[author: Carol Williams]
NAVEX recently hosted a webinar with Carol Williams, CEO and Principal Advisor at Strategic Decision Solutions, where she discussed best practices for evaluating and advancing third-party and IT risk management programs.
The importance of TPRM and ITRM practices has never been greater and organizations must mature these programs to adequately secure their organization and protect customer information. In this post, Carol Williams answers the questions we received during the webinar. To watch the full webinar, you can access the recording here.
What is the best model for IT risk, third-party risk, and enterprise risk management to work together? Should they all be the same group or three separate groups?
IT risk requires such expertise and collaboration with technology people that it is best suited to be part of IT. IT risk oversight should be handled by internal audit or a similar function, and IT risk should work closely with enterprise risk management to ensure management has accurate and complete information on risk priorities and risk management strategies.
There is such a heavy operating element when it comes to third party risk. In fact, it can be an obstacle to enterprise-wide risk management to be so tightly coupled to third-party risk within the same group. The third-party risk focuses on two areas – end-to-end processes and individual supplier management. You can’t manage individual vendors when you’re supposed to focus on strategy and business. Remember that these three different areas don’t have to be in the same group to work and coordinate together.
Many companies manage IT vendors separately from all other vendors. What is the best way to help the organization understand that all external parties should be evaluated unless they are a separate HIPAA-covered entity?
IT vendors should be managed consistently with all other organizational vendors. To ensure this happens, I strongly recommend using messages to the organization along these lines: IT is there to support the business, the organization as a whole. Therefore, IT vendors are simply an extension of IT. The business must be assured that relationships with IT vendors are maintained to the same standard as any other business vendor.
How about a discussion on OFAC/DOJ/Sanctioned List Research?
All organizations in the US are required to avoid transactions with individuals and companies on the watch list maintained by the Office of Foreign Assets Control (OFAC). If your organization is not currently conducting OFAC screening, it is imperative to develop a process and start immediately.
How does the Risk Committee charter make it easier to administer TPRM?
The Risk Committee Charter is simply a document that sets out the responsibilities of the Risk Committee. Risk Committee members must continually demonstrate their support for TPRM through words and actions. The charter itself will not facilitate TPRM; however, it may indicate that the Risk Committee is responsible for overseeing TPRM outcomes and providing guidance to the TPRM team on actions taken on high-risk vendors.
Our intermediary management program differs from our vendor/supplier management. Is this common as the question often relates to third party risk management as a whole?
Interesting distinction as intermediaries are typically viewed as the organization’s vendors. (See the image embedded in this summary article published after the NAVEX Next TPRM session.) I would think that there is a significant amount of duplicate work being done between these two programs. Instead, it would be great if agent management was part of the vendor/supplier management program, and if there are specific questions aimed at agents, you should include those based on the type of vendor.
What type of key risk indicators/metrics would you use to support the case for increasing maturity, or to support the current maturity assessment, for both TPRM and ITRM?
It would be difficult to use KRIs to support increasing maturity. By asking management a few pointed questions, their answers can make arguments for you. Here are some questions you can ask:
- Do you think risk management gives you the information you need to make timely decisions?
- Does TPRM/ITRM share insights and information you didn’t already have?
- Do you want to see more value from TPRM/ITRM?
If you absolutely need metrics, some examples would be:
- Number of IT incidents that required a response and that should have been prevented
- Number of providers without interaction with the organization in the last year
How do we use NAVEX IRM for TPRM?
A key element of any TPRM program is the ability to assess, identify, monitor, and manage third-party risk through automation, centralization, and data visualization. NAVEX IRM enables organizations to conduct effective due diligence on partner compliance with regulations, policies and practices, integrate this information with risks across the organization, and manage a regular cadence of assessments against the values and processes that your organization aspires to. NAVEX IRM achieves this through:
- Assessing and continuously monitoring all aspects of a third party’s risk, from assessment to onboarding and throughout the relationship
- Applying increased due diligence and assessing an organization’s regulatory, business and accountability metrics
- Gaining an ongoing understanding of the risks that each third party poses and addressing them as they arise
- Managing corrective actions and escalations in one place when risks arise
All of this helps organizations gather operational, information security, financial, and compliance risk information in one place to better understand the risks each third party poses. In addition, NAVEX IRM’s business continuity management capabilities enable organizations to plan for and prepare for business disruptions involving third parties in order to minimize their impact.
To learn more about how to assess and mature IT risk and third-party risk management programs, watch the webinar.
View the original article at Risk & Compliance Matters