Top Questions CISOs Ask about Third-Party Risk Management

By Chris Murphey


Over a recent period of eight weeks, I was on the road during a six-city tour, engaging in conversations with roughly 150 CISOs during events hosted by the CISO Executive Network. It’s exciting, both for me personally and Rsam as a company, to have a front row seat with the executives to learn about what’s working for them, where their challenges lie, and how we can tailor our platform to help them overcome some of their hurdles.

As a client partner at Rsam, I get to be a GRC advisor to our clients and I'm essentially included with licensing the product. The moment a client wants to do business with us, I get to jump in and focus on three things: 1) helping them avoid the pitfalls in their GRC implementation and determine how prepared they are for the journey ahead, 2) creating an understanding of how to articulate success, measure it and share that across the organization, and 3) guiding them through implementation.

These sessions with the CISO Executive Network enabled me to share some of these experiences with the leaders in this space and learn from their expertise.

At most of these events, I spoke about third-party risk management, specifically centered around a very provocative question: How can my organization manage the workload of 2,000 suppliers, roughly $2,000,000,000 in spend and only do it with five resources? (You can insert your own numbers to create the version of the question you're probably trying to answer.) 

Here’s what we learned from their most common challenges and questions.

Is automation the only way to solve the problem of third-party risk management with limited resources? 

In reality, many factors come into play. It’s about people, processes and technology. Automation surely helps, but if you automate a bad process, or put an unskilled workforce behind that automation as its backbone and brain, you end up with something worse than you had before. Your organization must be open to adopting a new mindset and way of working around the process and the people. Evaluate whether they're ready first; only then can you apply automation and advanced technology to take things to the next level.

Do organizations of varying sizes share the same third-party risk management problems?

One of the things I loved about the tour was meeting companies of all different sizes, from startups in Palo Alto, to 100-year-old behemoths in the Northeast.

In terms of what they shared in common, companies just starting their VRM journey need to catch up with regulations emerging in their space. It’s a daunting task. You have to manage your own business now, as well as thousands of potential vendors.

The other common challenge is managing third parties that operate in a hosted environment or at a cloud provider. In these situations, the question is not how to get started, but how to evolve: what are the best practices for covering more ground and feeling more comfortable advising a board on how the company will be successful with third-party risk management?

Regardless of the company size, it became apparent that it’s hard to get resources and investment. You need a solid understanding of what you're trying to achieve and how you're going to achieve it so you can pitch a good business case to the people who control the purse strings. You have to make them understand why you need this money and what you can provide back to them. 

The key for companies doing this well is focusing on how you can provide value across silos within an organization and not just ask for an investment in vendor risk management, but ask for an investment in your business and its bottom line.

Is a platform or tool the most important element of third-party risk management, or should an organization consider other factors during the RFP process? 

There are a lot of tools out there that are very flexible that can eventually be configured to do almost anything. When you release an RFP and everybody can say “Yes” to everything, you also must consider how committed the company providing the solution is to your risk and compliance journey.

The first version of your approach to VRM is going to reach its end at some point. Your organization will be required to evolve to meet a new regulation, a new level of risk tolerance, or new demands in the marketplace. The solution you choose should be backed by a company that can create a roadmap that takes into account your current needs, intent, people, processes and technology, and the steps needed to evolve.

Who should own third-party risk management in the organization? 

It's a common question, and what drives the answer for most organizations is the industry-specific regulations and guidance that indicate where these types of things need to be established. The regulations drive corporations to say this is a compliance need, or this is a procurement need, or this is an operations need. Organizational charts will ultimately articulate where ownership is allocated based upon the perceived focus of the regulation. That said, there are highly effective models that are hard to glean from an org chart alone.

I have had the opportunity to stand up a vendor risk management program for a Fortune 25 organization, and we worked to develop a methodology that really worked well. We’ve applied that methodology to our clients here at Rsam. It’s a center-led program where someone at the helm governs the process of vendor management, which is a very inclusive set of processes covering a large scope of work across the organization.

However, other agents in the organization play roles in the effort. For instance, a security lead helps on the security and safety side, alongside leads in compliance, operations, performance and legal. This center-led approach is the only way to break down the inefficiencies of the silos, and it must be backed by an application or technology that is flexible and allows you to grow and manage a workload of that size.

How do you prioritize vendor assessments?

That question speaks to the battle organizations fight with resources. There are a few ways to approach the question of prioritization. 

Most importantly, you need a vendor governance policy in place. It can't be just a few bullets that say your company will evaluate all critical vendors every three years. It needs depth and weight and should be audit-defensible. Part of that policy should define the way you risk-rank and rack-and-stack your vendors based on the type of work involved and what your company finds risky. I encourage you to spend your time on that rather than on the administration of an assessment program. Once you have that in place, you can find tools that automate the administration of an assessment, so you spend more time on risk management and risk governance than on risk administration.

How do you ensure that third parties will participate in your assessments? 

I've seen companies require participation through their contracts with third parties in the hope that the contractual obligation ensures participation. I’ve also seen companies with extensive vendor management organizations that micromanage the relationship, risk and performance of the vendor, seeing it as an extension of their company. 

Above all, you have to make participation easy for your vendors. Have a simple, hosted interface where vendors can fill out answers to a questionnaire, provide documents, and avoid getting on the phone with you, spending hours of their time because your requests are not clear. That is one thing that really helps with adoption and participation in such a program. 

There are also clever ways outside of technology that work, such as participating in a consortium where a vendor is assessed on behalf of many companies at the same time.

You should also focus on the vendors that matter. You don’t want to be in the business of evaluating hundreds or thousands of vendors every year. Strive to focus on data-driven scoring and prioritization efforts, so you only go after the ones that matter. 
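The risk-ranking and workload arithmetic behind the prioritization advice above, as an added example that is not Rsam's code or scoring model: the weights, tier cut-offs, reassessment cadences, 16-hour-per-assessment estimate and sample vendors are all assumptions constructed for illustration, and the capacity check uses the five-person team from the opening question.

```python
from dataclasses import dataclass

# Weights, tier cut-offs and cadences are assumptions for illustration; a real
# program fixes them in the vendor governance policy described above.
WEIGHTS = {"data": 0.4, "access": 0.3, "criticality": 0.2, "spend": 0.1}
TIER_CADENCE_YEARS = {1: 1, 2: 2, 3: 3}  # tier 1 yearly, tier 3 every three years

@dataclass
class Vendor:
    name: str
    data: int         # 0 none .. 3 regulated data (e.g. PHI, cardholder data)
    access: int       # 0 none .. 3 privileged system or network access
    criticality: int  # 0 .. 3 business impact if the vendor fails
    annual_spend: float

def inherent_risk(v: Vendor, max_spend: float) -> float:
    """Weighted 0..1 inherent-risk score; spend is scaled by the largest contract."""
    spend_factor = v.annual_spend / max_spend if max_spend else 0.0
    return (WEIGHTS["data"] * v.data / 3 + WEIGHTS["access"] * v.access / 3
            + WEIGHTS["criticality"] * v.criticality / 3
            + WEIGHTS["spend"] * spend_factor)

def tier(score: float) -> int:
    """Rack-and-stack: tier 1 is assessed first and most often."""
    return 1 if score >= 0.6 else 2 if score >= 0.3 else 3

def rank_vendors(vendors):
    """Return (name, score, tier) tuples sorted highest risk first."""
    max_spend = max(v.annual_spend for v in vendors)
    scored = [(inherent_risk(v, max_spend), v.name) for v in vendors]
    return [(name, round(s, 2), tier(s)) for s, name in sorted(scored, reverse=True)]

def annual_workload(ranked, hours_per_assessment=16.0):
    """Assessments per year implied by the cadence, and analyst-hours needed."""
    per_year = sum(1 / TIER_CADENCE_YEARS[t] for _, _, t in ranked)
    return per_year, per_year * hours_per_assessment

def fits_capacity(hours_needed, analysts=5, hours_per_analyst=1000.0):
    """Does the implied workload fit the assessment team's yearly capacity?"""
    return hours_needed <= analysts * hours_per_analyst

# Constructed sample vendors (not real data).
SAMPLE_VENDORS = [
    Vendor("CloudERP", 3, 3, 3, 5_000_000),
    Vendor("PayrollSaaS", 3, 1, 2, 400_000),
    Vendor("MarketingAgency", 1, 1, 1, 800_000),
    Vendor("OfficeSupplies", 0, 0, 1, 50_000),
    Vendor("Catering", 0, 0, 0, 20_000),
]
```

Running `rank_vendors(SAMPLE_VENDORS)` puts the two vendors holding regulated data in tier 1 and the low-impact suppliers in tier 3, so the cadence, not the raw vendor count, decides how many assessments the team must run each year.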

The Rsam platform is natively designed as a security assessment manager, as a risk processing and prioritization engine. It has that in its DNA, so you can classify and augment your risk scoring models. You can rack-and-stack them in the platform and interact with the information through our BI and our visualization tools, enabling you to make informed decisions with that data. 

How important is VRM and how well-equipped are most organizations to handle its demands? 

I wanted to get a sense of which companies are discussing VRM at a board level and how ready are those boards to engage in detailed discussions around it.

I asked who is getting top-down requirements and support from their board or their executive team around VRM, and 80 to 90 percent of the CISOs in the room raised their hands. Then I asked whose board has someone on it with a security or technical background to really care in depth about VRM and guide it. Nearly all hands went down.

That tells me that while it is top of mind and really in need of attention, we don't necessarily have all of the positions in place at the board level that are needed to be effective. We’re currently all working from the bottom up to meet a top-down requirement. 

How important is a common language around third-party risk management? 

I also heard questions like: what's the difference between a third-party vendor and a fourth-party vendor? Where do fourth parties fit into this, or are they just another type of third party? And so on. What we started to realize was that we have a hard time talking to each other. It's like we're speaking different languages because we have so many different words for the same thing: some regulations call it third-party governance (TPG), while others call it third-party risk management (TPRM) or vendor risk management (VRM); in health care, there is an entire nomenclature prescribed by the Centers for Medicare and Medicaid Services (CMS) guidelines, known as First-tier, Downstream and Related entities (or FDR).

As a group, we decided that “vendors” are the people that serve you hot dogs at a carnival and that “third-party” is really a better name overall that encompasses parties outside your organization. And then below third party you have things like fourth parties and related entities that engage with you through your interactions and terms of use and conditions.

In Conclusion

I have a passion for this area of practice and for challenging the status quo on this daunting problem. I enjoyed validating and evolving my perspectives with a large audience of executives. And I believe we all know 80-90% of the pain and problems to overcome in this space, but where we fail ourselves as practitioners is living in that pain and checking the box on process execution.

We can serve ourselves better by sharing best practices, focusing on continuously improving a third-party management program, and pointing out where we are organizationally ill-equipped from the top down to make real headway on third-party management. Please reach out to engage with me or us, to share your thoughts and comments, or if you want to talk about best practices in this space.