It seems that one of the most difficult initial tasks in TPRM is just developing and maintaining an inventory of third parties. What procedures or strategies are you using to make sure no vendors slip through the cracks?
Tales from the field: We frequently speak with companies who struggle with this first step... which drives trepidation in moving to the other steps in the process. While I wish software could solve this challenge, it's really about culture and process. In some organizations, security carries a heavy hand. In others, it's a necessary evil and can't "get in the way of business." Engaging your colleagues in the procurement department to build a process that weaves TPCRM into the process is key. Without this step, TPCRM becomes a roadblock or fire drill, rather than a valuable part of protecting the business from easily avoidable cyber risk.
Many of the vendor management challenges that companies face seem to all stem from the same issue of not having a centrally managed list of vendors. It seems like every company, big or small, struggles with this same key issue, which is the identification of the vendor population.
This issue is especially challenging for firms that have been operating for a number of years and have just recently started working on vendor risk. At this point they may have hundreds or thousands of vendors that do not exist within one source of truth. There can be multiple procurement teams that work in silos, payment to vendors can be done through means other than the official procurement process (such as using corporate cards for payment), and organizing all of this through a manual process will oftentimes miss certain vendors being introduced to the firm.
Creating a VRM process and ensuring all requests go through this process will help solve the issue associated with new vendors coming into the firm; however, you still have to work on the backlog of vendors in your environment and identify the business relationship owner, the vendor relationship owner, triage questions to understand the inherent risk, among other things. There does not seem to be one streamlined solution to do this, and it requires a lot of manual work, whether up front or throughout the lifecycle.
The good news is that once this identification and classification process is complete, you quickly move the needle and arrive at a sustainable VRM process.