3 Ways to Start Modernizing Third-Party Risk Management
If you’re in charge of third-party risk for your business, there are some emerging trends that might keep you up at night.
In our recent survey of more than 500 InfoSec and Risk Management decision-makers, we learned that:
- 68% of respondents have experienced a recent breach (vs. 55% in 2023)
- 88% report this breach was the result of a third-party vulnerability (vs. 77% in 2023)
- 50% of companies work with 100 or more vendors (vs. 38% in 2023)
- 93% of companies aren’t assessing as many vendors as they’d like, and 96% aren’t doing the depth of assessment they’d like due to resource constraints
In short, the average company can’t perform the vendor security assessments it needs, yet it is working with more vendors, taking on more risk, and experiencing more breaches as a result. Something isn’t working in the common approach to third-party risk management (TPRM).
Consequences of the status quo in third-party risk
When businesses are forced to cut corners on vendor security assessments and assume more risk, it’s often because they are stuck in what’s called a “legacy” approach to third-party risk management. Legacy TPRM relies exclusively on questionnaire-based assessments, which are highly manual: sending the questionnaire, back-and-forth with the vendor, and sifting through documents line-by-line—if there is a response at all.
This legacy approach:
- Doesn’t scale—Manual processes make it impossible to keep up with increased demand.
- Consumes time and resources—The bulk of your finite capacity goes to administrative tasks.
- Creates longer purchasing cycles—These delays mean it takes more time and energy to get business units the valuable tools they need.
- Doesn’t utilize a wide range of vendor info/documents/data—When your process is built entirely around questionnaire responses, it becomes difficult to incorporate a wider variety of security insights into your decision-making.
- Causes vendor fatigue—Vendors receive dozens, hundreds, or even thousands of questionnaire requests, and their own manual processes make it impossible to respond to every individual questionnaire, so you may never get all the answers you need.
And of course, your business is less secure because you’re managing questionnaires instead of managing risk.
Modernizing the TPRM Process
Okay, so we need to move away from “legacy TPRM”...what does that actually look like in practice? Modern TPRM combines sound, fundamental processes and access to a wider variety of data sources with the automation possible through AI. The key outcomes of Modern TPRM are:
- More assessments—Stop cutting corners on the number of vendors you assess and taking on unnecessary risk.
- More effective process—Improve the efficiency and pace of your TPRM.
- Reduced costs—Greater efficiency reduces waste, and the increased pace of assessments means your team can accomplish more without additional headcount.
- More in-depth insights—Access a wider range of security data to make smarter purchasing decisions.
- More risk mitigation—The time and resources saved on manual assessments can be applied to actually managing risk (instead of managing emails, links, and spreadsheets).
Building the foundations of Modern TPRM
Modern TPRM isn’t a total reinvention of vendor risk management; it’s still essential to have a strong foundation in place that can be built on with new approaches and AI automation. The core pillars of Modern TPRM include:
- Defined workflows—Clearly defined roles and responsibilities coordinating all business units in the TPRM process (e.g. InfoSec, IT, Procurement, Risk, and Compliance)
- System of record—Centralized information for easier communication and collaboration
- Continuous monitoring—Move beyond the “point-in-time” view of the assessment and collect ongoing data from high-risk vendors. Outside sources like RiskRecon can provide support for continuous monitoring, and specific contract language with high-risk vendors can also expedite routine reassessments.
Taking the next step
These foundations are a start, but for many organizations, it can feel like a big leap from sound principles to fully automated vendor security assessments. What needs to be in place in order to make that jump?
Below, we’ll discuss three things your organization can start doing today to begin the transition to Modern TPRM. But it’s worthwhile to understand what the finished product looks like, so it can guide you on the journey. Fully realized Modern TPRM is built from these components:
- Dual-sided information exchange—Evolve past the questionnaire-only assessment to easily exchange public and private trust center data, security documentation like a SOC 2, and even responses to completed questionnaires proactively with your vendors.
- Trained AI models—The pipeline of information you create through a dual-sided exchange is combined with your security controls and requirements to train an LLM-based system on your environment. Generative AI then makes the collected documentation queryable in plain language.
- Automated assessment engine—You can now import your customized questionnaires into the Modern TPRM framework, and AI can identify context-rich responses from many available data sources simultaneously. The AI engine also provides document citations and source materials, so a reviewer can verify each answer against the underlying evidence rather than trusting the summary; summarizes complex reports (so you don’t have to manually); and analyzes the overall security posture of your vendor.
To recap, fully realized Modern TPRM:
- Broadens the scope of usable vendor-security data
- Uses your specific controls and requirements to define security thresholds
- Leverages AI trained on your controls to analyze vendor data and automate the assessment
Getting started on modernizing third-party risk management
Shifting your approach to such an important business function doesn’t happen overnight. And it pays to evaluate developments in AI to find the right fit for your organization (more on that below). But there are some important steps you can take right now to get the journey started.
1. Identify the friction in your processes
TPRM is growing in complexity as the reliance on vendors increases. This complexity manifests in several ways:
- Inconsistent procurement processes and easy access to applications mean shadow IT is still a problem; this leads to poor visibility into your vendor ecosystem.
- More teams involved in the purchasing process and greater scrutiny from senior leaders place a premium on streamlined communications and reporting capabilities.
- Decentralized security information means that assessments involve copious manual wrangling from multiple systems; often, valuable decision-making info is missed entirely.
If you’re experiencing any or all of these challenges, the move to Modern TPRM will be harder. Focus first on building and reinforcing a consistent, organization-wide approach to TPRM that includes:
- Program governance—Establish an oversight plan for TPRM to determine lines of accountability and communication, generate reporting for continuous improvement, and remain compliant with regulatory requirements.
- Policies, standards, and procedures—Document your approach to risk identification and assessment, mitigation and control, crisis and incident response, and vendor relationships.
- Risk ranking—Understand the risk factors that most impact your business, create a consistent rubric for assigning risk levels to potential and existing vendors, and define due diligence practices for vendor selection.
- Program management—Determine the key stakeholders in your TPRM process, define key performance indicators (KPIs) to track and drive success and improvement, and build transparent lines of communication.
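A concrete way to make the risk-ranking pillar above "consistent" is to encode the rubric rather than leave it to judgment on each intake. The following is an added example written for this article, not Whistic's code or method; the four factors, their weights, the tier cut-offs, the floor rules and the due-diligence requirements are all assumptions chosen for illustration, as are the three sample vendors. The design point it shows is that a weighted score alone can average a single severe factor away (a low-footprint tool that nonetheless holds regulated data), so the rubric applies hard floors after scoring.

```python
"""Inherent-risk tiering rubric for vendor intake (illustrative, not Whistic's)."""
from dataclasses import dataclass

# Ordinal scales, 0 = least risky. Scales, weights and cut-offs are assumptions.
DATA = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS = {"none": 0, "read": 1, "write": 2, "admin": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
INTEGRATION = {"none": 0, "api": 1, "sso": 2, "network": 3}
WEIGHTS = {"data": 0.40, "access": 0.25, "criticality": 0.20, "integration": 0.15}
TIERS = ["low", "medium", "high", "critical"]  # ordered least to most risky

# Due diligence owed per tier (assumed policy): evidence to collect and reassessment cadence.
DUE_DILIGENCE = {
    "low": {"evidence": ["public trust center review"], "reassess_months": 36},
    "medium": {"evidence": ["SOC 2 Type II or ISO 27001 certificate"], "reassess_months": 24},
    "high": {"evidence": ["SOC 2 Type II", "pen test summary", "targeted questionnaire"],
             "reassess_months": 12},
    "critical": {"evidence": ["SOC 2 Type II", "pen test summary", "full questionnaire",
                              "contractual security terms", "continuous monitoring"],
                 "reassess_months": 6},
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data: str          # highest data classification the vendor will hold
    access: str        # level of access granted into our systems
    criticality: str   # business impact if the vendor is unavailable or compromised
    integration: str   # how deeply the vendor connects to our environment

    def __post_init__(self) -> None:
        # Fail intake early on an unknown factor value instead of silently mis-scoring.
        for field, scale in (("data", DATA), ("access", ACCESS),
                             ("criticality", CRITICALITY), ("integration", INTEGRATION)):
            if getattr(self, field) not in scale:
                raise ValueError(f"{self.name}: {field}={getattr(self, field)!r} "
                                 f"not in {sorted(scale)}")


def score(v: Vendor) -> float:
    """Weighted inherent-risk score normalized to 0..100."""
    raw = (WEIGHTS["data"] * DATA[v.data]
           + WEIGHTS["access"] * ACCESS[v.access]
           + WEIGHTS["criticality"] * CRITICALITY[v.criticality]
           + WEIGHTS["integration"] * INTEGRATION[v.integration])
    return round(raw / 3 * 100, 1)  # max raw value is 3 (every factor at its top)


def tier(v: Vendor) -> str:
    """Tier from score, then raised to any floor a single severe factor imposes."""
    s = score(v)
    by_score = "low" if s < 25 else "medium" if s < 50 else "high" if s < 75 else "critical"
    floor = "low"
    if v.data == "regulated" or v.access == "admin":
        floor = "high"  # never let a low footprint average away regulated data or admin access
    if v.data == "regulated" and v.criticality in ("high", "critical"):
        floor = "critical"
    return max(by_score, floor, key=TIERS.index)


def assess(v: Vendor) -> dict:
    """Intake result: score, final tier and the due diligence that tier requires."""
    t = tier(v)
    return {"vendor": v.name, "score": score(v), "tier": t, **DUE_DILIGENCE[t]}


# Constructed sample vendors (not real companies or survey data).
PAYROLL = Vendor("payroll-saas", "regulated", "write", "high", "sso")
ANALYTICS = Vendor("web-analytics", "public", "read", "low", "api")
SURVEY = Vendor("hr-survey-tool", "regulated", "none", "low", "none")

if __name__ == "__main__":
    for v in (PAYROLL, ANALYTICS, SURVEY):
        print(assess(v))
```

The third sample vendor is the interesting one: its weighted score lands in the "medium" band, but because it holds regulated data the floor rule raises it to "high" and pulls in the corresponding evidence and 12-month reassessment. Tune the weights, cut-offs and floors to your own risk factors, but keep the floors; they are what make the rubric defensible when a reviewer asks why a small vendor got a large assessment.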
2. Evaluate your existing tools/solutions
Before we dive into this step, it might be helpful to take a look at another set of related trends from our survey data:
- 88% of companies are using some kind of tool to assist in their vendor assessments
- 72% of vendors proactively share some or all of their security posture publicly
- 95% of companies say this pre-existing information is enough to start an assessment
I’m sure you’re wondering, “So what? What do these have to do with Modern TPRM?” Well, if so many vendors are sharing information, and so many buyers are willing to use it, and so many of them also have a tool that is supposed to help them use it…why do 93% of companies say they don’t have the resources to do all the assessments they want?
It’s often because their tool doesn’t help them centralize a wide range of security data or analyze that data automatically. Without easy, thorough access to the data they need, vendor risk management teams are stuck with the questionnaire-only approach. It’s either that or go hunting, line by line across multiple documents and repositories, for the answers they need.
It always pays to scrutinize your tech investments. When evaluating your TPRM tools, ask:
- Are we using every available feature of this solution to its fullest? Secondary functionality is often overlooked, meaning software capabilities go underutilized.
- Is my assessment tool attuned to my security posture? If your tool isn’t adaptable to your specific controls, it can’t help you analyze data. It may be nothing more than a glorified document repository.
- Is this tool the right fit for my organization? Many companies “over-buy” software; an enterprise-level GRC tool may not be nimble enough for small or medium-sized businesses, or they may require onerous configurations.
- Is automation an option? If your tool can’t help you automatically synthesize information from multiple sources, it may hinder your road to Modern TPRM.
3. Develop a strategic organizational view of AI
There’s no way around it: AI is critical for Modern TPRM. LLMs and generative AI are what make it possible to train a system on your specific security controls, pull insights from a wide variety of sources, understand the intent of your customized security questionnaires, identify the right evidence from all available data, and respond in plain language.
AI isn’t “new” technology by any means, but there is a “gold rush” feverishness to the constant AI barrage. It’s not an easy landscape to navigate, but with AI proliferating, your business needs a strategic outlook. If you’re just dipping a toe into the AI waters, here are a few questions you should be able to answer before making an investment:
- How is AI used in this product? Your vendor should be able to get very specific (and put it in writing) about exactly what the AI is doing and how it’s doing it.
- Was AI used in the development of this product? AI-assisted coding is now a large part of software development, so make sure you have clarity on how your solution was built and reviewed.
- How is the AI model trained? Understand the data sources that inform the AI model—and have clarity on whether your data is used to train the system for other customers.
- What controls do I have over AI capabilities? You should be able to customize the amount of data the AI engine can draw from, validate any outputs from the system, and cordon off any proprietary data you choose.
Turn legacy TPRM into a modern, automated assessment engine
If you’re tired of taking on unnecessary risk, begging for questionnaire responses, and neglecting true risk mitigation because of endless manual administrative tasks, then you’re ready for Modern TPRM.
Whistic’s AI-powered platform makes it possible for buyers to assess all the vendors they want in greater detail, without additional time or resources (use those to actually mitigate risk!), through our newest suite of capabilities: Assessment Copilot.
Assessment Copilot builds on the foundational TPRM pillars with solutions focused entirely on a modern approach to vendor assessments:
- SOC 2 Summary: Create a summary with a click of a button to extract key details and risk insights from SOC 2 audits, eliminating the need to read lengthy reports.
- Vendor Summary: Using a vendor's documentation or trust center, quickly identify, assess, and measure risk and compliance against your controls.
- Automated Review: Click to generate a vendor’s final assessment report, review the findings, and make a risk-based decision informed by AI insights and automation.
If you’d like to learn more about how Whistic’s industry-leading AI can transform your TPRM, schedule a 30-minute demo and we’ll show you the Whistic difference.