Large increases in third-party incidents, breaches, compliance issues, and supply chain disruptions have led many organizations to adapt third-party risk management (TPRM) programs to address emerging risks outside of the IT realm.
A third party is any entity with which a business works. These include suppliers, vendors, business partners, and the service providers it uses.
Risk assessment starts with the identification of hazards (factors with the potential to cause harm). Determining whether a hazard poses an acceptable risk requires an understanding of the severity of the harm and the likelihood that an event associated with this hazard will occur. An additional factor, which can affect the acceptability of the risk, is the strength of any detection method in place. A detection method that provides an early warning that an event is unfolding is superior to one that only provides a post-event signal, because it leaves time to contain the impact.
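The following is an added illustration of the three-factor assessment described above, not material from the page or from the Prevalent report. It scores constructed third-party hazards on severity, likelihood and detection strength using an FMEA-style risk priority number (RPN = severity × likelihood × detection); that multiplicative formula, the 1..5 scales and the tolerance threshold are assumptions made here for the example, since the text names the factors but prescribes no formula. The detection scale is ordered so that an early-warning control scores low and a post-event-only signal scores high, which is what makes the same hazard drop from "treat" to "accept" when monitoring improves.

```python
"""Third-party hazard scoring (added example; formula and scales are assumptions).

RPN = severity * likelihood * detection, each on a 1..5 scale, higher is worse.
For detection, an early-warning control scores 1 and no detection scores 5, so
weaker or later detection raises the score, as the text above describes.
"""
from dataclasses import dataclass

SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Detection strength: how early the control in place would signal the event.
DETECTION = {
    "early warning": 1,    # e.g. continuous monitoring alerts before impact
    "near real time": 2,   # e.g. SIEM alert on the vendor's access within minutes
    "periodic review": 3,  # e.g. quarterly questionnaire or audit
    "post-event": 4,       # e.g. you learn of it from the vendor's breach notice
    "none": 5,
}


@dataclass(frozen=True)
class Hazard:
    third_party: str
    hazard: str
    severity: str
    likelihood: str
    detection: str

    def rpn(self) -> int:
        """Risk priority number: severity * likelihood * detection."""
        return (SEVERITY[self.severity]
                * LIKELIHOOD[self.likelihood]
                * DETECTION[self.detection])


def assess(hazards, tolerance: int):
    """Return (hazard, rpn, acceptable) triples, worst first.

    A hazard is acceptable when its RPN is at or below the tolerance; the
    tolerance value is a policy choice and the 24 used below is illustrative.
    """
    scored = [(h, h.rpn(), h.rpn() <= tolerance) for h in hazards]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register for the example (not real vendors or findings).
# The two payroll entries are the same hazard with different detection
# controls, to show how detection strength alone changes the outcome.
REGISTER = [
    Hazard("Payroll SaaS", "credential theft exposing employee PII",
           "major", "possible", "post-event"),
    Hazard("Payroll SaaS", "credential theft exposing employee PII",
           "major", "possible", "early warning"),
    Hazard("Parts supplier", "factory outage halting deliveries",
           "critical", "unlikely", "periodic review"),
    Hazard("Cleaning contractor", "unescorted access to office floors",
           "minor", "likely", "near real time"),
]

if __name__ == "__main__":
    for h, score, ok in assess(REGISTER, tolerance=24):
        verdict = "accept" if ok else "TREAT "
        print(f"{score:3d} {verdict} {h.third_party}: {h.hazard} [{h.detection}]")
```

Run stand-alone, the register prints worst first: the payroll hazard with only post-event detection scores 48 and is flagged for treatment, while the identical hazard with early-warning monitoring scores 12 and falls within tolerance. The supplier outage (30) is also flagged despite being unlikely, because its severity and slow periodic detection dominate.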
The trend for organizations to extend risk frameworks beyond information technology has been picked up by the company Prevalent. The firm has released a report titled "2022 Third-Party Risk Management Industry Study", which details the state of TPRM today in light of best practices and modern global realities.
The importance of third-party risk assessments is borne out by a key finding of the report: 69 percent of organizations have experienced a data breach or other security incident due to poor vendor security.
The report finds that organizations are paying more attention to non-IT security risks. While this is not a revelatory finding for those who practice health and safety assessments or who are involved with pharmaceuticals and healthcare (areas that have deployed risk frameworks for decades), the extension into other areas is often novel.
As an example, 40 percent of respondents manage both IT and non-IT vendor risks. Despite this trend, 45 percent of TPRM programs still focus primarily on IT vendor risk.
There are signs that TPRM is becoming more strategic: 67 percent of those surveyed indicated that their TPRM programs have more visibility than the year prior. This is likely a response to surges in third-party vendor and supplier-related incidents such as the Log4j vulnerability, the Toyota supply chain breakdown, and other events of concern.
As for how these assessments are performed, manual methods persist: 45 percent of respondents still use spreadsheets to assess third parties. Whether such tools are adequate is debatable. Many organizations report increased concern about damaging third-party security incidents, yet they also lack effective tools to assess and monitor those third parties.
