Third-party risk management: No one size fits all

Despite predictions in the early days of the pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow.
Written by Forrester Research, Contributor

Third-party risk management (TPRM) is high on the list of both business and risk management priorities, and that's a good thing.

Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that's great news because, unlike in the years following the Great Recession, firms aren't pulling back on security and risk investment. 

What's in a name? Is it TPRM or IT VRM?

To-may-to, to-mah-to, right? Not exactly. Here's some context on third-party risk nomenclature. Financial services use "third parties" to align with OCC (Office of the Comptroller of the Currency) language, healthcare references "business associates" to align with HIPAA, and manufacturing commonly uses "supplier." Everyone else gravitates to the term "vendor" because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is compliance with IT control frameworks and standards.


Forrester uses "third party" to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it's not an employee, then it's a third party. 

The TPRM market is not "one size fits all" 

Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, third-party risk management is more than a cybersecurity rating or a due diligence tool.

Forrester defines this category as: 

Platforms that identify, assess, score, monitor, and report on risks to the organization stemming from its third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding.

There's no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities: 

  1. Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity. 
  2. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM. 
  3. Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics.
  4. Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies, the range of capabilities of GRC platforms, and often provide supporting services but are singularly focused on industries with complex third-party compliance requirements. 

Each segment contains vendors that will be a good fit for different types of buyers. 

This post was written by Senior Analyst Alla Valente, and it originally appeared here
