There are several terms (e.g., Third Party Risk Management, Supplier Relationship Management, Vendor Risk Management) that are routinely used to refer to the process of assessing and managing the risk posed to your organization by outside entities.
The terms Supplier Relationship Management (SRM), Supplier Risk Management, and Vendor Risk Management (VRM) are synonymous. You are most likely to see the term “Supplier Relationship Management” when dealing with an organization that is ISO-27001 certified, as that is how Annex A 15.1 and 15.2 refer to Vendor Risk Management. In either case, the concept is exactly the same: this is the process by which an organization manages the risks posed to it by outside companies or other organizations that provide it services or products.
Third-Party Risk Management (TPRM) is broader. You are most likely to see the term “Third Party Risk Management” when dealing with a financial firm, as TPRM is the term used in Office of the Comptroller of the Currency Bulletin 2013-29, the document that has become the de facto standard for TPRM. Like VRM and SRM, TPRM includes vendors or suppliers, but it also includes other “third parties”. Illustrating the difference is easier with examples.
Examples of Suppliers
- A company that sells you office equipment
- A consultancy that advises you about mergers and acquisitions
- A law firm
- A company that you pay to develop software
- A company that hosts your corporate website
Examples of Other Third Parties
- A counterparty in a joint venture
- Your customers
- A government regulatory agency
- A company that you sell overdue debt to for collections
- A nonprofit to whom you donate your product
How are the Risks Different?
With most vendors/suppliers:
- Your company enters into a direct contract. In this contract, it is possible (indeed advisable) to build in language that requires the supplier to meet certain requirements around information security (e.g., minimum password length for their systems), operational effectiveness (e.g., their call center will answer 99% of calls within four rings), and corporate oversight (e.g., your company has a right to perform an on-site audit of their operations twice a year). Having this kind of language in a contract allows your company to reduce risks by ensuring that the controls that your supplier has in place are sufficient to manage risks to your company.
- The relationship between you and your supplier is usually quite clear: the supplier provides a well-defined product/service in exchange for a fee, with well-specified and clearly articulated terms.
With other third parties, neither of these characteristics is necessarily true. For example:
- You will likely not have a contract with a government regulatory agency, but you may still be required to give them access to sensitive data to demonstrate compliance with applicable regulations. Do you know how they control access to that information? Probably not. Can you audit them to find out? Usually no.
- Because the universe of third parties is very large and the nature of the relationships often differs, there is an inherent ambiguity that may represent a significant risk. A customer can interact with you in many different ways, and in some cases unforeseen types of interaction can bring risks for which no controls were ever designed or applied.
Differences between VRM and TPRM Programs
Many companies start their TPRM process by beginning with risk management activities over their vendors. Once the risks for each vendor are well understood, your company solicits evidence (e.g., ISO-27001 certificates, pen test reports, control questionnaires, financial information) and conducts on-site audits to ensure that the controls required to mitigate your risks are adequate and effective.
When a company broadens its vendor risk management process to include other third parties, understanding the risk posed by each Third Party is still the first step. Where the process often differs is that the nature of the relationship frequently makes it more difficult to conduct the same activities as with a traditional vendor (you often don’t have the leverage of monetary exchange). So you may need to rely more heavily on monitoring of news and on information voluntarily provided by the Third Party (for example, a regulatory agency’s voluntary description of its use of cloud technology).
In short, a TPRM program is a VRM program that has been extended to address the often disparate risks associated with Third Parties.
Which Type of Program Do I Need?
That largely depends on your company’s particular risks: are the largest risks from Vendors or from other Third Parties?
In most cases, it makes sense to start with a Vendor Risk Management program. As you build your Vendor Risk Management Program, you will develop a far greater understanding of third parties and how you can effectively manage them. Generally, you will quickly come to understand whether it is important to extend your VRM program to include other Third Parties, and if so, you will have a sound foundation to build on.
Pivot Point Security can help with both kinds of programs. We can help you understand the costs, risks, benefits and drawbacks associated with different kinds of risk management approaches, and with different kinds of program implementations.