
8 Things to Look At When Assessing Third Party Risk


June 21, 2016 By //  by Bryan Strawser

By this point, your company should know why it’s important to manage risk and invest time and money into business continuity. What many businesses fail to realize, though, is how vulnerable they are due to the third parties and vendors they work with.

Here is some important information that you need to be aware of regarding third-party risk:

  • Most companies rely on third parties. A recent survey found that two-thirds of all companies rely extensively on third parties, and another 34% rely moderately on them. In fact, only 1% of all companies operate independently of third-party vendors.
  • Most global data breaches occur due to a vendor. An investigation of 450 major data breaches that happened in 2013 found that 63% were a third party’s fault.
  • We don’t have a clear consensus on why this happens. A study by the Ponemon Institute on the main causes of data breaches came back inconclusive: malicious attacks, negligence and human error, and system glitches each caused about one-third of the breaches, which means that you need to focus equally on all three.

It’s clear that managing your third-party vendors is just as important as managing your own internal risk. The problem is that it’s much more difficult to assess and manage the risk of another company than it is your own. To help you out, we have put together eight important things you must look at when assessing third-party risk.

1. What Do Our Service Agreements Say?

Managing your contracts is one of the most important aspects of managing your vendors. Avoid lower-end contract management solutions: the contract records they hold are usually difficult to pull and often incomplete, capturing only headline information such as renewals and expiration dates.

You’ll want to initially review your contracts to see how they store and secure your valuable information, and whether or not they’re liable for breaches that affect you. You should continue to review these every year or two to ensure that they’re keeping up to date with the latest security standards.

2. Are Our Solutions Intuitive For Vendors?

If your risk management solution confuses your vendors, it’s not going to produce the results you want. Your company can figure out how to use a convoluted system, but your vendor is managing many different clients. They’re not going to have the chance to master your processes if those processes are too involved.

For best results, include your vendors as you implement a third-party risk management solution. Make sure they’re on board and know how to handle everything, and you’ll have a much more reliable and efficient solution.

3. Are We Focused on the Most Important Relationships?

Before taking the time to measure the risk factors for every single third-party vendor, you need to prioritize a bit. Managing all of your vendors is a monumental task, so it’s better to focus on the most important third parties first. Do this by taking a look at your most critical business processes and identifying which third parties are closely involved in them. Get started by investing most of your effort in these vendors before branching out and managing the less involved ones.

4. How Do We Measure Third Party Risk?

Since there are many different factors that lead to third-party breaches, you need to measure every risk factor for each vendor. Your assessment needs to include a wide variety of metrics, compiling a score for each third party to see how risky or safe they really are. Some of your metrics should include:

  • How risky each vendor is as a business. This includes traditional geopolitical risk factors.
  • The information that each vendor is exposed to.
  • Who has access to your information in their organization.
  • How your information is stored by their organization.
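As an added illustration (not code from the article), the following Python sketch turns the four metrics above into a composite vendor score, then applies the prioritization from section 3 (critical-process vendors first) and the contract review cadence from section 1. The weights, the 1-to-5 scale, the two-year review limit and the sample vendor register are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Weights are an assumption for illustration: the article names the four factors
# but gives no weighting. Each factor is scored 1 (lowest risk) to 5 (highest).
WEIGHTS = {
    "business_risk": 0.25,      # how risky the vendor is as a business (incl. geopolitical)
    "data_sensitivity": 0.30,   # sensitivity of the information the vendor is exposed to
    "access_breadth": 0.20,     # how widely your information is accessible inside their org
    "storage_weakness": 0.25,   # how weakly the information is stored (5 = weakest controls)
}

@dataclass
class Vendor:
    name: str
    factors: dict             # factor name -> score 1..5
    critical_processes: int   # number of your critical business processes it supports
    last_contract_review: date

def risk_score(vendor):
    """Weighted composite on the 1..5 scale; rejects missing or out-of-range factors."""
    for key in WEIGHTS:
        score = vendor.factors.get(key)
        if score is None or not 1 <= score <= 5:
            raise ValueError(f"{vendor.name}: factor {key!r} must be scored 1-5")
    return round(sum(WEIGHTS[k] * vendor.factors[k] for k in WEIGHTS), 2)

def tier(vendor):
    """Vendors tied to a critical business process are assessed first."""
    return "critical" if vendor.critical_processes > 0 else "standard"

def contract_review_overdue(vendor, today, max_age_days=730):
    """Contracts should be re-reviewed every year or two; two years is the assumed limit."""
    return (today - vendor.last_contract_review).days > max_age_days

def prioritize(vendors, today):
    """Critical-tier vendors first, highest score first within each tier."""
    ordered = sorted(vendors, key=lambda v: (tier(v) != "critical", -risk_score(v)))
    return [(v.name, tier(v), risk_score(v), contract_review_overdue(v, today))
            for v in ordered]

# Constructed sample register (fictional vendors, scores and review dates).
AS_OF = date(2016, 6, 21)
SAMPLE_VENDORS = [
    Vendor("PayrollCo", {"business_risk": 2, "data_sensitivity": 5,
                         "access_breadth": 4, "storage_weakness": 3}, 2, date(2014, 1, 15)),
    Vendor("CateringLtd", {"business_risk": 1, "data_sensitivity": 1,
                           "access_breadth": 2, "storage_weakness": 2}, 0, date(2016, 1, 10)),
    Vendor("CloudHost", {"business_risk": 3, "data_sensitivity": 4,
                         "access_breadth": 2, "storage_weakness": 4}, 1, date(2015, 9, 1)),
    Vendor("MarketingAgency", {"business_risk": 4, "data_sensitivity": 3,
                               "access_breadth": 5, "storage_weakness": 4}, 0, date(2013, 3, 1)),
]

def prioritized_sample():
    """Prioritized review list for the sample register as of AS_OF."""
    return prioritize(SAMPLE_VENDORS, AS_OF)

if __name__ == "__main__":
    for row in prioritized_sample():
        print(row)
```

Note that MarketingAgency carries the highest raw score yet sorts below the critical-tier vendors, which is the point of section 3: score within the tier you have already prioritized, rather than across every vendor at once.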

5. Do I Know How Each Vendor Secures Our Information?

It’s not enough to know how risky your vendors are, or what they’re contractually obligated to do. You need to know their specific controls and processes. Speak with your vendors to find out what controls they have already implemented, and how effective they are. See if they’re willing to collaborate with you to find a way to mitigate risk even further.

Get started by having each third party cover how they handle risk prevention, detection, and response. The conversation should flow naturally from there.

6. What Are Our Escalation and Governance Processes?

Your company has many different departments and employees managing their own third-party vendors, so it’s important to have centralized governance for third-party risk. Typically, this is handled by your IT department. Give them the power to make important risk decisions, including whether or not a vendor is too risky to deal with. By giving a single team ownership of the process, management will be simple and accountability will be clear.

7. Do We Have the Tools We Need?

A clear risk management process with thorough assessments, clear governance, and third-party buy-in can only be as successful as the tools supporting it. Make sure your organization has everything it needs to track and maintain risk analysis data, make the workflow easy to manage, and help your management by providing them with up-to-date, actionable recommendations. Usually, this is handled by several different solutions, but your best bet is finding a risk management partner who can assist you with all three.

8. Have We Developed Processes That Enable Constant Improvements?

Like any other business process, you need to make sure your third-party risk management is scalable, sustainable, and open to continual improvement. Make sure that you are constantly evaluating each vendor’s risk score and the effectiveness of your program. Speak with your vendors regularly about any potential threats to their business or yours, and bring in a risk consultant to help you review everything every couple of years.

If you need assistance assessing and managing your third-party risk, we’re here to help. Make sure to secure your workplace from internal and external threats by reaching out to us today!


Can we help you?

We’ve developed the Third Party Risk Management programs used by many members of the Fortune 500, helping to reduce their risk from disruptions many weren’t even previously monitoring. We can do the same for you.

Contact us online or give us a call at +1.612.235.6435 and we’d be happy to talk further about how we can assist you with your current challenges.

Category: Business Continuity. Tags: Business Continuity, business continuity management, third party risk, third party risk management, tprm, vendor risk, vendor risk management

About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

