You built the business case for your third-party risk management program. The program was funded, and it is now fully operational. It is only a matter of time before the leadership team of your
organization asks for evidence that they are getting value from the resources they have allocated to you.
How will you prove that your organization’s TPRM investment is paying off? Here are three ways.
1. Leverage economic quantitative risk management
Nothing shows value to a C-suite audience better than dollars and cents. Demonstrate that your TPRM program creates a reduction in annual loss expectancy (ALE) greater than the cost of the program itself. You can, for instance, calculate an annual loss expectancy from a third-party data breach by multiplying the probability of such a breach materializing in the next year by the financial impact of such a breach to your organization should it occur (e.g., public relations costs, disruption to your operations, legal costs, etc.).
The implementation of a third-party risk management program should both reduce the probability of a third-party data breach occurring as well as its impact on your organization if it does. The resulting reduction in annual loss expectancy from this one risk alone should fully justify the cost of your third-party risk management program.
2. Highlight TPRM investment wins
When there is a security breach at a third party that was rejected based upon findings from your third-party due diligence process, share this information with your executive team.
When a risk crystallizes at a third party and the impact of that event is less than it would have been if you had not put additional controls in place as a result of your third-party risk assessment process, share this information with your executive team.
When an independent auditor or regulatory examiner cites the effectiveness of your third-party risk management program in its audit or examination report, make sure to highlight that to the executive team.
3. Deliver TPRM metrics
You cannot show what you cannot measure. If you want to show your third-party risk management program is delivering value, you need to measure and report on it. You will want to start by measuring the quantity of activity, e.g., number of third-party due diligence engagements performed, number of third-party risk assessments conducted, number of periodic third-party risk reviews performed, number of third-party incidents managed, etc. You will then want to move quickly towards measures of efficiency, e.g., average number of third-party due diligence engagements conducted per risk analyst over a specific time period, average number of periodic third-party risk reviews conducted per analyst over a specific time period, etc. Finally, you will want to graduate to measures of efficacy or effectiveness, e.g., reduction of annual loss expectancies over time due to third-party risk management activities.
Of course, to execute any of these ideas, you need a forum in which to share this information with the leaders of your organization. Hopefully you can add TPRM to the agenda of an existing information security or enterprise risk oriented executive steering committee (whatever it may be called at your organization). If not, creating such a forum should be high on your to-do list.
Some of these ideas may be better received than others at your organization. Make sure to gauge feedback and adjust your approach depending on what does and does not resonate. However you do it, make sure to keep the value of the TPRM investment and the program front and center to ensure ongoing leadership support.