Third Party & Vendor Risk Management

Third-party risk Management | TPRM

Concept of third-party risk management (TPRM) is well-established. However, as the world becomes increasingly digitized, cybersecurity threats are more prominent than ever. Research on this indicates that over 60% of data breaches can be traced back to third-party vendors. Consequently, an effective TPRM strategy has become a necessity rather than a luxury.

So, what exactly is third-party risk management?

TPRM involves identifying and managing the risks inherent in outsourcing and vendor relationships. While not a new phenomenon, the recent surge in digitalization and reliance on third parties has heightened regulatory focus.

41% of companies experienced a significant third-party breach in the past year. Third-party breaches are on the rise as attackers often find third parties to be more vulnerable targets compared to larger organizations with comprehensive protection measures. Third parties may lack the same culture of data protection and cybersecurity.

The rise in digitalization and the subsequent pressure on organizations to thoroughly vet third-party relationships necessitate a robust TPRM framework. Organizations should establish a governance structure where the board and executives are responsible for TPRM activities. This structure should include a documented and periodically reviewed TPRM policy, providing the executive and board with a comprehensive view of their third-party universe, including metrics, ideally included in the board pack and governance agenda.

Another critical component is maintaining outsourcing and vendor registers, assessing third parties from a risk and criticality perspective on an ongoing basis. The classification of criticality drives the depth of due diligence.

Operational resilience is vital for a company to withstand the potential onslaught of third-party risks. Resilience encompasses the firm’s capability to identify, prepare for, and swiftly respond to major challenges. Understanding potential impacts, defining risk appetite, and setting tolerance levels are central to this concept. Firms must meticulously gauge their resilience to third-party disruptions, ensuring robust measures are in place to safeguard business operations and customer interests.

Managing third-party risks presents significant challenges. A notable concern is the risk of data breaches or security incidents due to inadequate vendor security practices, with 70% of companies expressing apprehension. The widespread nature of this concern highlights the challenges third-party risks pose to businesses across various sectors. Additionally, sourcing skilled staff capable of challenging current outsourcing service provider arrangements and enforcing appropriate oversight mechanisms is a complex task.

Reserve Bank of India circulars on vendor risk management

In 2024, the Reserve Bank of India (RBI) introduced several changes related to vendor risk management.

Let’s explore them:

  1. Guidance Note on Operational Risk Management and Operational Resilience:
  • The RBI placed this Guidance Note on its website, aligning its regulatory guidance with the Basel Committee on Banking Supervision (BCBS) Principles.
  • It covers operational risk management and resilience, adopting global best practices.
  • The systems, procedures, and tools outlined in this note should be read alongside relevant instructions issued by the RBI.
  1. Master Direction on Risk Management and Interbank Dealings (Revised):
  • Effective from April 5, 2024, this revised direction replaces the existing one from July 5, 2016.
  • It addresses risk management practices, including those related to vendor dealings and interbank transactions.

Key points regarding the RBI’s directions on vendor risk management:

  • Comprehensive Assessment: REs must assess the need for outsourcing and evaluate attendant risks.
  • Regulatory and Supervisory Requirements: Compliance with all applicable statutory and regulatory requirements is essential.
  • Governance Framework: Establishing an IT outsourcing policy, defining roles for the board and senior management, and ensuring proper IT function are crucial.
  • Evaluation of Service Providers: Due diligence on service providers is necessary.
  • Outsourcing Agreement: Legally binding agreements should cover relevant aspects.
  • Risk Management: Implementing a risk management framework, business continuity, and disaster recovery plans.
  • Monitoring and Control: Regular monitoring and control of outsourced activities.
  • Outsourcing within a Group / Conglomerate: Specific provisions for intra-group outsourcing.

Source: RBI/2023-24/102 DoS.CO.CSITEG/SEC.1/31.01.015/2023-24

How ProGReC can help

ProGReC, presents ReGoRisC integrated GRC software offers a solution to streamline governance, risk and compliance management, saving businesses valuable time. Our holistic solution provides a systematic method for handling organizational risks, offering real-time insights into risk management processes through robust analytics, heat maps, reports, and dashboards. These tools empower users to make more informed decisions based on risk assessments.

ReGoRisC, optimizes and integrates various components of TPRM programs, providing clients with a comprehensive, interconnected perspective. This approach facilitates a thorough risk assessment process, enabling clients to make informed decisions based on a comprehensive understanding of their risk landscape and provides a 360-degree view of the risk associated with a third party, equipping organizations with all relevant data needed for risk assessment.