, the completion of self-disclosures (by your third parties) or the assessment of risks from self-disclosures (by your company). If this is not done, information on third-party compliance (TP compliance), for example, is not very reliable.
Efficiency
Are the steps carried out within their specified deadlines? Here too, a distinction can be made between the steps carried out by third parties and those carried out by internal parties such as the information security/TPRM team/specialist departments. If there is a lack of efficiency, resources may be overloaded and the quality of the results will suffer.
TP compliance
What have the third parties themselves stated with regard to compliance, for example in self-disclosures? What results were obtained in assessments (self-disclosures or audits) that you have carried out with third parties? What do monitoring/scoring services indicate about the status of your third parties? Such services can be a way to gain some visibility of third party vulnerabilities even without audits.
TP risk level
What are the internally registered third-party risks? How are the risks assessed? What is the status of risk treatment? Are there concentrations with individual third parties or, the other way round, with parts of your company that make use of third parties?
TP incidents
Have there already been security incidents at third parties? If yes, has there been any known damage to your company and to what extent?
For all aspects that you would like to include in your monitoring, weigh up the effort required against the expected informational value. When setting up your monitoring, we recommend that you first focus on the aspects that can be easily identified with the TPRM tooling you are using. In any case, you should focus in particular on the aspects that show you major problems or the greatest risk potential. Also make sure that you include all aspects that are required for regulatory reasons in your monitoring.
In which dimensions can and would I like to monitor?
Of course, you are also free to choose the dimensions of your monitoring. The following two dimensions offer you the greatest informative value to start with and are also relatively easy to determine:
Time
You can use suitable metrics to monitor changes over time. To do this, you need corresponding historical values. For example: comparison of the compliance of a third party with the same third party in the previous year.
Cohort
You can compare third parties with each other. Due to their heterogeneity, you should divide your third parties into cohorts in order to actually be able to measure your measurement objective in a meaningful way. You can divide the cohorts based on criteria such as criticality, industry and company size of the third parties.
What should I keep in mind when it comes to KPIs?
When selecting your KPIs, always keep in mind that the goal is not to collect the KPIs themselves. Rather, your goal is to be able to act immediately if the KPIs indicate a need for action. Therefore, define meaningful and goal-oriented actions for each KPI in advance that you will carry out if one slips into the “yellow” or “red”. This way, you are prepared to maintain an acceptable level of risk if necessary or to adhere to the internally available budget for your TPRM program.
The metrics you choose to evaluate your TPRM program should meet the well-known “SMART” criteria. The acronym SMART stands for:
Specific
Is the target for the TPRM program to be achieved using the KPI precisely and clearly defined?
Measurable
Can the measured values be collected effectively and efficiently - especially if this requires input from third parties? Can the key performance indicator be used to assess whether the objective has been achieved, both after the defined actions have been completed?
Achievable
Is the target to be achieved with the help of the KPI desirable and achievable through the defined actions or already achieved if no action is required?
Result-oriented
Do the KPIs together with the defined actions serve the objective of the KPI for the TPRM program?
Time-bound
Are both the key performance indicator surveys and the actions to be taken scheduled in such a way that deviations from the TPRM program objectives are corrected within a reasonable period of time?
The heterogeneity of your third-party relationships must also be taken into account when selecting suitable metrics. When defining KPIs, threshold values and predefined actions, it is therefore essential that you differentiate between different third parties based on their criticality for your company and the characteristics of the third parties, such as their size or the complexity of the service provided.
How do I improve monitoring?
The monitoring of your TPRM program should be continuously improved, just like your TPRM program itself. Once you have established basic monitoring, you can gradually develop your TPRM program based on experience gained or tool improvements. We recommend that you set a date early on, for example four years in the future, to carry out a trend analysis and evaluate the results. You can then incorporate the knowledge gained from this into the improvement of your KPIs.
When monitoring your TPRM program, always bear in mind that collecting KPIs alone does not necessarily add value to your TPRM program. Therefore, don't just look at your KPIs in isolation, but also assess them in the context of the overall situation whenever possible. Even though high-quality metrics are an extremely helpful tool in monitoring your TPRM program: Make sure that you do not exclude “common sense” by defining and evaluating KPIs.
Do you need assistance?
Do you need support in setting up your third-party risk management program? Our experts are happy to help.