The Evolution, Challenges, and Future of Third-Party Risk Management

(July 24, 2024)

In recent years third-party risk management (TPRM) has become a critical focus for organizations worldwide. Amar Badri, a seasoned technologist with nearly three decades of experience, currently working within Technology/Cybersecurity Risk Management at Mastercard, shares his insights on the evolution, challenges, and future of TPRM. 


The Evolution of Third-Party Risk Management

Historically, third-party risk management was a straightforward process known as supplier or sourcing management. This involved bespoke questionnaires and occasional site visits to assess potential suppliers. However, the landscape has changed dramatically. Today, TPRM is a complex and multifaceted discipline that is deeply integrated into the core operations of any business. Key drivers of change include: 

Global Supply Chains: Modern businesses are inherently global, sourcing materials and services from a vast network of suppliers worldwide. This globalization has introduced numerous complexities, including regulatory compliance, geopolitical risks, and ethical standards. 

Increased Focus on Security and Privacy: With the rise of high-profile data breaches and stringent regulatory requirements, security and privacy have become top priorities for businesses. TPRM now involves extensive assessments of a supplier's cybersecurity posture and data protection practices. 

Regulatory and Industry Standards: Industry frameworks and regulations have significantly expanded their focus on TPRM. Frameworks such as NIST CSF and ISO 27001 now dedicate substantial sections to third-party risk, reflecting its critical importance in maintaining a robust cybersecurity posture. 

Challenges and Best Practices in TPRM 

The complexity of managing third-party risks cannot be overstated, and realistically it is not only third parties: fourth- and fifth-party suppliers, and so on down the chain, are in scope too. From global sourcing to regulatory compliance, businesses face numerous challenges in ensuring their supply chains are secure and resilient.

Key Challenges in TPRM include: 

  • Global Complications: Businesses must navigate a myriad of global challenges, including sanctions, ESG (Environmental, Social, and Governance) concerns, and ethical standards. These factors add layers of complexity to TPRM. 
  • Multi-Tier Supply Chains: Risk management extends beyond direct suppliers to include sub-suppliers and further down the supply chain. Understanding and mitigating risks at every level is crucial. 

Best Practices in TPRM include:

  • Thorough Risk Assessments: Begin with a comprehensive understanding of the engagement and conduct detailed risk assessments. Evaluate the risk posture of each third party and their sub-suppliers. 
  • Focused Due Diligence: Tailor the due diligence process based on the nature of the engagement. For engagements involving data, particularly sensitive data, conduct deep dives into data protection practices.
  • Embrace Industry Frameworks: Utilize established industry frameworks like NIST CSF and ISO 27001. These frameworks provide structured processes and controls that can significantly enhance an organization’s TPRM efforts. 

The Role of Technology and Human Intelligence 

While automation tools play a crucial role in TPRM, human intelligence remains indispensable. Automated tools can streamline processes and provide valuable data, but the interpretation and application of this data require human expertise. In Badri’s own words, “tooling alone is not going to suffice.” 

Human Element in Risk Management: Despite advancements in AI and machine learning, the human element is essential in making informed decisions. Combining automated insights with human expertise ensures a more robust risk management strategy. 

Continuous Learning and Adaptation: The TPRM landscape is constantly evolving. Professionals must stay updated with the latest trends, tools, and best practices to effectively manage third-party risks. 

The Career Path in Third-Party Risk Management 

In discussing TPRM, it’s important to note the career opportunities as well. Badri shared that a career in TPRM offers a unique blend of opportunities and challenges. It is a specialization within enterprise risk management that touches on various aspects of a business, including security, financial health, and data governance. Professionals in this field need a broad understanding of these areas and must collaborate extensively across the enterprise. Key opportunities include: 

  • Broad Scope of Learning: TPRM professionals gain insights into multiple facets of the business, making it an excellent career path for those who enjoy continuous learning and cross-functional collaboration.
  • Diverse Career Options: With experience in TPRM, professionals can branch into various directions within risk management, cybersecurity, and compliance, leveraging their comprehensive understanding of enterprise operations.