Third-party risk management: no one-size-fits-all solution


Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that’s a good thing.

Despite predictions from the early days of the COVID-19 pandemic that companies would scale back their outsourcing strategies, the third-party ecosystem continues to grow, small and midsize vendors remain cybersecurity targets, the global regulatory machine continues to produce new demands, and disruptions in the value chain have become a regular occurrence. For TPRM vendors, this is great news because, unlike the years following the Great Recession, companies are not withdrawing their investments in security and risk.

What’s in a name? Is it TPRM or IT VRM?

To-may-to, to-mah-to, right? Not exactly. Here is some background on the nomenclature of third-party risk. Financial services uses “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare refers to “business associates” to align with HIPAA, and manufacturing commonly uses “supplier” or “provider”. Everyone else revolves around the term “vendor” because much of what we now call third-party risk management began with (and in some cases is still primarily focused on) software vendors and IT service providers, where the primary concern is compliance with IT control frameworks and standards.


Forrester uses “third parties” to refer to these entities, as well as non-traditional third parties such as foreign affiliates, outside legal counsel, public relations firms, contingent or on-demand workers, and even your board of directors. If it’s not an employee, then it’s a third party.

The TPRM market is not “one size fits all”

Several types of vendors support the TPRM market, each specializing in one or more risk areas, industries, or customer maturity levels. For us, third-party risk is more than a cybersecurity rating or a due diligence tool.

Forrester defines this category as:

Platforms that identify, assess, rate, monitor and report risks to the organization arising from their relationships with third parties. They support the analysis, processing, and workflow for risk mitigation at each stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) screening, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding.

There is no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, groups 22 TPRM technology providers into four segments based on their capabilities:

  1. Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and extensive functionality to support all TPRM maturity levels.
  2. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM.
  3. Exchange sponsors. Exchange sponsors provide access to pre-populated and validated assessment results, multiple types of documentation and evidence, and analytics.
  4. Vertical-focused providers. These vendors have the deep expertise of dedicated technologies and the range of capabilities of GRC platforms, often provide support services, and focus in particular on industries with complex third-party compliance requirements.

Each segment contains vendors that will suit different types of buyers.

This post was written by Senior Analyst Alla Valente, and it originally appeared here.

