The importance of Third-Party Risk Management (TPRM)

Like many organizations, Thoropass relies heavily on the products and services offered by third-party service providers and vendors. Our third-party ecosystem offers several critical solutions we depend on to support our operations and our customers. In fact, we have just about as many applications as we do employees. We aren’t more unusual or unique than any other organization. It’s not uncommon for many organizations to have hundreds (even thousands) of third parties offering all types of products and services with some being critical to their operations.

To properly manage these products and services, we must thoroughly understand the inherent risks of using third parties and perform adequate due diligence activities to minimize these risks. We must comprehensively review and vet these third parties as part of our third-party risk management (TPRM) program. This blog provides an overview of Thoropass’s TPRM program.

At Thoropass, we use a hybrid framework that draws on the best of what the following have to offer: the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) Trust Services Criteria (TSC), the United Kingdom’s Information Commissioner’s Office (ICO) as it relates to the General Data Protection Regulation (GDPR), and other generally accepted industry best practices and frameworks.

What is TPRM?

Third-Party Risk Management (TPRM), or vendor risk management, is part of the vendor due diligence process. Through it, an organization evaluates the risks of using a certain third party (or vendor) and determines the effectiveness of the controls the third party claims to have in place to safeguard any sensitive information shared with it. TPRM is conducted before engaging with a third party and is ongoing while we have a working relationship with the third party.

Thoropass is under certain contractual obligations to ensure we are good stewards of our customers’ information. Beyond this, we take the security and privacy of our customers’ information very seriously; this includes thoroughly evaluating the third parties we use and conducting adequate TPRM activities on our third-party vendors.

Risks from third-party relationships

Some third-party vendor risks might be obvious to you, but others less so. Here are some common risks that businesses might face from third-party relationships:

Data breaches and security risks

If a third-party vendor has access to the organization’s sensitive data, such as customer information or intellectual property, there’s a risk that inadequate security practices on their part could lead to a data breach. This can result in financial losses, legal liabilities, and damage to the organization’s reputation.

Compliance and regulatory risks

If a third party fails to comply with industry regulations or legal requirements, the organization that engaged them could also face penalties and legal consequences. For example, if a vendor mishandles customer data in violation of privacy regulations, the organization that shared the data could be held accountable.

Operational risk

If a critical third-party service provider experiences operational disruptions, such as system outages or financial instability, it could directly impact the organization’s ability to operate smoothly. This is especially true when organizations heavily rely on a single third party for essential services.

Financial risk

If a third-party vendor faces financial issues or goes out of business, it could disrupt the services they provide to the organization. This can lead to supply chain disruptions, delayed projects, and financial losses.

Reputational risks

A third party’s actions can reflect on the organization they are associated with. If a vendor is involved in a scandal or unethical behavior, it could damage the organization’s reputation by association.

Vendor lock-in

Organizations may become overly dependent on a particular third party for a critical service or technology. This can limit flexibility and increase costs if the vendor raises prices or fails to keep up with technological advancements.

Quality control issues

If a third-party vendor’s products or services don’t meet the organization’s quality standards, it could impact the organization’s products or services, leading to customer dissatisfaction and potential revenue loss.

Intellectual property risks

Sharing proprietary information with third parties, such as contractors or suppliers, could expose the organization’s intellectual property to theft or unauthorized use.

Supply chain risks

Businesses that rely on third-party suppliers for raw materials or components are vulnerable to supply chain disruptions, such as natural disasters, geopolitical issues, or transportation disruptions, which can disrupt production and impact the bottom line. 

Lack of control

Organizations might have limited control over the actions and practices of third-party vendors. This can make it challenging to enforce security measures, compliance standards, or quality control.

Overview of Thoropass’s third-party vendor process

To see how this all looks in action, let’s look at Thoropass’s TPRM process. Our vendor process begins with the need for a product (or service) a third-party service provider can provide. We have a sponsor of the request complete a vendor assessment and business justification form.

This form consists of four parts:

1. Third-party general information

Third-party management begins with collecting the basics: 

  • The name of the third party
  • Description
  • Website
  • Privacy notice
  • Terms of service
  • Security
  • Sponsor name
  • Date/time of submission

2. Third-party and finance-specific information

This includes terms and cost information and an overview/benefit of the product/service. The sponsor must explain the issues we are trying to solve and how working with the third party will solve these problems. The sponsor will detail the value proposition of working with the third party and describe other third parties evaluated in the process of determining the recommendation.

The sponsor must abide by our Procurement and Expense Policy, which includes obtaining approval from a department head (as necessary), obtaining a W-9 form, having the third party complete a vendor form, and including certain clauses (such as privacy, security, limitations, etc.) in contracts/agreements.

3. IT and compliance-specific information

This section includes criteria defining the need to perform a security and privacy review.  Almost any software application, program, or third party being utilized, integrated, accessed, collected, or having a financial impact on Thoropass will require a review. 

The sponsor will do their best to assign a criticality rating and a vendor risk rating based on defined criteria along with their rating rationale. If they are unsure, the ratings will default to medium for further evaluation by our Chief Information Security Officer, Data Protection Officer, Operations Lead, and Finance Lead.

For instance, we define vendor criticality as: 

  • High: We rely on the application daily, and if the application fails, it would seriously disrupt operations OR the third party provides a critical product and replacing it would be difficult/costly; 
  • Medium: We utilize the application daily, but our operation doesn’t depend on its use, OR if the application fails, it won’t seriously disrupt operations; replacing the application would cost some effort or money, but would not be difficult/costly;
  • Low: We utilize the application intermittently; if it fails, it does not impact business operations.

We define vendor risk as:

  • High: The third party accesses, handles, or stores sensitive/confidential information (either internal, external (customers), or both); 
  • Medium: The third party may have some knowledge of our customers but no access to sensitive/confidential information;
  • Low: The third party cannot access sensitive or confidential information.

In addition, we want to know about the third party’s reputation and any attestations/certifications they’ve obtained.

4. Privacy risk screen assessment 

We ask 13 questions as part of our privacy risk screening. After determining the type of data collected or stored by the application (including whether it processes data of employees, customers, or both), questions such as the following must be answered:

  • Does the application use profiling or automated decision-making, or does the application run algorithms to score/rate responses impacting an individual?
  • Does the application process personal data in a way involving tracking individuals’ online/offline location/behavior?

If the answer is ‘yes’ to any of these questions, we will conduct an enhanced evaluation, which could include performing a data protection impact assessment (DPIA).

TPRM process

The following process is where we do most of the heavy lifting in evaluating the security and privacy compliance of third parties. These steps break down into the following 4 areas: 

  1. Trade and sanction compliance
  2. Risk management
  3. Security
  4. Privacy

1. Trade and sanction compliance program

As a United States corporation, we are obligated to comply with all U.S. laws, including export controls administered by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS), economic sanctions and trade embargo programs administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and U.S. anti-money laundering (AML) laws.

We perform due diligence activities on all third parties to ensure we don’t violate BIS, OFAC, and AML regulations.

2. Risk management

To determine and evaluate risks posed by third parties, we perform a risk management evaluation (or third-party risk assessment) based on the third party’s criticality and risk ratings discussed above. 

Note: Third parties providing a security/privacy attestation or certification may not be required to submit additional documentation or security/privacy questionnaires.

Third parties must adequately demonstrate their security/privacy posture commensurate with their criticality/risk ratings. The higher the ratings, the higher the demand for verifiable evidence, including reviews performed by independent assessors/auditors. We perform the following as part of our risk management evaluation process:

  • Determine regulatory, risk, and technology factors impacting the third-party product or service offering;
  • Review policies/procedures related to the third-party product or service offering;
  • Review policies/procedures related to the third-party’s risk management program to include the following:
    • Monitor (or sample) key risk indicators, performance, and effectiveness of controls;
    • Review resources and staffing requirements;
    • Review change management processes;
    • Review risk escalation and testing;
    • Determine risk appetite;
  • Review policies/procedures on internal controls to include:
    • Nature/scope/frequency of reviews;
    • Independence/qualifications of testing;
    • Quality of audit to determine the effectiveness of controls;
  • Review attestation reports (SOC 2 Type 1 and 2), certification reports (ISO 27001 or HITRUST), and/or self-assessments from a risk perspective;
  • Review the status of any assessment findings as well as implemented action items (or the status of these items); and,
  • Review service level agreements.

3. Information security

All Thoropass’s third parties must implement adequate security controls to effectively safeguard and protect any information we might share with them. To this end, we review security controls to cover confidentiality, integrity, availability, and resiliency, which could include, but are not limited to:

  • Review policies/procedures related to security controls/safeguards to include:
    • access management
    • physical security
    • backups
    • change management
    • anti-malware protection
  • Review policies/procedures related to incident response and management to include incident reports with after-action reviews;
  • Review security awareness training provided to staff;
  • Review system security plans and network/architectural diagrams;
  • Review standard information gathering (SIG) questionnaires/cloud questionnaire (CAIQ) or other security questionnaires (we may provide as applicable);
  • Review penetration test reports;
  • Review attestation reports (SOC 2 Type 1 and 2), certification reports (ISO 27001 or HITRUST), and/or self-assessments from a security perspective; and,
  • Review Terms of Service (ToS) (or other agreements) and ensure these agreements maintain security clauses and provide us the Right to Audit.

4. Privacy

Since we are considered a processor and contractually obligated to only process personal data (or personally identifiable information (PII)) as directed by our controllers (i.e., customers), we review applicable third parties (i.e., subprocessors) to ensure they meet (or exceed) the privacy requirements we must abide by.  We review the collection and use of PII of our third parties, which could include, but are not limited to:

  • Determine applicable privacy regulations;
  • Review Privacy Notice;
  • Review policies/procedures related to privacy controls and PII Management to include data protection, data classification, handling, retention, and disposal;
  • Review Data Flow Diagrams (or Data Transfer Agreements);
  • Review Data Protection Impact Assessment/Privacy Impact Assessments; and,
  • Review Data Protection Agreements/Addendums (DPAs).

More TPRM tips

Although this may seem like a lot of information to review, as you get more experienced in asking certain questions or evaluating attestation/certification reports, you’ll start to figure out what areas of concern to focus on. These really depend on the type of product (or service) offered, the type of information shared, the risks posed by the third party, the integrations of the product (or service) within your business operations, and the criticality/risk ratings assigned to the third party.  As mentioned, the thoroughness of the review ultimately depends on how you will use the third party.  

With this in mind, here are some tips for reviewing attestation and certification reports:

Tip #1: Understand not all attestations/certifications are the same

Not all attestations/certifications are the same, and the assessors performing these assessments may vary in their knowledge (or skill) levels. That said, you must read through the report and make sure the scope covers the applications you’ll use from the third party. Just because a third party has an attestation (or certification) doesn’t mean they included the product you will be using.

In some cases, an organization may have the ‘flexibility’ to determine a specific scope of an audit.  Make sure your needs are covered in your evaluation to ensure the third party adequately demonstrates their risk, security, and privacy posture.

Tip #2: Ensure audit periods are adequate

Ensure audit time spans are adequate. For instance, you’ll want to make sure any attestation (or certification) report covers a long enough period (such as 12 months) to provide a large enough sample size of evidence to determine control effectiveness. If a report has expired, determine the status of their next attestation/certification period and request a bridge letter to cover any gaps.

Tip #3: Ensure the auditor’s opinion meets your criteria

Focus on the auditor’s opinion and ensure it meets your criteria (such as the report being ‘unqualified’ or noting ‘no exceptions’). If there are exceptions, ensure they are addressed and compatible with your risks in using the third party. Make sure relevant user-entity controls are being performed and there is substantial evidence to ensure the user-entity controls are adequate.

Tip #4: Have a plan of action to mitigate deficiencies or non-conformities

When monitoring the vendor’s inherent risk, take note of any deficiencies or non-conformities. Ensure non-compliance items have compensating or mitigating controls in place.  Review any non-conformities along with the plan of action to minimize any risks presented by these deficiencies to an acceptable level.

Final thoughts on managing third-party risks

Third-Party Risk Management (TPRM) is a very important process that must be implemented appropriately within your organization. The ability for your third party to quickly respond to your requests and provide you the necessary assurances that they are doing what they say builds trust.  

And let’s be clear: It is all about trust when it comes to divulging your sensitive information or relying on a third-party product to perform as it should. Trust can be hard to come by, and if lost, may be even harder to regain.

If your organization appreciates the process shared here or if you need some assistance with your TPRM program, get in touch. We have experts at Thoropass who can help!

This post was originally published in April 2023 and updated for content and comprehensiveness.
