To learn more about the basics of using the FAIR model as part of your third-party risk management program, see the previous two blog posts in this series: “Using the FAIR Model to Quantify Third-Party Cyber Risk” and “How to integrate Black Kite’s FAIR analysis into a third-party risk management (TPRM) program”
Once you’ve achieved the basics, you can mature your third-party risk management (TPRM) program by incrementally optimizing vendor risks that have been categorized as critical, material, and those that have shown the probability of a high dollar impact from the FAIR report. There are several ways that this can be done.
First, you will want to conduct an inventory of what you know about the selected vendor. Procurement or the business unit may have additional details or artifacts around compliance that have been previously collected. If a questionnaire such as the SIG (Standardized Information Gathering) has already been collected, you can upload those details into the platform via the Compliance Report, Upload Compliance File. If you have an artifact such as a PCI-DSS ROC, you can go to the Compliance Reporting section, select the specific tab for the framework, then review the results column. You can add or adjust information based on the report. Be sure to recalculate when finished with these additions.
If you have more accurate details from the business unit about the vendor engagement, you can make those changes in the FAIR report, either through specific numeric data or other factors such as:
Figure 1: Data Breach Factor Options
When the new information is added to the assessment, review the three dimensions of risk (technical grade, compliance percentage, and probable financial impact numbers) to determine if direct follow-up action would be required.
- Follow-up may include:
- Work with the business unit to reduce the need to share data.
- Work with the vendor to improve their security hygiene and/or compliance posture.
- Work with your technical team to isolate vendor access to the network.
- Other refinements, as appropriate to your unique setting and relationships.
- Schedule continuous or periodic monitoring based on these results.
Full maturity and optimization
One of the keys of moving your program to full maturity is understanding the relationship between assessments and risk appetite. Many organizations base their risk tolerance on a qualitative measure of the low, medium, or high. The use of the Black Kite platform will give you the tools to elevate the third-party risk conversation to a more advanced level. The first step is to know what your organization’s risk appetite is when it comes to third parties.
When you understand what your company risk appetite and tolerance is, then you can compare that to the FAIR probability of financial loss for a vendor.
- If the FAIR impact amount is at or below your appetite, then a vendor can be scheduled for fewer recurring monitoring and assessments.
- If the FAIR impact amount is above your appetite, but within risk tolerance levels, a deeper dive into the assessment process for that vendor would be warranted to improve accuracy. If it is beyond appetite but still within your company’s risk tolerance, than a more frequent monitoring assessment schedule is suggested.
- If the FAIR impact amount is beyond your risk tolerance, then a deeper dive into the assessment process is warranted to improve the accuracy of the analysis. If it is beyond tolerance, then a plan of action should be identified for corrective action that the vendor could take to improve their risk posture. The time it takes for vendors to close any deficiencies that are identified is a good source of data for a key risk indicator (KRI), both for the vendor and your TPRM program.
Figure 2: Risk Exposure Gradient
A well-documented and justified program meets regulator questions. It’s no longer a matter of High/Medium/Low heat-maps. You can now create a process document that includes all of the analysis, review, and steps outlined above and reflects your more mature level of corporate customization. When your analysis is tied to the pre-established corporate risk picture, regulators will understand your program is mature. Developing meaningful KRIs and key performance indicators (KPIs) is an essential part of building mature processes. Meaningful measurements enable effective comparisons, which in turn enable well-informed decisions. Measurement of variance relative to expected norms (such as variance from risk appetite) is the most effective method of obtaining good KRIs and KPIs.
The purpose of this guide is not to instruct you in creating those metrics, but to help you better understand the value of good indicators. “Variance is the true enemy because variance from and intended state of control almost always exists when a significant event occurs.”– Chapter 13 of Measuring and Managing Information Risk: A FAIR Approach.
The final stage in achieving a fully mature program is understanding that nothing remains static. To that effect, adopting a strategy called the Observe, Orient, Decide, Act loops (OODA) is highly recommended. OODA is far more than a simple loop – it is a strategic way to help meet the goal of cost effectively achieving and maintaining an acceptable level of loss exposure.
Figure 3: Incorporating Continuous Monitoring in TPRM Programs
Black Kite is the only company taking a multidimensional approach to risk rating and assessment. It is not enough to simply score risk based on qualitative factors or to make business decisions on grade ratings alone. Risk assessments must be able to convey information in relatable terms to all stakeholders and result in quantifiable, tangible business outcomes. This is the key to TPRM program success.