Who Should Own Third Party Risk Management?

Third party risk management (TPRM) is rapidly becoming its own function, with certifications, software platforms and multi-person staffs in larger organizations. However, it is a relatively new field, still gaining traction within management, so unlike the well-established security and privacy functions it usually isn’t given the attention it needs when organizational responsibility is assigned.

It usually sits under one of the other operational areas, such as IT, security, compliance, legal or purchasing. Where it lands in the reporting structure can greatly affect its effectiveness and its contribution to the entity’s security and compliance, which is why deciding where it sits organizationally is so critical. Given the rise in third party data breaches, including several mega breaches in the last few months (SolarWinds, Sandworm and Accellion, to name a few), it is becoming critically important that TPRM is implemented and working properly. Here are some of the possible owners of the TPRM function and the pros and cons of each organizational sector.

Information Security

Information security is probably the most common department in which TPRM ownership resides. This seems logical, since one of the main goals of TPRM (and one of the main goals of information security) is better cybersecurity. However, it depends on whether information security is its own independent department or a sub-department within IT. While IT will understand the various technologies involved with TPRM, they may be inclined to assign lower risk ratings to vendor situations in view of user demands or the pursuit of efficiency. For example, giving vendors the same VPN you use for your employees makes for an easy fix, but it does not provide the extra layers of security and monitoring needed for maximum protection from vendor breaches and bad actors. An independent security department will typically have the technical know-how to understand the technology side while also knowing how to properly conduct risk assessments, a practice that is at the core of TPRM. So having TPRM managed by information security is ideal as long as the department has enough independence and bandwidth to judge the risks objectively.

Compliance

As a robust TPRM program is often required by various regulations (GDPR, CCPA, NYS-DFS Cybersecurity), compliance is often a home for this discipline. In many ways, it makes sense. Compliance is usually an independent department whose oversight is required across various operational departments. They will know how to build a program that meets the letter and spirit of the law. As long as they have the cross-functional authority needed to get buy-in for such a program, they should be able to succeed at managing third party risk.

Risk Management

Some organizations are big enough to justify having a separate risk management department. In this case, TPRM responsibilities would obviously go here. However, risk departments often have responsibility for multiple risk domains (legal, environmental, etc.), depending on the industry. They also may not have the deep technological understanding needed to assess that kind of risk. They can be more effective in the job if they set up liaisons with the IT and information security departments in order to get the subject matter expertise they need to properly rate third party risk.

Legal

In some cases, TPRM falls under the legal department, since lawyers are often trying to offset risks when they create contracts. However, the risk here (no pun intended) is that they might take too legalistic an approach and rely solely on contracts and liability assumptions to cover risk, which only works after you’ve been breached. It also assumes a solvent vendor able to make restitution, and as we saw in the LabCorp/Quest Diagnostics breach, the underlying vendor that caused the breach (a small collections company) quickly went bankrupt and left its clients holding the bag. While contracts are important in TPRM, they are only part of the overall management of third party risk.

Purchasing and Procurement

These departments might seem like natural fits to run a TPRM program, since they deal with all vendors serving the organization, and they should certainly be involved in the TPRM process. However, their responsibilities range over a wide variety of vendors (raw materials, office supplies, etc.), only some of which will need remote access. Like the other departments discussed above, they usually don’t have the security or technology expertise to judge the risk levels of different vendors and modes of access, so they are not a great place to house a TPRM process. However, their buy-in is critical in order to insert the TPRM steps at the very beginning of a vendor relationship. They can also be a good cross-check of your program to make sure you’ve captured all vendors and third parties who have access to your company’s digital assets.

Getting a TPRM program up and running is vital to your organization’s cybersecurity and compliance posture. Assigning TPRM to any department is a big step in the right direction, regardless of who handles it, and getting the right ownership group and buy-in from the various stakeholders will help ensure that your TPRM program is a long-term success.
