One of the most prevalent risks identified when evaluating internal controls or IT general computer controls for a company is understanding and responding to third-party service provider or vendor risk. Prior to the COVID pandemic, third-party risk management (TPRM) was already on the radar of most large organizations as reliance on third parties began to increase. Our Technology, Risk Advisory, and Cybersecurity (TRAC) team was also seeing increased inquiries from clients and prospects looking to create or enhance their vendor risk management programs.
Since the onset of COVID, TPRM programs have become even more important, with small and mid-sized companies now facing new and potentially more dangerous risks, some of which include:
- Supply chain disruption for critical components or services
- Compliance with federal, state, and local COVID guidelines and impact on vendor relations and master service agreements
- Business failure due to extended or delayed payments for COVID-impacted vendors
- Disruption of service from IT providers
- Increased risk from vendor's remote workforce
- Reliance on emerging technology or vendors without proper vetting
- Timely monitoring of vendor access and activity
If you have not considered the impact these risks have on your need to formalize a TPRM program, now is the time to call TRAC. The path to implementation of a TPRM program involves an understanding of vendor risk on three levels:
- Operational - Risks associated with the industry, line of business, company and operations/strategy
- Financial - Risk related to financial strength, stability, and going concern
- IT and Compliance - Risks related to IT infrastructure and controls, IT compliance, and cybersecurity
Risk management services are one of TRAC’s core competencies – there are few firms that can match our breadth and depth of experience. We can guide you through the entire process or specific components to meet your needs, including:
- Planning - Gain an understanding of current-state third-party vendor risk management efforts
- Program Design - Development of a third-party risk management program that is customized to fit your exact needs, including policies and procedures, questionnaires, inventory templates, etc. to be used in the next phase to assess existing vendors and any new vendors on an initial and recurring basis
- Risk Assessment - With management's assistance, accumulate a thorough inventory of existing third-party vendors (e.g., business owner survey), and perform a risk assessment of existing vendors using the methodology and templates developed in the previous phase
- Ongoing Support - Perform and/or provide supplemental support for initial vendor assessments and reassessments of existing vendors on an ongoing, as-needed basis
If you have any questions about how TRAC can help you in evaluating or designing your TPRM process, contact Michael Camacho.