Risk assessments essential to secure third-party vendor management

Kassidy Kelley

Associate Site Editor

21 Nov 2018

How does the level of risk for a company cafeteria’s online lunch menu compare to that associated with a cloud-based backlog of personal employee information? If you said something along the lines of, “It’s blatantly obvious,” you have the right mindset for vendor security management, according to experts at the Infosecurity North America conference in New York earlier this month.

Third-party vendor risk management strategies are not universal, and companies are responsible for putting their own spin on third-party security management, according to panelists at a session titled “Two Points of View: Third Party Risk Management.” The most essential tool when assessing and monitoring vendor risk is companies’ own due diligence.

Frank Roppelt, senior manager of security policy and vendor risk at TD Ameritrade, based in Omaha, Neb., told attendees that due diligence begins with assessing the level of vendor-associated risks by understanding what business process the vendor improves, what information they’re handling and the threat implications created by their access to your data.

“We all know that two companies that are doing two completely different things, their threats don’t mean the same thing,” Roppelt said.

Consider two different third-party vendors: One hosts your lunch menu on its platform, and the other hosts personal information of clients or other restricted information. If both of those vendors were breached or shut down, the impact would be wildly different.

It’s up to the company to determine, assess and manage each individual third-party vendor’s risk profile. Companies that treat third-party vendor management as a one-size-fits-all approach may end up spending too much — or not enough — resources protecting vendors with vastly different risk profiles, panelists added.

Critical vs. high risk

If you need a starting point for this due diligence, Roppelt suggested sorting your vendors into two categories: high-risk and critical vendors. High-risk vendors include those who bring inherent risk into an enterprise simply because of the data they collect, their regulatory impact or connectivity vulnerabilities. Critical vendors are those who are essential to a business process, or that support a core function of service.

Roppelt recommended a twofold solution that begins by giving vendors a questionnaire that covers the following factors:

  • Network connectivity. Are they cloud-based? What controls does the vendor have?
  • Essentiality. Are they handling data you could be handling yourself?
  • Business impact. If the vendor was shut down for a day, what impact would the shutdown have on your operations?
  • Financial, reputational, compliance. What regulatory and legal risks does the vendor potentially pose to the organization?

Once you’ve assessed what data the vendor will handle once its services are integrated into your environment, sort the vendors into high-risk or critical vendors. Then, build a risk heat map that organizes vendors into low, medium and high risk based on their answers to the questionnaire. Once vendors are sorted by risk profile, you can allocate resources to the vendors that warrant them.

“You need to have an objective approach, and it has to be standardized. You can’t go into an engagement thinking, ‘We think it’s high risk,’ without knowing why,” Roppelt said.

Extended parties

“Third-party risk management is a combination of all your other risks — you just make a decision to outsource it.”
Michael Beck, head of global supplier assurance at Barclays

Michael Beck, head of global supplier assurance at Barclays, based in London, noted that shadow IT and fourth-party risk further complicate third-party vendor management. Here, due diligence requires extending oversight to several outside parties.

“You need to think about, where is my data? Is my data going to reside in any of those 30 companies?” Roppelt said.

The panelists noted that fourth- and fifth-party vendor management is a new reality. Most companies do business with other companies and must now think about the extended business network the enterprise enters when using third-party vendor services.

These extended networks are basically granted access to your enterprise, with no ability to oversee or hold them accountable, because “that fourth or fifth party doesn’t sign a contract with you,” Roppelt added.

Create an exit strategy

Once you’ve organized vendors into risk categories, mapped their extended reach and analyzed their importance in your network, the next step is to consider the worst-case scenario. The panelists noted that you can’t figure out how a vendor failure will affect you in the midst of an incident; you need to have a plan in place beforehand.

Many companies treat third-party vendor management as a one-size-fits-all approach, which may lead to spending too much — or not enough — on protecting vendors with vastly different risk profiles.

With that said, Trade Conferences International will be hosting the first Third Party Risk Management 2019 Conference in South Africa on 19-20 March 2019. Professionals dealing with sourcing, vendor management, procurement, compliance, KYS/KYC, regulation, innovation, reporting, financial crime, monitoring and control, risk management, cyber security, identity management, legal affairs, fraud, auditing, forensics, information technology, data management, financial regulation and supervision, financial surveillance, assurance, transactional monitoring, treasury, shared services, contract management and supply chain will benefit greatly from attending this conference.

Alternatively, contact Portia Dhlamini on 011 803-1553/ portia@tci-sa.co.za