Professional Documents
Culture Documents
• Share risk and rewards with the vendor1 from efficiency to enhancement to transformation.2
Depending on the criticality of the relationship in
Specifically in the software services area, the value creation and its attendant risk, the third party,
relationship complexity increased as the expected for all practical purposes, became an integral driver
business value from the services grew in focus, of the host company’s destiny. Such relationships
sometimes are categorized in terms of structure
(e.g., collaboration, alliance, partnership, joint
venture) and, in other instances, they emphasize
the nature of products or services (e.g., facilities
management, human resource services, software
maintenance, telecommunications, logistics/
warehousing/distribution).
Vasant Raval, DBA, CISA, ACMA Samir Shah, CISA, CA, CFE, CIA, CISSP
Is a professor of accountancy at Creighton Is an executive director at Ernst & Young LLP. He
University (Omaha, Nebraska, USA). The has many years of experience in the IT risk, audit
coauthor of two books on information systems and governance-related practice areas. He can be
and security, his areas of teaching and research reached at samirnshahca@gmail.com.
interest include information security and
corporate governance. He can be reached at
vraval@creighton.edu.
opportunity for the host’s risk to be exposed by favorably impacting data breach consequences,
the vendor increases as well. When this happens, lowering risk of operational failures in a supply Enjoying
the emphasis on the third party diminishes greatly, chain, continuously monitoring vendor financial
this article?
for the hosts see the relationship as far more stability, and assessing the risk of governance and
closely tied to their own destiny than anticipated. regulatory disclosure.
• Read Vendor
It is as if a crucial part of the business’s success
Management Using
now resides in the vendor organization, making TPRM Methodology
COBIT® 5.
the vendor more of an “insider.” If some risk
Broadly, any risk management program is three- www.isaca.org/
materializes at the vendor level, depending on the
dimensional. It incorporates people (organization), vendor-management
nature of the relationship, cascading effects of the
compromise could engulf the host as well. This is process (operations) and technology (information
systems). Each is important to the TPRM goals • Learn more about,
considered a form of yet unaddressed or unknown
and plays a significant role in achieving the desired discuss and
“vulnerability inheritance,” triggering heightened
outcome.5 The TPRM methodology discussed here collaborate on risk
risk awareness at the host level.4 Risk in third-party
incorporates all three dimensions. management in the
arrangements of any form have always existed,
Knowledge Center.
but the mix, in terms of types and severity of risk,
To address risk exposures in TPRM environments, www.isaca.org/risk-
has been changing, leading to a reexamination
host companies consider the vendor as the target management
of the host-vendor relationship primarily from the
risk management perspective. Hence, the term of evaluation at the time of onboarding and on
“third-party management” is now more clearly an ongoing basis as well. For this, the host
emphasized as third-party risk management company should:
(TPRM). 1. Set up contract provisions (typically, in the
service level agreement [SLA]) to address risk-
related commitments
The focus of 2. Combine the vendor risk profile with the risk
profile of the engagement
multifaceted
3. Prepare for dynamic monitoring and risk
outsourcing assessment based on internal/external events
converges heavily on 4. Implement and use both traditional and
managing the risk innovative monitoring approaches for continuous
monitoring of the identified risk factors
exposures of the 5. Leverage technology solutions to integrate
relationship. procurement, performance and risk management
on a unified platform6
effectively manage. often do not quite fit the old templates. A mishap
at the third-party provider may spell new risk to
the seeker of services. To address dynamically
the changing risk scenario, an integrated risk
TPRM and Information Technology management platform is necessary. While
standards help guide the implementation of such
The rise of TPRM as a challenge probably took platforms, Statement on Standards for Attestation
place due to the now well-known hack of Target. Engagements (SSAE) 16/International Standard
While the IT-based Target compromise elevated on Assurance Engagements (ISAE) 3402 (the
TPRM to new heights in the information security revised standards for the earlier SAS 70) have
domain, many additional areas (e.g., supply chain known challenges with the coverage of a large
and logistics) are also managed through TPRM.7 And population of third parties and efficiency from
this, therefore, leads to the need for trust between time and cost perspectives. No matter how robust
the host organization and its stakeholders, including these assurance standards are, interorganizational
vendors. Presumably, the greater the criticality of dependencies are unique, and uniquely granular,
the service, the higher the need for trust, much as to a point where the solution requires customized
in the authentication of people or devices. Without due diligence. A contractual shared solution across
trust, not much can be considered in equilibrium in all vendors may not be enough, for “nothing in
the relationship. When Amazon cannot find enough business operations remains in a steady state….”9
digital streaming capacity between 11:00 p.m. and A force majeure clause in the SLA does not save
2:00 a.m. to serve Netflix customers, would Netflix either party from disasters.
Third Party
Host Dependencies
Vendor
Vendor Risk Vendor Engagement Preparedness for
Profile Risk Risk Response
Potential Vulnerability
Inheritance
Capability Maturity
Trust Level
Models
Enabler Technologies
(e.g., TPRM utility platforms)
Contract
Monitoring
Review, Evaluation