TPRM How-To: Risk Ranking, Assessment, and Remediation
Say you are prescribed some medication. Your doctor mentions that this particular medication sometimes causes nausea, so she recommends taking it with food rather than on an empty stomach. In this situation, you need the medicine to feel better; the medicine comes with the risk of discomfort; and the nature of that risk dictates a specific mitigating action.
It's not a perfect analogy, but third-party risk management has important parallels to this medicine example. Businesses depend on their relationships with third parties to grow, but risk is often a side effect of these third-party interactions. You have to understand the type and severity of the risks to know what actions to take to protect against them.
A good TPRM program operates in exactly this way. While every step in the process is important, today we're going to focus on how your organization categorizes vulnerability through risk ranking, identifies third-party risks through security assessments, and takes action to protect itself through remediation.
What is Risk Ranking?
Risk ranking is the process of categorizing vendors and third parties into tiers of risk, determined by a set of criteria that reflect the needs and circumstances of your business. Developing a risk ranking discipline for your organization:
- Creates a consistent rubric for understanding risk in your third-party ecosystem, so you don't have to reinvent the wheel for every new vendor
- Ensures you are properly weighting the right controls and requirements for your business, so you can allocate security resources effectively
- Increases visibility and threat awareness, so you can create commensurate assessment, monitoring, and remediation processes
- Makes it easier to automate and scale your TPRM program as your needs evolve
How Do You Create a Risk Ranking Methodology?
Because every business is different, it's important to take the time and rigor necessary to understand the key factors that drive risk in your organization. Still, the most effective approaches to risk ranking share four common characteristics:
1. Strong vendor profiles and vendor inventory
Your risk-ranking methodology will depend on the quality and consistency of the data you collect from your third parties. Thorough vendor profiles provide a detailed snapshot of your third-party relationships and include:
- A list of the systems the third party has access to
- Data volume—how much data are you sharing?
- Data classification—what kinds of data are you sharing?
- Criticality—how important is the third party to the functioning of your business?
A vendor inventory is a complete list of third parties you work with, and it can be combined with vendor profiles. This information will help you develop the right ranking criteria.
2. Alignment with the vendor intake process
To ensure you are consistently collecting the data you need from every vendor, it's important that your vendor profiles and risk ranking align with your vendor intake process.
Many organizations struggle to build effective vendor profiles because disparate business units each own a portion of vendor onboarding. In many cases, these business units only collect data that is relevant to them. For example, Procurement may only focus on contract terms, Finance on payment methods, or IT on compliance. This leads to incomplete, fragmented vendor data—not to mention a time-consuming process.
Audit your existing intake process to understand which team typically interacts with third parties first; they can help streamline the process by collecting all important data with a single touch. Provide the organization with a detailed intake policy that clearly defines the types of data that must be collected before a new vendor can be added, and make sure your risk team supports any organizational change with training materials.
3. A scoring system that makes sense
In order to rank your vendors into tiers of risk, you'll need to develop a formula that generates consistent, understandable scoring. This scoring will be organized into distinct categories, and these categories should be weighted for importance based on the specific drivers of risk for your business.
There are any number of reasons your scoring system may be complex—certain controls may carry more weight for regulatory reasons, as an example—but simple, straightforward tiers can be every bit as effective. If you're just getting started with your program, designate each third party as High, Medium, or Low risk based on the data you collect to build vendor profiles.
For example, a vendor might be defined as "High Risk" if they:
- Have full system access
- Have access to data that is classified as "Confidential"
- Have access to data volume exceeding 1,000 records
- Are considered "Mission Critical" to your business
Whatever ranking criteria you decide on, make sure it accurately defines your tolerance and weighs it against your needs and resources. If your scoring system over-indexes for high risk, that might mean your scoring needs an adjustment. You may end up spending more time and effort on management than is necessary—or even possible, depending on your constraints.
If you've taken the time to develop a strong vendor intake process, the scoring system will reflect your most important risk factors, which makes it effective. But it's also simple enough to quickly digest and organize, so it's easier to act on.
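As an added worked example (not code from this post or from Whistic's product), here is one way to turn the High/Medium/Low rubric above into a weighted score per vendor profile, with a check for the scoring over-indexing on High that the caveat above warns about. The weights, bands, tier thresholds, per-tier reassessment cadence and sample vendors are all assumptions.

```python
from dataclasses import dataclass
# Constructed weights and bands for illustration (assumptions, not Whistic's
# formula); tune them to the drivers of risk in your own business.
WEIGHTS = {"access": 3, "classification": 3, "volume": 2, "criticality": 2}
ACCESS = {"none": 0, "limited": 1, "full": 3}
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 3}
CRITICALITY = {"low": 0, "important": 1, "mission_critical": 3}
CADENCE_DAYS = {"High": 90, "Medium": 180, "Low": 365}  # assumed reassessment cadence per tier

@dataclass
class VendorProfile:
    name: str
    system_access: str        # "none" | "limited" | "full"
    data_classification: str  # "public" | "internal" | "confidential"
    record_volume: int        # number of records shared with the vendor
    criticality: str          # "low" | "important" | "mission_critical"

def volume_band(records: int) -> int:
    """Band the shared data volume; the page's example puts the high mark at 1,000 records."""
    return 3 if records > 1000 else 1 if records > 0 else 0

def risk_score(v: VendorProfile) -> int:
    """Weighted sum of the four profile factors (0..30 with the weights above)."""
    return (WEIGHTS["access"] * ACCESS[v.system_access]
            + WEIGHTS["classification"] * CLASSIFICATION[v.data_classification]
            + WEIGHTS["volume"] * volume_band(v.record_volume)
            + WEIGHTS["criticality"] * CRITICALITY[v.criticality])

def tier(score: int, high: int = 21, medium: int = 9) -> str:
    """A vendor meeting all four of the page's High criteria scores 30 and lands in High."""
    return "High" if score >= high else "Medium" if score >= medium else "Low"

def rank_vendors(vendors, high_share_limit: float = 0.4):
    """Tier every vendor; also flag when High over-indexes, a sign the weights need re-tuning."""
    ranked = {}
    for v in vendors:
        score = risk_score(v)
        t = tier(score)
        ranked[v.name] = {"score": score, "tier": t, "reassess_days": CADENCE_DAYS[t]}
    high_share = sum(r["tier"] == "High" for r in ranked.values()) / max(len(ranked), 1)
    return ranked, high_share > high_share_limit

# Constructed sample inventory (not real vendors); two of four land in High, tripping the flag.
SAMPLE_VENDORS = [
    VendorProfile("payroll-saas", "full", "confidential", 50_000, "mission_critical"),
    VendorProfile("ticketing", "full", "confidential", 500, "important"),
    VendorProfile("analytics", "limited", "internal", 200, "important"),
    VendorProfile("newsletter", "none", "public", 0, "low"),
]
```

Calling `rank_vendors(SAMPLE_VENDORS)` returns each vendor's score, tier and reassessment interval, plus a flag that is set here because half the inventory scored High.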
4. A single system of record
We've already discussed how fragmentary third-party onboarding can be. But when different teams collect different snippets of data, they also usually store that data in several different systems. This can make it very challenging to view holistically or develop consistent criteria for ranking.
All vendor data should be stored in a single system with controlled access, so InfoSec can maintain greater visibility, reduce the number of "owners" in the vendor onboarding process, and make it simple to organize vendors by type.
How Does Risk Ranking Support Security Assessments and Remediation?
Your ranking formula helps you look objectively at your environment and say, "Here's where risk might occur and here's how serious it would be if it did." Based on this degree of risk, you know exactly what kind of vendor security assessment is appropriate to identify trouble spots and take action to protect against them.
The right assessment for the right risk
In other words, a consistent scoring system for risk ranking dictates the questions your vendor needs to answer so you can move forward with confidence.
If you don't have strong risk ranking, it can be very easy to focus on the wrong kinds of assessments and overlook a critical vulnerability. If you know you have strong doors but creaky windows, it's more important for your vendor to have strong window protection than door protection. A security assessment that only focuses on doors will miss the mark.
Your security assessment process should correspond to your risk categories and include:
- Questionnaire type—Decide which questionnaire is appropriate for your needs; can you rely on industry standards, or is a customized questionnaire necessary?
- Frequency of assessment—How often should you reassess a third party based on their risk score?
- Review type—What kinds of additional information do you require to validate the assessment? This could mean specific documentation for key controls, attestation, or even on-site inspection.
- Issue focus—How are you tracking the issues that might arise from security assessments?
Building blocks for your remediation plan
Once you've conducted the right security assessment based on the risk ranking of your vendors, you can ensure you have the proper remediation plan in place. Again, the specifics of your process will depend on your organization's needs, but these common elements form a solid foundation:
- Issue inventory—Much like your vendor inventory, you'll want to create an ongoing list of the risks that surface during security assessments. If you've been consistent with your ranking, this inventory will make it easier to allocate proper resources to issue management.
- Documentation—Once you've cataloged the risks, it's important to document an issue management plan, including controls and mitigation tactics for known vulnerabilities.
- Centralization—A single system of record increases visibility for your InfoSec team. The right TPRM platform can serve as the hub of your entire risk management process, including issue management.
- Stakeholder engagement—Maintain regular communication with both external, third-party stakeholders and internal business partners that utilize the vendor.
- Regular reporting—Awareness and visibility are your greatest assets when it comes to ongoing risk management. Maintain a consistent cadence of reporting on potential vulnerabilities and share them with stakeholders. Consider a TPRM solution that will allow you to customize and automate your reporting process.
Combine Risk Ranking and Assessments in a Single, Powerful Platform
At Whistic, we've helped many customers build strong third-party risk management programs based on five essential pillars: vendor profiles, vendor inventory, risk ranking, assessment, and remediation.
We also understand there are many ways you might choose to manage these in your own organization. But if you've developed discipline around your process, there are many good reasons to consider a software solution like Whistic Assess:
- Automate the process—Our customers have access to more than 40 industry-standard questionnaires and frameworks. Whistic incorporates your risk ranking formula to automatically issue the right assessment to the right vendor. You can also proactively assess vendors in the Whistic Trust Catalog, so you don't have to wait weeks or months for responses.
- AI-powered insights—Contextual smart search in our AI-driven Knowledge Base makes it easy to quickly find specific security documentation instantly.
- Single source of truth—Whistic is an all-in-one TPRM platform that can help you manage everything from vendor intake and inventory to remediation and issue management. Having all these tools in a single solution makes it easy to generate reporting, communicate with stakeholders, or even share your own security posture with Whistic Profile.
- Integrations with the tools you use most—With Whistic, you don't have to transform your entire program to start realizing value. Our platform uses APIs to seamlessly integrate with the tools you use most, like Salesforce, Slack, or marketplaces like G2. We work the way you work.
Whistic also supports our software with professional services, so even if you're just getting started, we'll help you:
- Identify key drivers of risk so you can allocate resources where they matter most
- Build a meaningful risk ranking model based on your specific requirements
- Automate that model in our platform
- Document a remediation playbook that can be repeated and scaled
We believe that Whistic is the only TPRM solution you'll ever need, but don't take our word for it. Schedule a hassle-free demo with our team today, and find out how Whistic can help you put security first.