TPRM & SCRM
While NIST does not have a definition for Third-Party Risk Management (TPRM), NIST defines Supply Chain Risk Management (SCRM) as, "the implementation of processes, tools or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle."
Why Is TPRM / SCRM Something GRC Professionals Should Be Familiar With?
Third-Party Risk Management (TPRM) / Supply Chain Risk Management (SCRM) involves implementing measures, based on program-level guidance, to manage supply chain risks (e.g., risks associated with external suppliers, external vendors, and/or service providers). TPRM / SCRM is crucial because third parties can be weak points in the organization's processes and security structure: a compromise or failure at a supplier or service provider can affect the organization even when its own controls are sound.
While TPRM / SCRM processes vary by industry, the overall goal is for the organization to be proactive in identifying and managing risks rather than reactive. When a risk is managed and mitigated accordingly, TPRM / SCRM can reduce both the likelihood of it occurring and its impact if it does.
TPRM / SCRM processes generally consist of five (5) key steps to create a “vendor management lifecycle” approach to risk management:
- Identification;
- Due Diligence;
- Procurement;
- Due Care; and
- Offboarding.
How Is TPRM Different From Supply Chain Risk Management (SCRM)?
TPRM differs slightly from Supply Chain Risk Management (SCRM): TPRM focuses on risks associated with immediate third parties (e.g., external suppliers, external vendors, service providers, etc.), while SCRM takes the broader view of risks associated with the entire supply chain (e.g., suppliers, vendors, service providers, materials sourcing, subcontractors, geopolitical influences, etc.).
The relationship between TPRM and SCRM is akin to Russian nesting dolls, also referred to as Matryoshka dolls, which contain a series of increasingly smaller wooden figures, each tucked securely within the other. Comparing TPRM and SCRM to Matryoshka dolls, the organization would be the smallest doll at the center. TPRM would be the next layer, since it deals with the immediate third parties, including the vendors, contractors, cloud service providers, and business partners that an organization relies on to function. Finally, SCRM is the outer layer because, in addition to encompassing TPRM, it goes beyond and deals with third-party subcontractors, manufacturing sources, logistics providers, and even geopolitical influences.
How Is TPRM / SCRM Different From Vendor Risk Management (VRM)?
The key difference between TPRM / SCRM and VRM is the scope of risk management activities. TPRM / SCRM encompasses risk management over all third-party relationships, while VRM focuses on risks associated with vendors (e.g., suppliers).
Is TPRM / SCRM A Risk Questionnaire?
No. TPRM / SCRM is not a risk questionnaire. However, a risk questionnaire is a key component of a TPRM / SCRM program, since properly scoped questionnaires can help organizations identify risks and potential weaknesses among third parties that could impact the organization and its operations. A risk questionnaire is a TPRM / SCRM tool that helps an organization evaluate a third-party's ability to manage risks.
Why Is A TPRM / SCRM Policy Not The Same Thing As A TPRM / SCRM Program or Questionnaire?
A TPRM / SCRM policy is not the same thing as a questionnaire or a TPRM / SCRM program because it only establishes management's intent.
A questionnaire is a data collection instrument used to gather information to determine the third-party's risk posture as part of TPRM / SCRM processes.
A TPRM / SCRM program incorporates both the TPRM / SCRM policy and the questionnaire, as well as a risk assessment template, among other items, to create a full-fledged TPRM / SCRM capability (i.e., a program).