Let’s start with a quick definition:
A business case is the justification for undertaking a project, programme or portfolio. It brings together the benefits, disadvantages, costs and risks of alternative options and provides a rationale for the preferred solution.
Identifying the problem
It all starts with identifying the problem or challenge that’s getting in the way of achieving your goals. In the TPRM business case, it’s usually the tremendous workload required to complete third-party risk assessments to engage in a business relationship. Plus the after work of managing and monitoring that relationship.
For enterprises conducting evaluations, this includes sending spreadsheets with requirements, deciding which requirements apply to each new potential vendor, chasing them to complete the assessments and respond to any findings, and then asking for periodic updates of security documentation. Not to mention the need to have a clear understanding of risk across the supply chain, who are the riskiest third-parties, where to focus, and how to continuously monitor the vendor ecosystem.
Download our free strategy guide: Building a Scalable TPRM Program
For third-party vendors being assessed, this means answering the same security questions and sharing the same documents over and over again – questionnaires, certifications, insurances, you name it.
These issues are an important part of the TPRM business case. They express the problems with the current situation and demonstrate the benefits of the new vision.
Analyzing the solutions
Once the problem or improvement opportunity is identified, it’s time to analyze the possible solutions. We discussed “the good, the bad, and the ugly” in another blog, but essentially there are three ways of tackling TPRM:
- With a purpose-built tool – A TPRM workflow management platform
- With a tool built for something else that you can somewhat adapt – While their intentions are good, they’re tackling up functionality to an existing framework that may or may not work
- Without a tool – Sticking to the manual process with emails and spreadsheets
Ideally you’re trying to answer the million dollar question: Is purchasing a TPRM tool worth the investment? To answer that question, the TPRM business case justifies the need for resources or expenditure to seek approval from the C-level.
In the realm of TPRM, particularly concerning the management of sensitive data and critical processes, a purpose-built tool, such as a TPRM workflow management platform, can be likened to the efficiency and reliability of rack mount servers in a computer network. Like these servers streamline data management, a specialized TPRM tool can streamline and enhance the overall risk management process, providing a tailored solution that aligns seamlessly with the organization’s needs, much like the precise fit of rack mount servers within a data center. This targeted approach ensures that the investment in a TPRM tool is not only justified but also optimized for robust risk management practices.
There are different templates and ways to layout the TPRM business case, but as rule of thumb it should include the following sections:
- Executive Summary
- Current situation and possible solutions
- Financial analysis
- Project definition
- Project organization
Don’t forget to describe the benefits, technical solutions needed and the impact on operations. It’s also a good practice to estimate costs and dates.
Fitting the use case in the TPRM business case
As the situational analysis, project scope, and finance aspects vary across organizations, we’ll focus on the TPRM use case when going for choice #1 (the dedicated TPRM tool).
As an exercise, we’ll build the use case for adopting our ThirdPartyTrust platform with its two offerings: Enterprise and Beacon. Fun fact: this was based on the proposal that a real customer used to promote ThirdPartyTrust in their organization.
It would go something like this:
ThirdPartyTrust is a third-party risk management (TPRM) workflow management, document repository, and process automation platform that facilitates third-party risk assessments at scale. Its unique network approach allows for streamlined processes to expedite risk assessments and eliminate the dependency on email and spreadsheets.
With 17,000+ (and counting) third-party security profiles readily available, combined with continuous monitoring based on security rating data feeds, the collective intelligence of the network is leveraged to solve the problem of repetitive, manual efforts.
By using ThirdPartyTrust, an organization can improve third-party risk management and process automation regardless of directional need – ie. whether ‘sharing-in’ or ‘sharing-out’. In this sense, ThirdPartyTrust addresses three use cases, summarized below.
Use case 1: Network Share-In (To be used primarily by Information Security teams)
Enables organizations to assess more vendors with the same resources, by scaling their process to request security documents, review questionnaires, manage findings and centralize communication with vendors through a single platform.
Use-Case 2: Network Share-Out (To be used primarily by GRC teams)
Enables organizations that are a third-party to other organizations to easily share their security posture and compliance documentation with partners, customers, regulators. This reduces the workload of completing questionnaires, speeds up the sales cycle and improves ROI. Third-parties can save time and manual effort by securely sharing a centralized security/compliance profile, thus avoiding starting from scratch on every customer security assessment.
This Beacon profile includes all questionnaires, certifications, and attestations (eg., SIG Core and Lite, Cloud Security Alliance CAIQ, SOC Reports, ISO Certifications, PCI-DSS AOCs, pen tests, insurance documentation, etc.).
Use case 3: Periodic or Ad-Hoc Compliance Check-Ins (To be used by Information Security and GRC teams)
ThirdPartyTrust contributes positively to periodic re-assessments and third-party incident management (eg., incidents impacting the supply chain ecosystem like Solarwinds).
- Improve visibility across the entire vendor ecosystem and focus on the most pressing issues
- Quickly determine whether information previously supplied is still evergreen
- Easily send custom questionnaires through widespread outreach efforts
- Track responses, create findings, collect documentation and easily add these new layers on top of existing assessments
Key Benefits
- The entire community of organizations and third-parties benefits from sharing information both ways
- Community crowd-sourced evidence gathering (answer once, share repeatedly)
- ThirdPartyTrust pre-built integrations (BitSight, RiskRecon, SecurityScorecard, and more)
- Built from the ground-up on APIs (integrates well with other systems)
- Ability to require third-party to add its most critical vendors to platform (ie. fourth-party risk management)
- Intuitive UI/UX
- Dedicated Customer Success Support (via integrated chat, email or telephone)
To learn more about how ThirdPartyTrust can help you streamline your third-party risk assessment and monitoring process, request your free trial now:
Sabrina Pagnotta
Sr. Content Strategist