Recently, NAVEX hosted a webinar featuring Carol Williams, CEO and principal consultant at Strategic Decision Solutions where she discussed best practices on how to assess and mature third-party and IT risk management programs.
The importance of TPRM and ITRM practices has never been greater, and organizations must mature these programs to properly secure their organization and protect customer information. In this post Carol Williams answers the questions we received during the webinar. To watch the full webinar, you can access the recording here.
What is the best model for collaboration between IT risk, third-party risk, and enterprise risk management? Should they all be the same group or three separate groups?
IT Risk requires such specialized knowledge and collaboration with technology staff that it is best suited to be part of IT. Oversight of IT risk should be handled by internal audit or a similar function, and IT risk should collaborate closely with enterprise risk management to ensure that management has correct and complete information on risk priorities and risk management strategies.
There is such a heavy element of operations when it comes to third-party risk. It can actually be a hinderance for enterprise risk management to be coupled so closely with third-party risk within the same group. Third-party risk focuses on two areas – consistent processes and individual vendor management. You can’t manage individual vendors if you are supposed to focus on strategy and the enterprise. Keep in mind that these three distinct areas do not have to be within the same group to collaborate and coordinate.
Many organizations manage IT vendors separately from all vendors. What is the best way to help the organization understand that all external parties should be assessed, as long as they're not a separate covered entity under HIPAA?
IT vendors should absolutely be managed consistently with all other organizational vendors. To ensure this happens, I highly recommend using messaging to the organization along these lines: IT is there to support the business, the organization as a whole. Therefore, IT vendors are simply an extension of IT. The business needs to be assured that the relationships with IT vendors will be held to the same standard as all other business vendors.
What about a discussion of OFAC/DOJ/sanctioned list research?
All organizations in the U.S. are required to avoid transactions with individuals and businesses on the Watch List, which is maintained by the Office of Foreign Asset Control (OFAC). If your organization doesn’t currently conduct an OFAC screening, it is imperative to develop a process and begin this immediately.
How does the Risk Committee Charter facilitate managing TPRM?
The Risk Committee Charter is simply a document stating the responsibilities of the Risk Committee. The Risk Committee members must continually demonstrate, by words and action, their support and buy-in for TPRM. The Charter itself will not facilitate TPRM; however, it can indicate that the Risk Committee is responsible for the oversight of TPRM results and provides guidance to the TPRM team regarding action taken on high-risk vendors.
Our intermediary management program is different from our vendor/supplier management. Is this common, as the question often addresses third-party risk management as whole?
Interesting distinction, as intermediaries are typically thought of as a vendor to the organization. (See the image embedded within this summary article published after the NAVEX Next TPRM session.) I would think that there is a significant amount of duplicative work being done between these two programs. Instead, it would be great if intermediary management was part of the vendor/supplier management program, and if there are specific questions targeting intermediaries, include those based on the type of vendor.
What sort of key risk indicators/metrics would you use to support the case for increasing maturity? Or to support the current maturity assessment? for both TPRM and ITRM.
It would be difficult to use KRIs to support increasing maturity. Rather, by asking a few pointed questions to management, their responses can make the case for you. Here are some questions you can ask:
- Do you feel risk management is providing you with the information you need to make decisions in a timely manner?
- Is TPRM/ITRM sharing insights and information you didn’t already have?
- Would you like to see more value from TPRM/ITRM?
If you absolutely need metrics, some examples would be:
- Number of IT incidents requiring response that should have been prevented
- Number of vendors without interaction from the organization in the last year
How do we use NAVEX IRM for TPRM?
A key element of any TPRM program is the ability to assess, identify, monitor, and manage their third-party risks through automation, centralization, and data visualization. NAVEX IRM enables organizations to conduct effective due diligence on partner’s compliance with regulations, policy and practice, integrate this information with risks across the enterprise and manage a regular cadence of assessments to determine the values and processes that your organization aspires to. NAVEX IRM accomplishes this by:
- Evaluating and continuously monitoring all aspects of a third party’s risk, from consideration to onboarding and throughout the entire relationship
- Applying enhanced due diligence and assessing an organization’s regulatory, business operations, and responsibility metrics
- Gaining an ongoing understanding of the risks each third party brings and addressing them as they surface
- Managing corrective actions and escalations in a centralized location when risks arise
All of this helps organizations gather operational, information security, financial, and compliance risk information in a centralized location to better understand the risks each third party presents. Additionally, NAVEX IRM’s business continuity management capabilities allow organizations to plan and prepare for business interruptions involving third parties, minimizing their impact.
To learn more about how to assess and mature IT risk and third-party risk management programs