MANAGING THIRD-PARTY AND SUPPLY CHAIN RELATIONSHIPS

Managing Third-Party and Supply Chain Relationships

Vendor relationships, even trusted ones, create significant operational and data risks for an organization. Attackers can use vendors as a stepping stone to attack a company’s network. According to Gartner, more than 60 percent of companies work with more than 1,000 third parties during their course of business, and each one opens exponentially more vulnerabilities. Cyberattacks can disrupt the corporate supply chain, inhibit operations, and result in data breaches that originate from third parties, costing an average of $200,000 dollars, according to a recent IBM study ¹ .

To address these challenges, companies need clear and comprehensive visibility into their vendors. MorganFranklin helps businesses develop scalable third-party relationship management (TPRM) programs that align to their business and regulatory needs. These programs leverage automation to enable rapid risk mitigation and data collection.

Supporting TPRM Readiness and Resiliency

MorganFranklin’s framework for third-party risk management (TPRM) aims to improve companies’ ability to effectively manage third-party risk by providing greater visibility into their extended enterprise. Our TPRM services cover the entire vendor lifecycle, from vendor selection and onboarding to monitoring and offboarding.

The following are the key components of our TPRM services:

1. Planning and Risk Tiering – We help companies develop a strategic plan for supply chain risk management, including budgeting and defining risk tiers.
2. Due Diligence and Selection – We utilize program metrics to assist in the classification and assignment of appropriate risk-based scoring for third-party vendors.
3. Onboarding – We assist in contract review and negotiation, inherent risk rating/tiering/criticality, highlight residual risks, develop exit strategies, and capture appropriate metrics.
4. Continuous Monitoring – We monitor security controls, identify and remediate issues, and track vendor risk profiles on a continuous basis.
5. Offboarding – We terminate third-party digital identities, reclaim corporate property, destroy unnecessary data, and cease payments.

Third-Party and Supply Chain Risk Management Services

MorganFranklin Advisors support all aspects of an organization’s TPRM efforts by applying industry best practices and delivering optimal services tailored to each company’s specific needs. Our services include:

• • Strategy Development. We can help develop a TPRM strategy that aligns with existing processes and business needs and provides long-term scalability and manageability.
  • TPRM Roadmap Creation. We assess an organization’s current TPRM maturity level and target maturity level and create a roadmap for implementing the TPRM strategy that delivers quick wins and faster time to value.
  • Compliance Management Support. Our team can identify key regulations and compliance standards that apply to an organization’s environment and incorporate requirements into the TPRM roadmap.
  • Tool Selection, Configuration, and Deployment: We can help identify the best-suited tools for an organization’s needs and environment and provide support throughout the deployment process.
  • Vendor Risk Management Assessments. Our team can implement vendor risk assessments that promote partnership and shared security, rather than being a burden to third-party partners/vendors.
  • Metrics Development and Reporting. We identify key program metrics and develop tracking and reporting capabilities to ensure the TPRM provides tangible benefits and avoids checkbox compliance.
  • Managed Services Support. Our team can maintain the TPRM program through continuous risk monitoring, regular vendor assessments, targeted assessment campaigns, and ongoing evaluation of the dynamic threat environment.

Roadmap: Define where your security programs need to go

A 3-year security roadmap considers an organization’s implementation of security programs, aligned with its business objectives. The roadmap outlines existing security programs and their advancements, while remaining agile to include new tools and technologies.

When developing a security roadmap, MorganFranklin considers the organization’s business needs, objectives, and risk strategy. A well-planned roadmap can minimize risk exposure, define clear actions in the event of a compromise, and prevent confusion and panic during an attack, all while prioritizing the organization’s goals.

¹IBM Security. (2020). Cost of a Data Breach Report. https://www.ibm.com/downloads/cas/RZAX14GX