ThirdPartyriskebook

The document outlines critical steps for managing third-party risk, emphasizing the importance of understanding and mitigating risks associated with external business relationships. It identifies common challenges organizations face, such as lack of visibility and standardized processes, and proposes a comprehensive risk management strategy that includes assessing risk tolerance, identifying sources of risk, and continuous monitoring. QuestionPro offers a software-as-a-service solution to help organizations effectively manage and quantify third-party risk, ensuring compliance and protecting valuable assets.

Uploaded by

Ngueve Epalanga

THIRD-PARTY RISK MANAGEMENT:
CRITICAL STEPS TO SAFEGUARD YOUR BUSINESS RELATIONSHIPS

A QuestionPro Publication

By Paresh Amin, CISSP


Chief Information Security Officer (CISO)
Third-Party Risk Management: Critical Steps to
Safeguard Your Business Relationships

Third-Party Relationships
Risky Business
Virtually all organizations today rely on third-party relationships to support business operations.
Most enterprises depend on outsourcers, product vendors, third-party service providers, and
partners to improve efficiencies, be more competitive, and reduce costs. The harsh reality is that,
with added business value also comes added risk.

Maintaining operational integrity is a top priority for most organizations; however, a startling
number do not have processes in place to fully understand and manage the true business risk of
third-party relationships. Whom an organization does business with can dramatically increase risk
exposure, potentially threatening an organization’s valuable information assets, compliance with
industry regulations, and corporate reputation.

There’s clearly a lot at stake, and many companies do not have a unified view of corporate risk due
to the following roadblocks:

• Uncertainty: Managing risk is often low on the priority list for organizations, as the task
is daunting and raises questions about where and how to begin.
• Undefined methodologies: Without implementing a structured, proven approach to risk
management, organizations struggle to gain an accurate understanding of the potential
risks of third-party relationships.
• Lack of visibility: Risk management and compliance practices are typically managed in
silos, across internal departments and using individual point products, precluding the
ability to have a single view of the risk environment.
• Geographical barriers: Third parties are often located across multiple locations, making
it challenging to streamline the assessment, as well as track and report risk for all
relationships.
• Evolving data protection and privacy laws: Many organizations struggle to keep pace
with new regulations tied to data security, hampering the effectiveness of security
controls.
• Lack of standardized processes: Risk management processes need to be proactive and
flexible enough to adapt to dynamic business environments, yet structured enough to
ensure consistent analysis across multiple third parties.

For more information, contact our sales team at +1 (800)531-0228


© 2017 QuestionPro Survey Software

Risk Management False Starts


Limited Visibility
In an effort to manage third-party risk, organizations have traditionally adopted one of two types
of solutions: automated or manual. Automated solutions—web-based survey tools and online
compliance document repositories tools—typically address single aspects of the risk management
process, such as third-party risk assessment (via questionnaires), evaluation of existing workflows,
and IT control evidence collection. These solutions–while often providing robust data collection
capabilities—can lack the analysis needed to thoroughly determine overall risk to the enterprise.
On the flip side, some organizations rely on spreadsheets to help manage third-party risk by
compiling profile information and risk ratings through manual, time-consuming processes.

The reality is that both approaches result in an incomplete view of risk, potentially exposing
organizations to security breaches, violations of regulatory mandates, or loss of confidential
business data. Effective third-party risk management involves a hybrid approach: maximizing the
use of automated processes combined with built-in real-time risk analytics and rich automated
standardized risk reporting, in order to quickly and effectively determine accurate risk levels and
scores for your third-party population. Now imagine combining those feature sets, all
built within a SaaS-based platform that offers flexibility and continuous insight to understand,
manage, and monitor risk exposure. What you would have at the end is QuestionPro’s On-Demand
Risk Intelligence Management platform.

QuestionPro’s Vendor Risk Score Comparison


The way organizations have changed from having limited visibility to full visibility in terms
of risk and exposures related to their third-parties is through QuestionPro’s Risk Scores and
Reports. Finally, now organizations have visibility into this complex and critical business problem.
QuestionPro Risk Reports provide companies, who are concerned with protecting their data,
customers, and reputation, with an easy-to-use tool that quickly assesses risk and manages
compliance against a wide variety of risk frameworks.

Whether you are interested in assessing your third party’s compliance with HIPAA, VSA, BITS,
ISO27001, PCI guidelines or in developing your own customized assessment framework, this
on-demand software-as-a-service solution delivers quick and accurate results.

QuestionPro Risk Intelligence meets the risk and compliance management requirements of a
full range of business services, while drastically reducing costs. Risk exposure is quantified and
monitored.

A Comprehensive Risk Strategy


The Big Picture
Third-party risk should be evaluated as part of an overall risk management strategy. A single,
comprehensive approach is required in order to gain in-depth visibility into enterprise-wide risks
and allow decision makers to balance risks with business opportunities. While risks are unique to
each organization, when implementing new risk management procedures, most companies want to
achieve at least one of the following goals:

• Ensure information managed by third parties is secure
• Understand the risks of outsourcing data processing, IT management, or other functions
• Address exposure associated with shared infrastructure and applications
• Maintain awareness of service provider compliance
• Define and maintain security Service Level Agreements (SLAs) with service providers

But many organizations aren’t sure where to begin. Below, you’ll find the key steps to helping
organizations identify third-party relationships, understand the inherent risks, manage risk
exposure, and monitor changes and remediation efforts.


Step 1. Determine Your Risk Tolerance: How Much Risk is Too Much?
The first step in managing third-party risk is the same first step for general risk management–
determining a risk threshold. This risk limit is typically agreed upon by senior management and is
aligned with the organization’s existing strategies and policies. Without a defined risk target, an
organization could take on more risk than desired or minimize opportunities for improved business
performance due to overly risk-averse behavior.

As part of the process, organizations also need to identify their most-valuable assets, whether
it’s corporate/customer data, technology, or intellectual property. It’s critical that organizations
communicate to all employees the importance of protecting these identified assets. While not
every staff member should play the role of risk manager, ensuring a widespread understanding of
which assets should be vigorously protected will boost the success of risk management initiatives.

Step 2. Identify Sources of Risk: Putting Risk to a Name


Effective third-party risk management needs to encompass all third-party relationships, regardless
of size, location, or function. Organizations should develop and regularly maintain a list of all third
parties that includes:

• The nature of the relationship (vendor, contractor, service provider, supplier, etc.)
• Due diligence performed to date–financial stability, information security practices,
ethics and integrity, and regulatory compliance standings
• Which third parties are directly or indirectly involved with critical business processes,
information, systems, or supplies

QuestionPro Assessments Platform


Step 3. Understand Risk Exposure: Profiling Third Parties


Once the above list is created, the next step is to identify which third parties represent the greatest
risk to the organization. This process is not as obvious as it may seem. Many organizations assume
that the greatest risks are tied to partners who make the largest contributions to sales and
revenue, customer relations, or the delivery of key products and services. However, sometimes
a seemingly small third party can carry significant risk. As a best practice, organizations should
segment third parties based on degree of importance and potential risk to operations. Once this
tiered list is complete, the next step is to develop processes to ensure that the most critical third
parties are financially sound, well managed, process-oriented, and staffed with knowledgeable and
trustworthy people.

Finally, don’t forget to address partners with their own third-party relationships. Many third parties
rely on other organizations to provide services or technology (e.g., for cloud computing), and the
risk those vendors carry could impact the original organization’s risk posture.

QuestionPro’s Detailed Vendor Risk Scoring

Step 4. Manage Risk Exposure: The State of Affairs


It’s imperative that all third-party contracts closely align with an organization’s risk management
requirements. Existing contracts should be reviewed to ensure that expectations for information
security, regulatory compliance, and adherence to ethics statements are clearly defined. Liability
clauses, insurance requirements, and other standard risk mitigation mechanisms should be
thoroughly examined as well. During this process, organizations should work closely with their
legal team to address potential discrepancies.


When assessing the risk environment, another key step is to evaluate a third party’s information
security controls and business continuity plans. For example, does the partner have airtight
security measures in place to protect confidential data as if it’s their own? If an unplanned event
were to occur, such as a data breach, organizations need to understand to what point in time data
could be recovered, i.e. how much recent data could be lost (the RPO or recovery point objective), as
well as how quickly the business can be back up and running following the event (the RTO or
recovery time objective). These key target metrics are typically established during disaster recovery
planning and play a key role in developing effective third-party risk management controls.

Step 5. Monitor Third-Party Relationships: A Continuous Cycle


For most organizations, external risks increasingly exceed internal risks. Therefore, third-party
risk management should not be treated as a secondary item but rather, as a part of an overall
enterprise governance, risk and compliance (GRC) strategy. By combining risk management with
these activities, organizations can achieve visibility into links between business objectives, risks
to those objectives, and establish controls to mitigate risks. The end result is improved risk
awareness that positively impacts daily decision making and operations.

Operational environments can change quickly and therefore, it’s important to continuously
monitor and assess third-party relationships on a regular basis. However, not all relationships
should be monitored with the same frequency; third parties that pose the greatest risk to the
organization (in the top tier of the segmented list) should receive top priority.
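The five steps above as one worked example: an inventory record (Step 2), a tiering rule (Step 3), an RPO/RTO check against the organization’s tolerance (Step 4) and a review cadence by tier (Step 5). This is added illustration code, not the ebook’s or QuestionPro’s method; the record structure, tiering rule, review intervals, tolerances and sample vendors are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import timedelta

DUE_DILIGENCE_AREAS = ("financial", "infosec", "ethics", "regulatory")  # Step 2 areas
# Review cadence per tier: assumed values, not prescribed by the ebook.
REVIEW_INTERVAL = {1: timedelta(days=90), 2: timedelta(days=180), 3: timedelta(days=365)}

@dataclass
class ThirdParty:
    """One entry of the Step 2 inventory (hypothetical structure)."""
    name: str
    relationship: str          # vendor, contractor, service provider, supplier
    touches_critical: bool     # involved with critical processes, data or systems
    due_diligence: dict        # area -> True once reviewed and found satisfactory
    rpo_hours: float           # recovery point objective the contract commits to
    rto_hours: float           # recovery time objective the contract commits to
    subcontractors: list = field(default_factory=list)  # the partner's own third parties

def diligence_gaps(tp):
    """Step 2 areas not yet reviewed, or reviewed and found wanting."""
    return [a for a in DUE_DILIGENCE_AREAS if not tp.due_diligence.get(a)]

def tier(tp):
    """Step 3 segmentation: 1 = most critical. Relationship size is deliberately
    not an input; the ebook warns a small third party can carry significant risk."""
    gaps = diligence_gaps(tp)
    if tp.touches_critical and (gaps or tp.subcontractors):
        return 1
    return 2 if (tp.touches_critical or gaps) else 3

def continuity_findings(tp, max_rpo_hours, max_rto_hours):
    """Step 4: contracted RPO/RTO must not exceed the organisation's tolerance."""
    findings = []
    if tp.rpo_hours > max_rpo_hours:
        findings.append(f"RPO {tp.rpo_hours:g}h exceeds tolerance {max_rpo_hours:g}h")
    if tp.rto_hours > max_rto_hours:
        findings.append(f"RTO {tp.rto_hours:g}h exceeds tolerance {max_rto_hours:g}h")
    return findings

def monitoring_plan(inventory, last_review, max_rpo_hours=4, max_rto_hours=24):
    """Step 5: next review date per tier, highest-risk tier listed first."""
    plan = [{"name": tp.name, "tier": tier(tp),
             "next_review": last_review + REVIEW_INTERVAL[tier(tp)],
             "gaps": diligence_gaps(tp),
             "findings": continuity_findings(tp, max_rpo_hours, max_rto_hours)}
            for tp in inventory]
    return sorted(plan, key=lambda row: (row["tier"], row["name"]))

# Constructed sample inventory with fictitious names, not real vendor data.
ALL_OK = dict.fromkeys(DUE_DILIGENCE_AREAS, True)
SAMPLE = [
    ThirdParty("CloudHost Ltd", "service provider", True, dict(ALL_OK), 1, 8, ["DC Colo Inc"]),
    ThirdParty("Payroll Co", "vendor", True, {**ALL_OK, "infosec": False}, 24, 48),
    ThirdParty("Office Plants", "supplier", False, dict(ALL_OK), 0, 0),
]
```

Call `monitoring_plan(SAMPLE, some_date)` to get the prioritized schedule; the hosting provider lands in tier 1 purely because of its own subcontractor, which is the fourth-party point the ebook makes in Step 3.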

Conclusion
If an organization works with third parties, those relationships must be factored into an overall risk
management program, otherwise the understanding of risk is incomplete. By following the steps
outlined above, organizations will gain unprecedented visibility into all enterprise risk and will
maintain the confidence that critical and trusted third parties are delivering true business value.

Need Help Getting Started?


For organizations who want to get their third-party risk management program off the ground,
QuestionPro offers a Complimentary Discovery Call with a QuestionPro risk expert. During this
30-minute discussion, organizations will gain valuable insight into risk management best practices,
risk management requirements driven by top regulatory agencies, the steps to properly classify
and profile third-parties, and key questions to identify risk exposure. To take advantage of this
limited offer, contact us at 1(800) 531-0228 or visit www.QuestionPro.com.


About QuestionPro Assessments

QuestionPro is changing how businesses think about vendor risk.


The dramatic increase in regulatory requirements aimed at safeguarding consumer information has
forever changed the risk exposure landscape. Risk intelligence must be baked into every decision
a company makes.

Once the realm of data security and privacy specialists, risk exposure has worked its way into all
aspects of the enterprise. Procurement, Legal, and Client Management teams all have a vested
interest in understanding the level of risk inherent in their business relationships.

Expensive software, lengthy implementations, high maintenance costs, and systems that are
difficult to use have left many companies without the solutions and insights they need to run their
business.

Those days are over. QuestionPro has created an affordable, innovative, cross-enterprise
solution that produces on-demand IT risk intelligence. Through our patent-pending methods,
we standardize and quantify risk information, turning it into actionable risk intelligence for
real-time business decisions. We offer a software-as-a-service solution, so there is no software to
learn or install: just give us a list of vendors and we’ll provide you with scored reports and
dashboards. We also provide risk management tools through our portal that allow you to manage an
entire population from assessment through remediation and monitoring.

Led by a management team with extensive experience in every aspect of data security and privacy,
QuestionPro is transforming the way companies manage risk with their third parties/vendors.

Take us for a test drive. Call us now at 1(800) 531-0228 to set up a discovery call and,
if interested, we’ll even offer to generate a QuestionPro Assessment Vendor Report
for three of your third parties/vendors, at no cost.
Online Research Made Easy
Why more organizations are choosing QuestionPro

Superior Technology
The system has been designed from the ground up to accommodate the needs of anyone conducting
online research. Our simple interface, cutting edge features, and competitive price have landed us
in the top tier of web-based survey software providers. We truly believe that you will not find a
better value on the web today.

Reliability and Commitment
Our absolute commitment is to the success of our clients. We recognize what our clients need to
make their online research a success and we’re 100% focused on creating solutions that meet and
exceed these requirements.

Proven Track Record
Thousands of clients worldwide have chosen our system to conduct their online research.
Companies, both large and small, have chosen us as their trusted partner for conducting online
research.

Security
Our system adheres to the highest level of security standards on the internet. Data security and
privacy are addressed at all levels, starting with survey delivery all the way through protecting
your survey results.

Support
Our customers have access to an expert team of developers who are responsible for ensuring 100%
client success.

QUESTIONPRO
548 Market St #62790
San Francisco, CA 94104-5401 USA

USA: +1 (800)-531-0228
United Kingdom: +44 20 7193 4722
Germany: +49 30 9160 7401
Australia: +61 2 8005 0459
India: +1 (800)-123-0228
UAE: +971 58 882 1594