Unfortunately, there is generally no common understanding of the level or type of assurance a third party should provide nor how the assurances should be provided. As a result, organizations may seek a greater level of assurance from a third party than is warranted, resulting in program inefficiencies and excess cost, or they may not seek enough assurance from a third party and subsequently expose themselves to more risk than intended.

HITRUST addresses this problem via a 6-step third-party risk management (TPRM) methodology.

Step 1 – Initiate. Prior to contract award or as part of a routine or special reassessment (e.g., annually or after a material change in the relationship, respectively), formally initiate the TPRM process and, if necessary, request information from internal departments or external stakeholders.

Step 2 – Collect. Gather proposals, contracts, and other documentation about the third party and the products, services, etc., the third party provides or will provide, including documentation received from the third party (e.g., a short questionnaire about their business practices), and then route it to the subject matter experts (SMEs) within the organization for review.

Step 3 – Qualify. Evaluate the information about the third party and the products, services, etc., the third party provides or will provide, and assess the level of risk they pose to the organization.

Step 4 – Accept. Formally accept or decline to accept the level of risk posed to the organization should it enter or continue a formal relationship with the third party (for the products, services, etc., provided). Note that failure to accept the risk should result in dropping the third party from consideration in a competitive bid or, if a current relationship exists, canceling or modifying the contract or other agreement.

Step 5 – Select. If entering into a new relationship via competitive selection, select the appropriate third party, execute all necessary legal contracts, and complete other onboarding activities; if an existing relationship, make any changes needed in legal contracts or other documentation to reflect any changes in the third-party relationship (e.g., the amount of data the third party receives or how it is processed).

Step 6 – Monitor. Continuously monitor the third party for changes in potential business risk, including information security, privacy, and compliance risk.

The organization should re-enter the Initiate step to review existing third-party relationships and determine whether there have been any material changes in the relationship, e.g., in the amount of data to which the third party has access or how it processes the information. The Initiate stage may be entered periodically (e.g., annually) or aperiodically when a specific condition or trigger is encountered (e.g., the third party reports a breach).

Figure 24. Generic Third-Party Risk Management Process Model