(1). Framework Considerations

As a business, it’s critical to determine essential framework considerations for your overall TPRM program. For example, are you building a fully automated program incorporating third-party risk management platforms & tools/solutions (i.e., TruSight, Third Party Trust, VenMinder, OneTrust, etc.), a manual process, or a combination of both?

Centris is a leading provider of integrating our services with all of today’s available TPRM solutions, therefore, we can help determine the best type of TPRM program for your organization. While organizations do share many similarities regarding their operational life cycle, ultimately, your organization is inherently different from someone else’s – all the more reason for taking the time to best determine essential framework considerations as just mentioned.

Additional measures undertaken during this phase also include developing best practices relating to third-party on-boarding, off-boarding, along with annual due-diligence & continuous monitoring considerations. Again, depending on the type of framework being implemented, this will help drive the conversation in terms of how to best achieve optimal results for third-party onboarding, offboarding, and continuous monitoring.

With Centris our Design & Deploy TPRM solutions help organizations build comprehensive third party risk management programs for the financial, life sciences, healthcare, energy, critical infrastructure, manufacturing, retail, technology, and legal sectors.

(2). Scoping Considerations:

Third-parties come in all shapes and sizes, so stop and think about every organization that your organization actually enters into a contractual relationship with? Dozens, perhaps more, many more? If so, it’s time to get a better read on your third-parties for helping secure your organization from growing external business constraints and threats.

At Centris, our “Design & Deploy” process begins with a deep-dive in better understanding your entire third-party supply chain. Some third-parties are obviously much more important than others, no question about it, therefore, it’s essential to begin compiling a list of every organization you rely on for services. Scope is the all-important consideration that ultimately determines the depth and complexity of your TPRM program. With Centris, we’ll do the deep digging to unearth all of your third-parties.

(3). Identification & Classification

With all third-parties identified, it’s then critically important to assess core metrics for each third-party. Specific measures to consider: What type of actual third-party classification are they given (i.e., partner, agent, vendor, distributor, etc.)? What do they do? What products/services are they performing? How long have they been providing services? Have there been prior issues/constraints? Have they undergone any recent due-diligence measures? Such topics – and many more – are covered with immense detail during this essential phase.

4). Risk Assignment

With numerous risk factors to consider, we’ll assess all relevant risks applicable to each type of third-party classification. The end result is a complete risk profile of each third-party in terms of their risks. Specifically, the following risk categories are used for assessing third-party risk: Key Risks, Information Technology & Information Security Risks, PII & PHI Risks, Cardholder Data Risks, Compliance Risks, Reputation Risks, Strategic Risks, Operational Risks, Transaction Risks, Credit Risks, Country Risks, Third Party Risks, Interest Rate Risks, Liquidity Risks, Legal Risks, and Market Risks.

Our risk assignment process is effectively two-fold. First, we rank all third-parties individually in terms of key risks for each third-party alone. Second, we then rank all third-parties as a whole in terms of key risks to your organization. This type of methodology provides an incredibly comprehensive and granular set of risk metrics for increased transparency.

(5). Due-Diligence & On-boarding

Bringing on a new third-party can be both exciting, yet also stressful. It’s therefore important to undertake all necessary due-diligence measures before even considering the services of a new entity. With Centris, we can build an incredibly comprehensive, yet highly efficient and scalable due-diligence program for ensuring maximum ROI from all potential third-party candidates. Once a third-party has passed the necessary due-diligence phases, Centris can also develop a highly customized on-boarding program for ensuring full coverage of all security, privacy, compliance, and operational on-boarding issues are covered.

(6). Continuous Monitoring Efforts

A true and viable TPRM program is not static, rather, dynamic, fluid, and always involved in continuous monitoring efforts for all in-scope third-parties. There’s little value – if any – in assessing a third-party only during the on-boarding process, never to engage them again after the contract is signed. At Centris, we’ve spent years perfecting a program that includes comprehensive measures relating to continuous monitoring for third-parties. And with the integration of various third-party risk management platforms & tools/solutions (i.e., TruSight, Third Party Trust, VenMinder, OneTrust, etc.), continuous monitoring efforts can be extremely streamlined and efficient.

(7). Follow-Up/Reporting and Corrective-Action Measures

Challenges will happen with third-parties, and when they do, it’s important you have a comprehensive action-plan in place to deal with such issues. Any number of problems can occur with third-parties, yet quick and timely resolution is often the difference between relationships that remain healthy to those that turn into challenges.

With Centris, we offer a proven plan for addressing any number of potential issues that WILL arise in your third-party supply chain. The key to healthy relationships with third-parties is communication – pure and simple – something Centris clearly understands and ensures you have when implementing our world-class “Design & Deploy” TPRM program.

(8). Off-Boarding

Third-parties come and go for any number of reasons, that’s the nature of the global business environment. Key to successful third-party risk management is developing and applying appropriate controls for off-boarding third-parties when the time comes. With Centris, we’ll develop a comprehensive, rock-solid TPRM off-boarding program that protects your assets, IP, and anything else associated in the supply chain with a third-party being off-boarded.

Just a small example of “must-have” off-boarding best-practices include performing a final review of contractual termination, settling any outstanding financial issues, removing access to information systems & facilities, ensuring sensitive IP and related consumer data is permanently removed/deleted, and much more.

(9). Training

Finishing the job when it comes to TPRM requires a true commitment to training your employees on the measures just built and implemented for comprehensive third-party risk management. Every employee has a role – some more direct than others – for helping ensure the success of the organization’s TPRM program. This is where Centris truly shows our value as we take the time to work with your employees by providing all necessary training on third-party risk management.

Additionally, we can also offer TPRM training solutions to all of your third-parties in your supply chain. The more both sides are fully aware, informed, and held accountable for their ongoing TPRM requirements, the more successful the program will be.