3 min read · Wed Jan 26 2022
How Procurement, Risk Management and TPRM can collaborate against cyber risks
You might have heard about the friendship between the Procurement and Risk Management (RM) departments. TPRM, or third-party risk management, is the new kid on the block. If you're still not convinced, there are a few good reasons to become friends with TPRM:
- It reduces the burden on your Procurement and RM teams and processes.
- It has an impact on your credibility in the market as an organization.
- It makes a competitive difference in the market when you are a vendor or service provider with a good security rating.
- It helps to have an informed discussion at a board level about your organization's cybersecurity posture.
In this article, the focus is on the first point. On the one hand, we consider the individual viewpoints of the teams responsible for vendor selection, due diligence, onboarding, and monitoring. On the other hand, we will share a view on how Procurement, RM, and TPRM could collaborate to better protect the business from cyber risks.
It is common for the above vendor management responsibilities to be shared and split between the Procurement team/department and the RM team/department. However, some organizations manage third parties in a separate team, which can result in a siloed approach to managing third parties instead of a coherent end-to-end process.
Procurement teams that manage business partner/vendor relationships are core to the smooth functioning of any business. Inside the organization, procurement plays a key role in aligning the business's risk appetite with how third-party risk is managed.
The collaboration between these two teams has historically protected the business from risk.
Criteria to integrate TPRM, risk management and procurement
Fast forward to the current context: third-party cybersecurity threats and pandemic-driven supply chain failures, compounded by increasing regulatory scrutiny over third-party risk management and by faulty vendor risk management processes.
Given this volatile context, we can all understand why the new kid on the block, TPRM, is not easy to befriend. This article shares the view that to mitigate the increasing cyber risk, it is important to develop and integrate TPRM alongside Risk Management and Procurement.
Now, there could be as many approaches to managing risk as there are organizations. What works for one might not work for another. Therefore, here are a few criteria to consider for your organization:
- Build on the three lines of defense organizational set-up, or on your existing risk framework, to get a coordinated approach to TPRM. In a framework approach, IT security, finance, legal, and risk are each handled within the existing set-up rather than in a new silo.
- Introduce early IT security due diligence, starting from the vendor selection phase, while respecting the as-is organizational set-up and maturity of the Procurement and Risk departments.
- Perform a risk analysis during the vendor onboarding phase, mapping the different risk levels and assigning risk ownership.
- Regularly monitor the high and medium risks to ensure that they are still within the business's risk appetite.
- Use the outcome of that monitoring to decide whether a risk needs to be escalated to higher management, or even whether the contract with the vendor should be terminated.
As with any organizational change, it can take a while for organizations to find their way to what works best for their business context. So the sooner TPRM is introduced, the more time the organization has to iterate and improve how cyber risk is managed.
If you need help getting started, Ceeyu can support you in taking the first steps. Connect with us via [email protected]