Without buy-in from executive leadership to your third-party risk management program, you are not likely to get it off the ground and keep it there. Tone at the top is critical. Here are seven tips for obtaining and maintaining the support you need from the C-suite:
Although every organization is different, following these seven tips should greatly improve your chances of building and retaining executive buy-in to your third-party risk management program.
- Build a business case – To convince the leadership of your organization that they need to invest in a third-party risk management program, you need to build a compelling business case. Focus on demonstrating how a relatively modest investment in a third-party risk management program can result in a substantial reduction of annual loss expectancy from adverse events caused by third-parties.
- Leverage an executive sponsor – Unless you are a C-suite executive yourself, you need an ally in the C-suite. Recruit an executive level sponsor for your third-party risk management program and spend the time necessary to educate them. You are not finished until they are as big of a proponent of a third-party risk management program as you are.
- Build cross-functional support – Practice diplomacy to win over supporters throughout the organization. Meet with the leaders of other departments and explain the benefits of a third-party risk management program. Build alliances with the leaders of functions that can directly benefit from the program. Good candidates are the procurement, legal, IT, audit, and finance functions.
- Seek approval from a governing body – If your organization has a security steering committee, a risk management committee, an internal controls committee, or other corporate governing body, seek formal approval of a charter for the establishment of a third-party risk management program. If the governing body doesn’t approve programs, then at least present the program in that forum to improve the odds of organizational acceptance.
- Make it company policy – A third-party risk management program depends on acceptance by the individuals who build and manage relationships with third parties. One way to ensure that acceptance is to make your third-party risk management processes mandatory by codifying them within official company policies. Create a third-party risk management policy and seek approval from a governing body (see above).
- Minimize friction – The primary reason executives oppose the establishment of a third-party risk management program is the fear that the accompanying processes will create friction that unnecessarily slows the establishment of third-party relationships. You can avoid this criticism by designing efficient processes, automating workflows, and altering the robustness of the due diligence performed and the frequency of reviews depending on the criticality of the third-party.
- Keep it front and center – Support for your third-party risk management program may wane over time if executives are not regularly reminded of its benefits. Use periodic updates to continuously underscore the value of the program. When executives have ongoing insight into third-party risk, they are not likely to want to lose that visibility.
Although every organization is different, following these seven tips should greatly improve your chances of building and retaining executive buy-in to your third-party risk management program.
Bradley J. Schaufenbuel
(CISO, CISSP)Vice President and Chief Information Security Officer at Paychex, a leading payroll, human resource, and benefits outsourcing company. He is a speaker at industry conferences and author of multiple books (including two “For Dummies” titles), and has had numerous articles published in professional journals on a wide variety of topics related to information security and governance.
