Common Pitfalls in Third-Party Risk Management

David is the Senior Director of Information Security for ReSource Pro.

What is the purpose of third-party risk management?

There’s a key question every insurance organization should ask before signing on a new third-party service provider: “Why do we trust them?” After all, signing on a business partner has the potential to expose your business to risks that could negatively impact your customers, reputation, and revenue.

That’s why businesses use third-party risk management (TPRM), a process designed to help them understand and address risks they could be exposed to when working with contractors, infrastructure providers, and service providers. Unfortunately, because the process is complex and can be challenging to perform, businesses often fail to conduct it effectively or neglect it altogether.

In this article, we’ll explore three common reasons third-party risk management fails, including:

  • Failure to identify risk
  • Omission of key steps
  • Lack of accountability

Failure to identify risk

Most third-party vendors, such as a supplier of office furniture, won't pose a meaningful information security risk to your organization, but how can you tell which of them do? This is a common challenge for businesses, and it can be addressed by answering three screening questions for each vendor:

  1. Does delivery of critical business services depend on the vendor?
  2. Do they store, work with, or process sensitive information, especially personally identifiable information?
  3. Is significant IT integration required to work with them, such as network connectivity, API access, or accounts on your systems?

If the answer to any of the above questions is yes, the third-party risk management process should be invoked and a risk assessment carried out before the contract is signed. If the answer to each is no, procurement can proceed through its normal process. Because a vendor's role can change after onboarding, re-run the screening whenever the scope of an engagement changes, for example when a vendor that started with no access to your data or systems is later granted it.

Omission of key steps

During the risk management process, organizations typically ask the third party to complete a Standardized Information Gathering (SIG) questionnaire. Depending on the version used, these questionnaires range from roughly 330 to 1,200 questions and are designed to help businesses gather the information needed to carry out a risk assessment.

Too frequently, organizations take the questionnaire responses at face value and never conduct an actual risk assessment. The responses are self-reported by the vendor and need to be interpreted, whether by the information security team or the risk department, to determine the smallest and largest potential impact the vendor could have on the business and, from that, the level of risk the vendor presents: high, medium, or low. For vendors that land in the high tier, the interpretation should also draw on corroborating evidence for key answers, such as an independent audit report, rather than relying on the questionnaire alone.

Lack of accountability

A common reason third-party risk management fails is that no individual or team within the organization is held accountable for ensuring the process is carried out how and when it should be. Because the process touches multiple business areas and departments, such as legal, accounting, and IT, key leadership should be briefed on the process, understand and approve it, and help coordinate all parties involved. This includes:

  • C-suite and SVPs
  • Talent (HR)
  • The teams that directly participate in the process: accounts payable, procurement, legal, internal audit, and security

Protect your business’ value

As cyber risk increases and insurance organizations depend more and more on cloud services and third parties, effective third-party risk management is more critical than ever to protecting your business' value proposition and customer relationships.


Do your business partners prioritize security? Let’s talk about how ReSource Pro can securely support your insurance organization.