In this first article in our series “Breaking Down Siloes: The Power of Collaboration in TPRM”, we zoom in on why cross-team collaboration on third-party risk management is crucial, and how to achieve it.
Supply chain attacks increased by 431% in only two years, and the number of impacted organisations has surged by 2600% in the 5 years leading up to 2023. Where does this leave TPRM?
TPRM is broken, so Risk Ledger is putting it under the microscope. Over the course of this year, Risk Ledger will investigate the people, product and process challenges with TPRM, and reveal how they can be fixed.
We begin by assessing the ‘people’ challenge facing TPRM and how it can be fixed through enhanced collaboration: internally between different cyber security functions, between organisations and their suppliers, and between organisations and their industry peers. We argue that strengthening collaboration in these three crucial relationship areas is key to better TPRM outcomes, including the identification and mitigation of concentration risks, and we show how it would solve the most pressing challenges with TPRM today.
It’s never been more important for businesses to understand and mitigate the risks posed by their third party suppliers and extended supply chain dependencies. In today’s digital world, every business is linked to a multitude of organisations by intricate and sometimes hidden digital connections. While IT security teams are fully aware of the need to identify these third-party relationships and the risks emanating from them, third-party risk management (TPRM) can only be truly effective if different teams across your organisation all play their part.
Only those teams working directly with suppliers, vendors and partners are fully aware of the relationships between your business and those it works with. The success of your TPRM programme therefore relies on IT security and TPRM teams in particular, together with procurement, threat intelligence, operational resilience, incident response and compliance teams, working closely together. This eliminates shadow IT and vendors that security teams are not aware of, and facilitates more complete information, faster incident response, and a greater awareness of risks in the extended supply chain for better resilience planning.
TPRM requires data and insights from every area of the business. Without internal collaboration, your business cannot develop a complete view of third-party relationships and gain a clear understanding of the associated risks. If any critical vendors are overlooked, you could underestimate the aggregate risk to your business. That means IT security teams won’t be able to provide an accurate view of risks to senior managers to inform their risk-management decisions.
A lack of collaboration on TPRM can also lead to compliance issues. If teams don’t communicate regularly with legal departments, they may not understand the regulatory and contractual obligations associated with third-party relationships. Internal collaboration with the procurement team is also vital for vendor risk assessment and onboarding. If onboarding is impeded by poor collaboration, it can strain relationships with new vendors, strain the relationship between the IT security and procurement teams, and impact the business operations that rely on them.
Collaboration between TPRM functions and incident response teams is equally essential for improving response times when supply chain incidents occur. Collaboration between these teams ensures that risks are identified early, prioritised effectively, and addressed swiftly, minimising potential damage. For example, aligning TPRM's vendor monitoring capabilities with incident response's containment strategies allows for rapid action when a zero-day vulnerability or breach affects a supplier. Such collaboration not only accelerates decision-making during crises but also enhances the overall resilience of the organisation’s supply chain.
The same is true for collaboration between TPRM, threat intelligence and operational resilience teams. Greater synergy between them allows for a more dynamic and adaptive TPRM strategy, enhancing the organisation's ability to detect, respond to, and mitigate supply chain cyber risks effectively. Threat intelligence teams can provide TPRM with real-time insights into emerging threats and vulnerabilities specific to the supply chain, enabling more informed risk assessments and prioritisation, while operational resilience teams can contribute their expertise in maintaining business continuity, helping to identify critical suppliers and develop robust contingency plans.
Without clear communication, teams may view TPRM as burdensome and obstructive, rather than an essential part of safeguarding the business. A well-established foundation of internal collaboration is vital if your business is to scale up its TPRM efforts and safely establish new third-party relationships as it grows.
Ultimately, a lack of collaboration will seriously hinder your response to a security incident originating at a third-party supplier. A swift and coordinated response is required whenever a security breach occurs, so that financial, reputational and operational impacts can be minimised.
Now that TPRM has become key to the overall cyber security of any organisation, it’s essential that everyone plays their part. Here’s our advice on how to facilitate collaboration across your business.
In any organisation, people are busy every day focusing on their core responsibilities and priorities. Motivating people to make time for TPRM means pressing upon them its critical importance to the whole business. Your first step in improving cross-team collaboration on TPRM is therefore education and training as well as instituting a cultural change.
Offer training on the value of TPRM to the business, and share case studies to demonstrate the importance of effective TPRM and the devastating consequences of failing to manage third-party risks. Show the benefits of working together to identify risks in an integrated way, including easing the burden on individuals, avoiding duplicated effort and enhancing the overall efficacy of TPRM.
Effective collaboration relies on clear and regular communication. Create dedicated channels for cross-functional communication on TPRM, using Teams, Slack or other familiar collaboration platforms. Put regular cross-team meetings in the diary to discuss TPRM progress and challenges, and enable teams to share best practice. Ensure actions and findings are recorded centrally for key stakeholders to access. You could also create liaison roles to facilitate communication on TPRM between departments.
Because TPRM is central to the success of any organisation, it should be possible to align TPRM objectives with broader company goals, such as protecting data, improving customer satisfaction and reducing costs. These cross-functional TPRM goals can then be incorporated into individual objectives and performance reviews, ensuring TPRM is a focus for everyone and gets the attention it deserves.
Technology can play a key role in simplifying and improving TPRM, as well as supporting data sharing and lessening the workload for individual teams. Vendor management software enables you to create a single source of truth for data on third-party suppliers. It can also be used to automate vendor onboarding and risk tiering.
TPRM has traditionally relied on supplier responses to risk-assessment questionnaires. IT tools can now automate and standardise these risk-assessment processes, saving time and improving accuracy. Continuous monitoring can be used to track risks constantly – rather than relying on periodic re-assessments. Advanced tools can also be used to identify emerging risks within your supply chain network, enabling you to take prompt and targeted mitigation action when necessary.
Improved collaboration cannot be brought about by processes and rules alone. You need to foster a culture of cross-team interaction, so that knowledge sharing becomes a natural part of working life. This can be encouraged by organising cross-functional workshops to address specific TPRM challenges. You can create communities to share TPRM expertise, experiences and resources.
To embed this culture of collaboration, new employees could be paired with experienced team members through mentoring programmes. This will help TPRM to be recognised as an integral part of your working practices from day one.
TPRM can only ever be effective if organisations have access to all available information about their third-party suppliers and the systems and processes those suppliers have in place, together with visibility into their extended supply chains and the ability to collaborate quickly across different teams when new vulnerabilities or incidents appear. No IT security team alone can shoulder all of this responsibility. That’s why managing third-party risks must be a whole-organisation priority.
Collaboration across teams is the most effective way to ensure TPRM programmes are comprehensive, worthwhile and effective. Every team must take responsibility, and by collaborating routinely they can help your business achieve the highest levels of protection against third-party risks.
In the next article in this series, we will focus on the importance of enhanced collaboration between organisations and their suppliers for better supply chain security outcomes. Stay tuned for more.