Third-Party Risk Management Consulting
What is Third-Party Risk Management?
Third-Party Risk Management (TPRM), sometimes referred to as Vendor Risk Management (VRM), is the process by which an organization understands and manages the risks arising from its relationships with third parties (including, but not limited to, vendors). These risks may include the risk that the supplier will experience a data breach (information security risk), that it will cease operations, or that it will violate a law or regulation for which the client organization might be held responsible.
How Does TPRM / VRM Affect My Organization?
Information security (InfoSec) is often the single biggest risk posed by a third party, but it is far from the only one. Other risk areas include operational competency (the risk that the supplier will be unable to perform an agreed-upon task), financial, reputational (that a supplier’s actions will cause damage to your company’s reputation), compliance (that your supplier will violate a regulation for which your company will be held responsible), and several other distinct risk domains.
In many cases, regulations mandate that organizations formally manage these risks. For example, all banks in the United States that are under the supervision of the Office of the Comptroller of the Currency (OCC) are required to do so by OCC 2013-29. In other cases, an organization’s own customers or clients will expect that the organization have such a program in place, and be able to document its effectiveness. Finally, organizations often maintain these functions because it makes good business sense.
Why Pivot Point Security?
Unique Approach to Integrated Service Offerings
Pivot Point Security has a long history and deep background in information security and business continuity. We integrate that expertise into our TPRM consulting in ways that others can’t. For example:
- Our highly certified network security team runs a technical vulnerability assessment of a vendor’s internet-facing systems during our due diligence assessment of vendors to ensure that they are secure. They can also review critical artifacts (e.g. network architecture diagrams) provided by your vendors to spot weaknesses before they become problems.
- Our ISO 27001, SOC 2, HITRUST and FedRAMP consultants can bring expertise to different verticals and to the contextualized analysis of vendor reports, to ensure that they provide the assurance you need.
- Our highly certified application security team can review existing artifacts or, where necessary, perform OWASP-aligned testing to ensure that key applications are as secure as you require.
This kind of integration can give you holistic assurance that third-party risks are effectively managed.
Our consultative process and “roadmap” have been vetted across dozens of engagements and in one of the largest banks in the United States. We back that expertise with one of the most highly certified teams in the industry, including multiple consultants holding “Certified Third-Party Risk Professional” certification (the industry’s only certification for TPRM). We don’t offer what we can’t do extremely well.
Alignment with Trusted and Widely Accepted Standards
We have built our consulting practice on a foundation of understanding, valuing, and implementing industry standards such as the ISO 27001/2 Information Security standard and the ISO 22301 Business Continuity Standard. Our TPRM practice leverages these standards, and focuses on vendor risk management using industry-leading standards including Office of the Comptroller of the Currency Bulletin 2013-29 (OCC 2013-29) and Shared Assessments.
We offer a variety of third-party risk management (TPRM) services. These include:
Due Diligence Assessments
Ensuring that third parties and vendors have the controls in place to protect your critical data can be challenging when you are resource constrained. Having expertise available on demand can be valuable in a number of situations, including:
- You are considering several vendors for a project and you need detailed information about the strengths and weaknesses of their information security practices.
- You are performing an initial or annual assessment on a critical supplier.
- You are establishing a TPRM program and you have a challenging number of reviews to get through in a limited time frame with even more limited staff.
- There has been an incident with a supplier, and you need to understand what happened and what might be done to prevent a recurrence.
Due Diligence Assessments can be tailored to your existing vendor risk management program and can be extended to include reviews of several areas of risk, including information security, operational, reputational, human resources, and financial solvency. If you want or need to do an even “deeper dive,” we can engage additional subject matter experts (network, application security, DRBCP) to get you the assurance you need that your risks are being effectively managed.
Program Consulting, Design, and Implementation
Our consulting team has extensive experience in building TPRM programs. We can guide and assist your organization in the development and rollout of a TPRM program, from initial vision through ongoing execution. Our standards-based approach will design a program that fits your organization’s risk tolerance and specific needs while cutting through the complexity to help you truly manage your risk.
Managed Third-Party Risk Management Services
While it makes sense for many companies to run their own TPRM programs internally, it makes just as much sense for many others to outsource some or all of the program components that make up their TPRM process. Whether you are interested in outsourcing a single component (such as due diligence reviews, as noted above) or are interested in outsourcing the entire program, we can help.
Third-Party Risk Consulting
TPRM is becoming ever more important for many organizations. It takes many forms, with many facets and different levels of complexity. Whatever your TPRM needs are, we can assist you. Maturity assessments? Assessments of your supplier’s own TPRM programs? Annual reviews, or continuous improvement assistance? We understand TPRM, and we have an extensive history of working with businesses of all sizes and from many different industries.
Talk with us about your needs. We’d love for you to have a free, no-pressure conversation with one of our experienced third-party risk consultants. Just fill out the information below, and we’ll get in touch with you right away.
How complicated and expensive is this?
TPRM programs exist in organizations of every size because risk from third parties exists in organizations of every size. The complexity of a TPRM program is related to your organization’s size, use of suppliers, regulatory requirements, and risk appetite. However, implementing TPRM controls does not have to be terribly difficult or expensive. There are proven processes, tools, and techniques that can be quickly and effectively implemented in almost every organization.