Establish policies that state the intended third-party risk outcomes. Implement standards and operating procedures to provide the framework within which the policy objectives are accomplished.
Policies formally commit the organization to the stated risk objectives. Standards and operating procedures are necessary to make good on those commitments. From these follow the investments in related people, process, and technology.
Create third-party risk management policies and related standards in collaboration with key stakeholders and executive management. Groundwork in educating decision makers on the value of third-party risk management will likely be necessary. In discussing policy options, be transparent about the benefits, limitations, and costs.
| Practice | Classification | Adoption |
|---|---|---|
| Policies are established that state the intended third-party risk outcomes. | Common | 90% |
| Standards set the criteria against which third-party security risk is evaluated. | Common | 87% |
| Procedures are implemented for measuring third-party inherent risk. | Common | 77% |
| Procedures are implemented for assessing third-party risk performance. | Common | 77% |
| Assessment procedures account for differences in third-party inherent risk. | Common | 60% |
| The third-party risk program is formally integrated with essential partners in the organization, such as purchasing, legal, and compliance. | Common | 77% |
| Program activities are measured and reported. | Common | 60% |
| Program risk outcomes are measured and reported. | Emerging | 37% |