Third Party Vendor Risk Management (TPVRM) is the process of due diligence and controlling risks presented to your company, your data, your operations, and your finances by parties OTHER than your own company. Due diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
Who are the third parties?
- Joint Ventures
- Fourth parties
- Fifth parties
Why does your business need a Third Party Vendor Risk Management Plan?
- Reduces likelihood of data breach costs
- Reduces likelihood of costly operational failures
- Reduces likelihood of vendor bankruptcy
- Regulatory mandates may require it
- Prudent due diligence is an ethical obligation
- Focuses audit effort where the risk actually is
- Within the enterprise risk portfolio, third parties may represent the organization's highest risk exposure
Third Party Vendor Risk Management Findings:
- 70% of companies do not adequately check their third parties' security posture, yet over 90% say they will INCREASE their use of third parties
- Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches
- Effective TPVRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes
- Given the risk exposure and costs involved, TPVRM can be the single most cost-effective risk management program that a company can implement, and internal audit and InfoSec can contribute in many significant ways.