Corporate Governance (Third-Party Risk Management – TPRM)
-
Third-party risk management (TPRM) is the ongoing management (or attempted management) by the enterprise of any form of risk to the enterprise that may be caused by some action, or failure to act, of a third-party entity: an entity with which the enterprise may have some form of implicit business relationship, but no direct contract.
-
With TPRM, there is some form of implicit business relationship (whether downstream or upstream, such as for example: affiliates; agents; brokers; business partners; distributors; manufacturers; resellers; service providers; suppliers; vendors; and the like) between the enterprise and the third-party, but no direct contract.
-
Within the enterprise, responsibility for handling TPRM will generally be determined by joint agreement of the Board of Directors and C-Suite executives; if the enterprise is lucky and prosperous enough to have a dedicated risk management department, then that may be a logical place to assign TPRM responsibility; if not, then the Board and C-Suite might designate a particular executive as Chief Risk Officer, with responsibility for TPRM; there is no general rule for assigning such responsibility; whatever works best for the enterprise is acceptable, provided that the chain of TPRM responsibility, upstream and downstream, is clearly defined in Board resolutions, corporate policies, and organizational charts, all of which should be posted on the enterprise corporate intranet.
-
In order to provide a quick reference to the enterprise when attempting to allocate enterprise resources in the most efficient manner, it may be beneficial for the enterprise to prioritize all the potential suppliers and vendors to the enterprise and group them into categories, perhaps based on the level of criticality their goods or services represent to enterprise operations, such as for example (your enterprise may use as many Tiers as is practical): Tier 1 – highest risk to the enterprise, due to the highest criticality to the enterprise of the goods and services they may eventually provide to the enterprise (through those suppliers or vendors which have direct contracts with the enterprise); Tier 2 – moderate risk to the enterprise, due to the moderate criticality to the enterprise of the goods and services they may eventually provide to the enterprise (through those suppliers or vendors which have direct contracts with the enterprise); Tier 3 – lowest risk to the enterprise, due to the lowest criticality to the enterprise of the goods and services they may eventually provide to the enterprise (through those suppliers or vendors which have direct contracts with the enterprise); in practice, the tier assigned should also reflect the level of access to enterprise data, networks and systems that the third-party's work entails, since a supplier of low-criticality goods that nevertheless holds credentials to enterprise systems can present a Tier 1 level of risk.
-
Although TPRM may sound very similar to supply chain risk management (SCRM), there is a nuanced distinction between TPRM and SCRM; TPRM involves any risk to the enterprise caused by an entity that has no direct contract with the enterprise (for example, a vendor to a supplier on the enterprise supply chain, which has a direct contract with the supplier to sell widgets to the supplier that the supplier in turn will eventually sell to the enterprise through the enterprise supply chain), whereas SCRM involves the direct relationship between the enterprise and suppliers on the enterprise supply chain, each of which has some form of direct contract with the enterprise (in that example, the vendor to the supplier is a “third-party” to the enterprise, because there is no direct contract between the enterprise and the vendor, but the vendor does have a direct contract with the supplier that involves the enterprise supply chain to some extent – in that the vendor’s widgets will eventually end up in the enterprise supply chain).
-
Types of third-party risks (any risks inflicted upon the enterprise as a result of an external entity's activities, whether accidental or intentional) to the enterprise may be – compliance (the costs resulting from trying to satisfy all the requirements imposed on the enterprise by existing laws, in numerous domestic and international jurisdictions); digital (such as: cloud services; cyber attack; data breach; data leak; data privacy; data security; key-loggers; malware; security incidents; spyware; viruses; or the like); downstream risk (disruptions wherever the enterprise sells goods or services); environmental (the general environmental practices of the supplier's or vendor's physical location); ethical (the general honesty and integrity of the inhabitants of such supplier's or vendor's physical location, human corruption); information security (risks caused by allowing external entities to have access to sensitive enterprise data); financial (such supplier's or vendor's bankruptcy, cash on hand, credit rating, and other generally-accepted financial indicators); geographical (locations prone to natural disasters such as earthquakes, hurricanes, typhoons, and the like); geopolitical (hostile or unstable governments); legal (such as government investigations or lawsuits); operational (disruption to any operations of the enterprise); regulatory (new laws imposing new requirements on the enterprise); reputational (perhaps the result of: account impersonations; brand compromises; dissatisfied customers; fraud campaigns; mere appearance of impropriety on the part of the enterprise; negative public opinion, perhaps caused by justified, mistaken or scurrilous attacks on the enterprise); strategic (failure to meet the enterprise's own long-term goals, due to the failure of some key external third-party's performance or lack thereof); theft (for example, if third-parties are outsourced by the supplier or vendor which has the direct contract with the enterprise, such third-parties may have access to sensitive enterprise data, due to their contractual duties to the supplier or vendor which hired them, and thus they may be able to steal such sensitive enterprise data); transactional (such as disruption of delivery or supply); upstream risk (disruptions wherever the enterprise may produce or source goods or services).
-
Third-party risks to the enterprise may be mitigated or remediated to a certain extent through – continuous monitoring of all vendors during the vendor lifecycle; digital footprinting (monitoring the external, Internet-facing attack surface that each supplier or vendor exposes, such as its domains, exposed services and leaked credentials); having backup arrangements with redundant suppliers and vendors, in the event that any primary suppliers to the enterprise cannot perform; implementation of service-level agreements (SLAs) between the enterprise and all the direct suppliers and direct vendors to the enterprise, mandating certain key performance indicators (KPIs), to which all the direct suppliers and direct vendors to the enterprise must adhere (which is generally accomplished through pass-through provisions in the contracts between such direct suppliers and direct vendors and their subcontractors – who thus become third-parties to the enterprise – mandating that such subcontractors must comply with all the KPIs in the contracts between the enterprise and such direct suppliers and direct vendors); limiting access permissions to sensitive physical spaces and systems to the fewest possible people – only those with an actual need for access (the principle of least privilege), with such access logged, reviewed periodically, and revoked promptly when the engagement ends; performing due diligence before on-boarding new vendors.
-
Typical valid business considerations an enterprise may have when attempting to determine the qualifications and risk assessment (added risk a prospective supplier or vendor may inflict upon the enterprise) may include: the existence (or not) of such prospective supplier's or vendor's business continuity plan; how such supplier's or vendor's historical performance in previous contracts compares to the minimum standards established by industry-accepted frameworks, such as those of the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST); the level of access permissions to enterprise physical locations and systems that the enterprise may need to grant to such prospective supplier or vendor in order for such prospective supplier or vendor to perform their work; the physical location of such prospective supplier or vendor (so there would be less risk to the enterprise of interruptions to deliveries or shipping); the regulatory compliance posture of such prospective supplier or vendor (meaning how closely such prospective supplier or vendor complies with the domestic and international regulations with which the enterprise complies); the tier at which such prospective supplier or vendor may operate (meaning that a second-party supplier or vendor to the enterprise, one with a direct contract with the enterprise, may be expected to generate much greater risk to the enterprise than might a fourth-party supplier or vendor; although, as the fourth-party example below shows, distance in the contractual chain does not by itself reduce the risk presented by an entity that holds access to enterprise systems); the type of enterprise data such prospective supplier or vendor might need to access; the type of goods or services such prospective supplier or vendor might provide (if critical goods or services, then the enterprise may have to plan for a redundant supplier or vendor as backup); verification of all aspects of such prospective supplier's or vendor's security history (checking for best practices, data breach history, internal controls, reputation, security posture, and the like); with which lower-tier suppliers or vendors the prospective supplier or vendor has business relationships (which may be an indication of which such lower-tier suppliers or vendors the supplier or vendor currently under consideration by the enterprise might use on any enterprise contract, meaning that such lower-tier suppliers or vendors might someday have third-party and fourth-party relationships to the enterprise, so the enterprise would have to assume the risk of associating with them); offboarding (any contract with such prospective supplier or vendor should mandate that such prospective supplier or vendor must retain all data, documents and records related in any way to whatever work they may have performed on any enterprise-related contract for the maximum time period required in the applicable jurisdiction, and that at the expiration of such time period all such data, documents and records must be destroyed, to the sole satisfaction of the enterprise, by whatever method of destruction the enterprise may mandate at that time, with written certification of such destruction delivered to the enterprise).
-
The TPRM lifecycle generally consists of a series of investigational steps that the enterprise might employ to collect as much data as possible on any prospective supplier or vendor, and may include: sourcing – identifying as many possibly-qualified potential suppliers and vendors for each task requiring goods and services the enterprise may need, in various global locations, and then collecting as much data as possible on each; pre-selection – from the pool of prospective suppliers and vendors, the TPRM selection team (generally appointed by the executive having responsibility for TPRM) selects apparently-qualified prospective suppliers and vendors; vetting – each such apparently-qualified prospective supplier and vendor must then complete a battery of questionnaires, and attend meetings with enterprise personnel, attempting to elicit information directly from the executives of each such prospective supplier and vendor; qualification – the TPRM selection team then selects the most-qualified of such prospective suppliers and vendors; onboarding – once the TPRM selection team has chosen the final suppliers and vendors, the enterprise places their information in the enterprise database for future reference when their goods and services may be needed by the enterprise, their authorized representatives are given whatever training the enterprise may deem necessary, the enterprise assigns them a starting benchmark risk score (a level of risk which they must not exceed, if they want to remain as suppliers and vendors to the enterprise), and their starting internal controls are checked by the enterprise; behavior monitoring – the enterprise commences a process of continuous monitoring of them, to ensure that they are not engaging in risky practices (and thus exceeding their benchmark risk score); listing – the enterprise will then list them on an enterprise list of acceptable third-party suppliers and vendors, so that any second-party supplier or vendor which has a direct contract with the enterprise may use such listed third-party suppliers and vendors in any contract such second-party supplier or vendor may have with the enterprise; performance monitoring – the enterprise also begins to monitor their performance of contractual obligations (in their contracts both with the enterprise and with unrelated parties), to assess whether their performance of contractual obligations such as key performance indicators (KPIs) and service level agreements (SLAs) is as good as or better than what was required of them contractually (and if not, the enterprise will warn them to improve, and if they do not, the enterprise may terminate its contract with them); offboarding – once their contract expires or is terminated, the enterprise will assess their overall performance and make a determination about whether they will be allowed to participate in any further enterprise contracts.
-
The enterprise should employ a TPRM framework to reduce the overall third-party risk level to the enterprise to an acceptable level, by creating a security posture profile of each and every prospective supplier or vendor prior to commencing the on-boarding process, through a series of analytical steps intended to screen out any such prospective supplier or vendor whose resulting security posture profile falls outside the limits the enterprise deems acceptable (there are also firms, generally known as "third-party risk exchanges" or the like, similar to background-checking firms for prospective employees, which perform all the background-checking tasks noted below on behalf of enterprises), as follows:
-
analysis of all the risks a prospective supplier or vendor may already have, through application of security ratings to each potential risk, resulting in a security posture profile of such prospective supplier or vendor;
-
if the prospective supplier or vendor has an unacceptable security posture profile, the enterprise would not continue further (unless perhaps the enterprise felt that such security posture profile could somehow be improved, to eliminate enough risk issues that the overall risk to the enterprise would be within tolerable limits), but if the security posture profile is acceptable to the enterprise, the next step would be for such prospective supplier or vendor to complete a security questionnaire, which would provide the enterprise with detailed information about all the internal security controls currently used by such prospective supplier or vendor; because questionnaire answers are self-reported, the enterprise should corroborate them against independent evidence, such as third-party audit reports or certifications against the ISO or NIST frameworks noted above;
-
if the enterprise identifies design deficiencies in such internal security controls, the enterprise may either offer to work with such prospective supplier or vendor to remediate such design deficiencies, or may choose not to proceed any further with such prospective supplier or vendor;
-
after such design deficiencies have been remediated by such prospective supplier or vendor, the enterprise might request written, scoped authorization to perform penetration testing (also known as "pen-testing") on the systems of such prospective supplier or vendor, and also perhaps physical inspection of such prospective supplier's or vendor's facility and systems, to determine the post-remediation efficacy of such controls;
-
assuming the results of the pen-testing and inspection were acceptable to the enterprise, and the design deficiencies have all been remediated, the enterprise may approve such prospective supplier or vendor to be placed on a list of acceptable third-party suppliers or vendors to the enterprise;
-
then going forward, the enterprise should employ continuous security monitoring (CSM) of the security posture profile of such approved supplier or vendor (noting that the enterprise's own security information and event management (SIEM) systems can only observe what such supplier or vendor does within enterprise networks and accounts, such as its remote connections and credentials, whereas the supplier's or vendor's external posture must be monitored through security-rating or attack-surface monitoring services), and should advise such approved supplier or vendor if the enterprise detects any negative issues with such security posture profile, giving such approved supplier or vendor the opportunity to remediate such negative issues before the enterprise would allow such approved supplier or vendor to participate in any procurement or sourcing initiatives in any way related to the enterprise.
-
An often-overlooked but critical task for the enterprise when reviewing prospective suppliers and vendors for risky behavior is to determine how such prospective suppliers and vendors performed in previous contracting situations with other entities; in order to perform this exercise, the enterprise should request copies of the entire contracting lifecycles (including the pre-award RFP process, the executed contract, all correspondence during the contract term, and final offboarding documents) from the prospective supplier or vendor (recognizing that such documents are usually confidential to the other contracting party, so the enterprise will often receive redacted copies or customer references in their place); in the contracts themselves, the enterprise should pay particular attention to the provisions regarding: confidentiality; contract price; data privacy; data processing; data security; deliverables; disclaimers; indemnification; insurance; intellectual property (IP); KPIs; limitation of liability; payments; relationships; representations and warranties; risk of loss; schedule; scope of work; SLAs; subprocessor changes; term of contract (with extension provisions); termination.
-
The enterprise will also have to guard against fourth-party risks, from entities that have been outsourced through any third-party entity to the enterprise (meaning that the fourth-party to the enterprise has a direct contract with a third-party to the enterprise, but itself has no direct contract with the enterprise; this chain of liability may go on endlessly, extending down through a plethora of "Nth"-party entities, depending upon the size and complexity of the enterprise and its supply chain); despite being farther removed from the enterprise in the chain of potential liability, fourth-party entities may nevertheless cause catastrophic liability to the enterprise (as actually happened in the 2013 breach of the U.S. retailer Target, when attackers first compromised an outsourced provider of heating, ventilation and environmental control services (which had a direct contract with a mechanical subcontractor, which in turn had a direct contract with a general contractor, which in turn had a direct contract with the national retail chain enterprise), stole that provider's credentials for remote access to the enterprise network, and used that access to install malware on the enterprise payment (point-of-sale) systems, which then harvested the payment-card and personal data of tens of millions of customers of the enterprise; the lesson for TPRM is that the vendor's network access, not the vendor's contractual distance, was the attack path, so such access should be limited to what the work requires and segregated from payment and other sensitive systems).
-
Drafting and negotiating all TPRM-related documents, and legal support for all TPRM-related tasks.
Progress_Page_Last_Updated_221105_1522