Third-party risk

management
essentials
 Table of contents
Third-party risk is everywhere 3

What is third-party risk management? 4

Organizations’ most critical risks 5

So, how do third parties introduce risk? 7

Real-world examples 8

The difference between VRM & TPRM 10

Fourth-party risk 11

How control frameworks help 12

Galvanize Case Study 15

Conclusion 17

Further learning & resources 19

2
Third-party risk
is everywhere
From big banks and university hospitals to retail But bringing on third parties can also introduce a
fashion chains and every level of government, long list of risks that can do serious damage to an
organizations around the world rely on third parties to organization’s financial and reputational well-being.
provide products and services to keep them running (Like the real-life risk management disasters you’ll
effectively and efficiently. This is because outsourcing read about later on.)
responsibilities to a third party helps you better serve
In this eBook, we’ll discuss the basics of third-party
customers, grow revenues and cut costs.
risk management, how it differs from vendor risk
management and how to begin the process of picking
a risk management framework that best fits your
organization.

3
 What is
third-party risk
management?
1
ISACA defines third-party risk management (TPRM) EXAMPLES OF THIRD-PARTY
as “The process of analyzing and controlling VENDORS:
risks presented to your company, your data, your
+ Your office’s paper shredding company
operations and your finances by parties other than
your own company.” + A contractor providing marketing services to
your department
Parties other than your own company are any
non-customer entities that you’ve established a + The food suppliers who stock your workplace
relationship with to outsource certain operational cafeteria
functions, or to source products or services. These
+ The SaaS company that stores your data in
entities are commonly referred to as third parties,
the cloud
vendors, suppliers, partners and business associates.

1 http://www.isaca.org/about-isaca
4
Organizations’ most
critical risks
A global survey of 170 organizations2 revealed their most critical risks:
1. Disruption in client service due to third-party action.

2. Breach of regulation or law by third parties.

3. Reputational damage.

4. Supply chain breakdown.

5. Financial fraud/exposure.

6. Failure of financial viability of a third party, impacting delivery.

Of the 170 global respondents:

1. 26% suffered reputational damage from third-party actions.

2. 23% have been non-compliant with regulatory requirements (8.7% of these faced a fine or financial penalty).

3. 23% have experienced financial- or transaction-reporting errors.

4. 20.6% have had sensitive customer data breached through third parties.

2 Deloitte, 2016, Third-party governance and risk management, Extended enterprise risk management global survey

5
6
So, how do third parties
introduce risk?
Risk exposure begins when organizations give third- So, if these are the consequences, then why don’t
party vendors access to their facilities, networks and organizations properly scrutinize their third-party
data—often with far less care and concern than they vendors? Well, there are a number of potential
reserve for direct vendors. When one of your third- reasons:
party vendors is compromised, your organization
+ Teams and resources are already stretched to
can experience devastating financial, reputational,
capacity
regulatory, operational and strategic consequences.
Even though your service provider made the mistake + Other tasks are taking higher priority
or is otherwise responsible, you’ll still suffer the
+ There’s an expectation that the third party itself is
consequences. Your customers—and maybe even the
taking the necessary steps to manage risk
courts—will hold your organization accountable.

+ On average, companies share their data with

In other words, a service can be outsourced, but risk
3
583 third parties, creating serious complexity that
ownership can’t be.
many organizations just can’t cope with

+ Uncertainty around how to implement a functioning

vendor risk management (VRM) strategy and
uncertainly about the true cost of ownership, which
includes the logistics of ongoing maintenance and
continual vendor assessment

+ There isn’t buy-in from senior management,

e.g., “We’re not big enough to target” or
“Nobody knows who we are”

3 Opus & Ponemon Institute, 2018, Results of 2018 Third-Party Data Risk Study
7
 Real-world examples
Third-party failures have caused catastrophes in healthcare, banking,
hospitality, manufacturing, retail and the public sector, and they
continue to make front-page news, especially cybersecurity-related
failures. Third parties are often the weakest link, making them much
easier to target by cybercriminals. In fact, 63% of all cyberattacks
could be traced either directly or indirectly to third parties.4
To prove that point, here are just a few third-party incidents that have gained international attention in recent
years:

+ In 2014, 53 million email addresses and 56 million + Marriott International, one of the largest hotel
credit and debit card details were stolen from chains in the world, suffered a data breach in
Home Depot, the largest home improvement 2018. The company discovered that there had
retailer in the US. Hackers gained access to the been unauthorized access by hackers through
credentials of a third-party vendor, eventually its Starwood guest reservation database system
accessing the company’s point-of-sale devices, since 2014, exposing information such as the
where they deployed malware on self-checkout names, phone numbers, email addresses and
systems. The estimated cost of this data breach: passport numbers of nearly 400 million guests.
5
$179 million, including a $25 million settlement. The breach has cost Marriott $28 million to date;
it is also facing a fine of $123 million for violating
the European Commission General Data Protection
6
Regulation.

4 PwC, 2018, The Global State of Information Security Survey

5 Fortune, 2017, Home Depot to pay banks $25 million in data breach settlement
6 Forbes, 2019, Marriott faces $123 million fine for 2018 mega-breach

8
+ Capital One announced a third-party data breach While cybersecurity fails top the list, they’re not the only
that exposed the names, emails, addresses, phone thing that can take down an organization. For example,
numbers, birthdates and incomes of approximately Chipotle suffered multiple food safety crises—yes,
100 million Americans and 6 million Canadians. plural—in 2015. These were the result of a number of
The company blamed a “configuration vulnerability” issues, including the decision to bring locally sourced
in the servers of the cloud computing company food from various suppliers onto their menu. As a result,
that hosted its customer data. According to Capital the company suffered six outbreaks of food-borne illness
One in 2019, the breach could cost between $100 in 2015. The company’s stock dropped 40%, and the
7
million and $150 million. company spent a hefty $50 million on marketing and
8
promotion to win back customers.

So whether it’s a data breach, intellectual property

theft or poor employee training, third-party mistakes
are common (and costly).

Your third-party risk management program is

only as strong as your weakest vendor.
» Chris Murphey, Director of Customer Success, Galvanize

7 CNN, 2019, A hacker gained access to 100 million Capital One credit card applications and accounts
8 Risk Management Magazine, 2016, Dia de la Crisis: The Chipotle outbreaks highlight supply chain risks

9
 The difference
between VRM & TPRM
Before we dig deep into TPRM, we first need to TPRM goes even deeper and includes every single
address a very common question: “What’s the third party, like partners, government agencies, your
difference between vendor risk management (VRM) franchises, or charities in which you donate your time
and third-party risk management (TPRM)?” or money, as well as all of your vendors. In this case,
these organizations may require access to sensitive
VRM is all about vetting partners, suppliers and
company data (e.g., to demonstrate compliance with
vendors to make sure they meet certain conditions.
government regulators), but you often have no ability
These conditions, along with the expectations for each
to define who accesses it or how they use it—and
party, are detailed within the vendor contract, and
there’s a good chance you can’t audit it.
include things like information security and regulatory
compliance requirements. For example, you might TPRM often starts with VRM; it’s the foundation on
specify how often a vendor audit needs to take place, which TPRM is built. Organizations will begin with a
or the password complexity requirements for anyone VRM program and, as they grow and mature, they’ll
accessing your data. identify a need to address the specific and frequently
disparate risks that a growing list of third parties
present.

Whether you take a VRM or TPRM focus, ongoing

monitoring of your program is essential. This is usually
neglected as organizations settle into a long-term
relationship with a vendor. But, as we’ve seen in
our previous examples, not staying on top of these
relationships and conditions only leads to trouble.

10
Fourth-party risk
If you think third parties are your only concern, we’ve got For example, if cybersecurity is one of your
some bad news for you: You could be put at risk by your organization's top risks (and we hope it is), third parties
vendors’ vendors—welcome to fourth-party risk. (And who have access to your sensitive data will require
don’t forget about your vendors’ vendors’ vendors... but deeper scrutiny and management than those who
we’ll save fifth-party risk for another eBook.) don't. This will flag organizations where you will require
a deeper investigation into their subcontractors.
Fourth parties can introduce the same financial,
reputational, regulatory, operational and strategic Again, we know that not all fourth parties can be
risks as third parties. However, fourth-party risk managed the same way, but when it comes to your
can be even more difficult to detect, manage and vendors, you can help protect and strengthen your
remediate, because you’ve got no legal contract with organization by:
the organizations in this extended network.
+ Taking a risk-aware approach to outsourcing
In Deloitte’s fourth annual extended enterprise risk services
9
management survey, only 2% of respondents said
+ Identifying and prioritizing risks based on
they identify and monitor all fourth-party risks. And a
organizational objectives
further 8% only identify and monitor what they deem
to be their most critical relationships. + Creating detailed, legally binding contracts
that include any and all vendor requirements
Rather than being due to a lack of concern, this is
(including fourth-party approvals for your
often due to resource constraints. VRM teams struggle
most critical services)
to manage their own vendors, making fourth-party risk
management a seemingly insurmountable challenge. + Performing regular, ongoing assessments of your
However, with increasing digital data exchange and overall risk posture
improved AI and analytic capabilities, managing
These tasks can seem daunting, especially for
fourth-party risk will only get easier over time.
organizations who are just entering this new stage
So, if fourth parties introduce just as much risk as of maturity—it’s hard to know where to start.
third parties, how do you take a strategic approach to This is where using a purpose-built platform like
managing this? ThirdPartyBond can help. Organizations can manage
and automate the entire vendor risk process,
Just like any risk program, TPRM should be linked to
minimizing the exposure to financial, operational,
business objectives. You can take your direction by
reputational and security risks from third parties—from
analyzing the organization's top risks, then link the
third-party onboarding, assessment and remediation
risks posed by your third- and fourth-party vendors
to performance monitoring and ongoing review, as
back to those organizational risks.
well as termination.

9 Deloitte, 2019, Fourth annual extended enterprise risk management survey

11
 How control
frameworks help
When you’re getting started with your TPRM program, NIST is available free of charge: https://doi.
the best place to begin is with the implementation of org/10.6028/NIST.CSWP.04162018. ISO frameworks
good governance. Part of this includes selecting and can be purchased from their website: https://www.
using control frameworks. iso.org/. Many organizations, once they’ve established
their initial framework, will expand and add other
If you’re not familiar with them, risk control
frameworks to make sure there aren’t any gaps in risk
frameworks help organizations build preventative and
coverage.
detective controls that are designed to mitigate risk
to acceptable levels. They provide best practices and But, as you’re probably not in the mood to read all
principles that result in a base level of assurance, and 55 pages of NIST right now, here’s a quick snapshot of
can be adapted to an organization’s needs or specific the content you can expect.
requirements.

The two most common risk frameworks are

the National Institute of Standards and Technology
(NIST) and the International Organization for
Standardization (ISO).

12
FUNCTION CATEGORY SUBCATEGORY

Identify Supply Chain Risk Management (ID.SC): ID.SC-1: Cyber supply chain risk
The organization’s priorities, constraints, management processes are identified,
risk tolerances and assumptions are established, assessed, managed and
established and used to support risk agreed to by organizational stakeholders.
decisions associated with managing
ID.SC-2: Suppliers and third-party
supply chain risk. The organization
partners of information systems,
has established and implemented the
components and services are identified,
processes to identify, assess and manage
prioritized and assessed using a cyber
supply chain risks.
supply chain risk assessment process.

ID.SC-3: Contracts with suppliers

and third-party partners are used to
implement appropriate measures
designed to meet the objectives of an
organization’s cybersecurity program and
Cyber Supply Chain Risk Management
Plan.

ID.SC-4: Suppliers and third-party

partners are routinely assessed using
audits, test result or other forms of
evaluations to confirm they are meeting
their contractual obligations.

13
 + Function: NIST defines five function areas: When deciding on your framework needs, it’s
Identify, Protect, Detect, Respond and Recover important to consider the following:

+ Category: Actual controls are divided into + Regulatory requirements such as the Payment Card
categories; in the example on the previous page, Industry Data Security Standard (PCI DSS) and
it’s Supply Chain Risk the Health Insurance Portability and Accountability
Act (HIPAA)
+ Subcategory: The subcategories detail the
controls + Compliance requirements (e.g., environmental,
health and safety)
So, while there’s no one-size-fits-all framework, this
provides a road map of sorts for organizations. It’s an + Acceptable level of risk, defined by the probability
excellent starting point. and impact of a certain risk occurring

+ Organizational objectives—otherwise, the priorities

of individual departments may differ or conflict

These frameworks, combined with your specific

organization’s needs, can result in a lot of work. But
there are software tools that can help you manage
all of these requirements, controls and tasks.
Our vendor risk management checklist can
help you identify your needs and the software
requirements to execute your program.

14
Galvanize case study
Large US healthcare provider automates manual, time-consuming vendor assessments

A large healthcare provider was conducting hundreds

of assessments a year via email requests, manual
surveys and spreadsheets. They were concerned,
because they were only able to assess a small
percentage of their vendor ecosystem using a manual
process. Getting surveys completed properly and
on time was a persistent challenge. If a vendor was
considered a risk, the subsequent follow-up was very
time-consuming.

The company wanted to automate the entire process:

data gathering, notifications, risk scoring, analysis and
remediation. Additionally, they wanted to integrate
third-party intelligence so they could understand what
happens if a vendor moves to a high-risk location or
has financial viability issues. Finally, the company
wanted to leverage their existing workflow processes
and data from legacy systems.

The customer selected ThirdPartyBond, and the

solution was implemented in three months. Since
the assessment module went live, the company has
increased the number of yearly assessments they
were able to complete by 373%. If an assessment
is determined to be low risk, ThirdPartyBond
automatically generates a memo to internal
stakeholders indicating the status. Meanwhile,
high-risk assessments are escalated for action.

15
16
Conclusion
Third-party risks are only increasing, especially with We hope this eBook has given you a foundational
more and more organizations relying on emerging understanding of the complex world of third-party
technologies like cloud computing. Gartner estimates risk management.
that, by 2020, 75% of Fortune Global 500 companies
will treat vendor risk management as a board-level
initiative to mitigate brand and reputation risk.

17
 Further learning &
resources
Want to do some further reading? The following RISK MANAGEMENT IN THE REAL WORLD
resources will provide you with more information
https://www.charteredaccountants.ie/Accountancy-
on TPRM:
Ireland/Articles2/Leadership/Latest-News/Article-
THIRD-PARTY RISK IS BECOMING A item/risk-management-in-the-real-world
FIRST PRIORITY CHALLENGE
THIRD-PARTY RISK MANAGEMENT:
https://www2.deloitte.com/ca/en/pages/risk/articles/ KEEPING CONTROL IN A RAPIDLY
reduce-your-third-party-risk.html CHANGING WORLD

THIRD-PARTY RISK MANAGEMENT https://eyfinancialservicesthoughtgallery.ie/third-

party-risk-management-keeping-control-in-a-rapidly-
https://www.isaca.org/resources/isaca-journal/
changing-world/
issues/2017/volume-2/the-practical-aspect-third-
party-risk-management

GUIDANCE FOR MANAGING

THIRD-PARTY RISK

https://www.fdic.gov/news/news/financial/2008/
fil08044a.pdf

18
 Ready to find out
how ThirdPartyBond
helps manage
third‑party risk?

↳
To find out how Galvanize can help your organization automate critical processes, deliver the
answers that drive strategic change and improve your bottom line, call 1-888-669-4225, email info@
wegalvanize.com or visit wegalvanize.com.

19
ABOUT GALVANIZE Galvanize, a Diligent brand, is the leading provider of GRC software for security,
risk management, compliance and audit professionals. The integrated
HighBond platform provides visibility into risk, makes it easy to demonstrate
compliance, and helps grow audit, risk and compliance programs without
incurring extra costs.
wegalvanize.com

©2021 ACL Services Ltd. ACL, Galvanize, the Galvanize logo, HighBond and the HighBond logo are trademarks or registered
trademarks of ACL Services Ltd. dba Galvanize.
© 2021 Diligent Corporation. All other trademarks are the property of their respective owners.