Companies often work with a large number of service providers in order to be able to concentrate on their core business or save costs. For this to succeed, companies must grant their service providers access (digital and analog) to their company assets. This opening up to service providers is not without risk, as an information security breach at the service provider can quickly lead to damage within the company. To address this risk appropriately, companies need to introduce effective third party risk management (TPRM). In our series of articles "Information security in third party risk management", we explain the basics of effective TPRM, common stumbling blocks and possible solutions.
How to – Steps for setting up a TPRM program
The more business processes are outsourced (in whole or in part) to service providers and the more business-critical the outsourcing is, the greater the need to identify information security risks that may arise from the collaboration. This requires structured Third Party Risk Management (TPRM). The following steps will help you to set up such a TPRM:
1. Review / Preparation
First, review which processes for service provider management already exist in your company, for example in onboarding or purchasing. Check which regulatory requirements may need to be met (e.g. KRITIS or DORA). Then carry out a target/actual comparison and check your existing processes for efficiency and effectiveness: Are the defined processes practicable? Do they meet the requirements?
2. Definition of policy and governance model
First, determine the basic design principles of your TPRM program. Your business strategy will play a big role in making some decisions. It will answer questions such as how many third parties your company will engage with, what types of services you are willing to outsource, and whether the processes of your TPRM program need to scale as your company grows. These considerations then lead to decisions about specific design principles, such as:
- Do you pursue a risk-based approach or a one-size-fits-all solution for all third-party contracts?
- Do you use manual or tool-supported management?
- Do you limit your TPRM program to external service providers or do you also apply it to internal service contracts?
Also ask yourself how to deal with resellers, for example of software, since you usually cannot pass your TPRM requirements on to the manufacturers directly.
Then design the main TPRM process and, based on this, all sub-processes and surrounding processes. Identify the interfaces to other departments and business processes. For example, your main TPRM process could look like this:
- Onboarding
- Criticality rating
- Determining the scope of the contract
- Determining the scope of the assessment
- Conducting the assessment
- Identifying and treating risks
Bear in mind that the process may be different for new and existing service providers: Ideally, the design is based on a new third-party relationship. However, changes to your TPRM processes must also be transferred to existing contracts. Here you need to decide where the entry point of existing contracts into the new process can reasonably be placed. Decisions on whether it is advisable to let certain contracts expire instead of transferring them to the new process may also need to be made at this point.
Define clear roles and responsibilities within the company for the various process steps and decisions. Which departments or people need to be involved in which decisions? Who is authorized to make certain decisions, such as approving the acceptance of a certain risk?
Set goals and define metrics to measure the success of your TPRM program. We will outline how this can be done in a follow-up article.
Establish policies and procedures for evaluating and monitoring service providers.
Define escalation and reporting mechanisms.
3. Implementation into regular operations
Once your TPRM policy has been finalized, the next step is to integrate the newly developed processes into your company's regular operations. The biggest challenge here is to implement this as smoothly as possible without disrupting your operating processes. The support of an external consultant can make a decisive contribution to success here.
4. Monitoring
Continuous monitoring of your TPRM program is essential to ensure that all third parties are meeting their obligations and that there is no undesirable risk to your company. It includes, for example, the following questions:
- Which third parties are due for a reassessment, and when?
- Have mitigating measures been implemented for identified risks?
- Has there been an information security incident at a third party?
- Has the service scope of a third party changed, and do these changes bring additional requirements that need to be considered?
New TPRM measures will regularly emerge from the findings of this monitoring and will need to be integrated into your regular operations. Here, too, the support of an external consultant can be helpful.
Do you need assistance?
Do you need support in setting up your third-party risk management program? Our experts are happy to help.