Third Party Risk Management
Third party risk management is the process of continuously monitoring, evaluating and reporting on all your third parties and their potential risk to your organisation. Managing the risks a single third party could present is challenging enough, but what happens when you have tens or even hundreds working for you? Continuously assessing them is very costly and time-consuming, to say the least.
Organisations of all sizes have their challenges when it comes to dealing with vendors. These include vendor cybersecurity awareness, completing risk assessments, and reporting.
Appropriate documentation must be collected from vendors, verified and stored, and then aligned to completed assessments to evaluate the risk presented by vendors.
Because vendor documentation is tied to legal and internal compliance obligations, small and large organisations alike often struggle to obtain it from their vendors. Continuous back-and-forth communication is needed to determine the state of completion from the various responsible parties, and this results in inefficiencies.
One of the biggest challenges today lies in knowing the state of your vendors’ cybersecurity controls. This relates directly to privacy, compliance and your corporate reputation. As such, it’s crucial that vendors be investigated to ensure compliance with your governance standards (e.g. COBIT, ITIL or ISO 27001) and with legislation such as the General Data Protection Regulation (GDPR) and the Protection of Personal Information Act (POPIA). Case in point: several companies were fined significantly in 2019.
Over time, companies have begun implementing vendor management processes to monitor risk. These typically consist of Excel spreadsheets and physical audits. The problem is that such processes are inefficient, manual, error-prone and not scalable, and the situation is compounded when naming convention standards are not maintained. The result? Data integrity is lost.