
Third-party risk management: No one size fits all

Feb 11, 2022 Hi-network.com

Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that's a good thing. 


Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that's great news because, unlike in the years following the Great Recession, firms aren't pulling back on security and risk investment. 

What's in a name? Is it TPRM or IT VRM? 

To-may-to, to-mah-to, right? Not exactly. Here's some context on third-party risk nomenclature. Financial services use "third parties" to align with OCC (Office of the Comptroller of the Currency) language, healthcare references "business associates" to align with HIPAA, and manufacturing commonly uses "supplier." Everyone else gravitates to the term "vendor" because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is about complying with the IT control frameworks/standards. 


Forrester uses "third party" to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it's not an employee, then it's a third party. 

The TPRM market is not "one size fits all" 

Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, third-party risk management is more than a cybersecurity rating or a due diligence tool. 

Forrester defines this category as: 

Platforms that identify, assess, score, monitor, and report on risks to the organization stemming from its third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding. 

There's no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities: 

  1. Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity. 
  2. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM. 
  3. Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics.
  4. Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies and the range of capabilities of GRC platforms, and often provide supporting services, but are singularly focused on industries with complex third-party compliance requirements. 

Each segment contains vendors that will be a good fit for different types of buyers. 

This post was written by Senior Analyst Alla Valente, and it originally appeared here.
