Third Party Service Provider (TPSP) risk management has been a hot topic in recent years, and there’s certainly a tumultuous history of risk and compromise when engaging with these organizations.
As related conversations take place across organizations’ risk and security teams, the common question naturally arises: what can a consulting company actually do to improve TPSP risk management?
Last month we wrote about a few best practices that Fastrics recommends to improve your vendor risk management program (check it out if you haven’t yet!), and now we’re shedding light on how we can help you develop a comprehensive TPSP risk management program.
At Fastrics, we can audit your organization’s existing program or develop a customized risk management program for your organization.
In an audit, we evaluate the organization’s TPSP risk management program to ensure that all key external relationships are appropriately managed and monitored.
We take several things into consideration when completing an audit, including:
Program governance, including policies, standards, and procedures;
Key procurement integration points, including engagement initiation and final legal and/or contracting sign-off;
Service provider risk classification and integration with data governance processes;
Standardized due diligence, assessment, and re-assessment; and
Legal and/or contracting requirements for confidentiality, availability, integrity, right to audit, and indemnification.
For establishing and executing a TPSP risk program, we have five core steps at Fastrics:
Establish a vendor risk governance program (i.e., policies, procedures, and management ownership and oversight);
Identify existing vendors;
Profile vendors and assess inherent risk;
Assign vendor risk category;
Perform and track ongoing assessments.
We first take a look at the organization’s current TPSP risk program to see whether it was created in-house or outsourced. From there, we update or create the related program governance documentation. Then, we collaborate to establish vendor data collection processes (manual or through a GRC system), the expected format of review artifacts, and how those artifacts are maintained. Afterwards, we develop a TPSP inventory and its associated context. This can include the business processes each vendor supports, the data elements stored, compliance impacts, regulatory requirements, and more.
Once that is completed, Fastrics will establish risk assessment and reassessment timelines and escalation paths for the organization. Throughout the process, we will collaborate with senior leadership regarding the process and timeline expectations.
If your organization needs support in developing your TPSP risk management program, Fastrics is here to help. Contact us directly to discuss how we can help support your organization with vendor risk management.