Strengthening a retailer’s third-party risk management program
Snapshot
Working with third-party vendors (suppliers, manufacturers, distributors, service providers, and other outside entities) is a proven way for businesses to cut costs and draw on expertise they lack in-house. That said, these parties generally fall outside a business's direct control, particularly when it comes to security, which makes them a potential source of risk.
A major Northwest retailer recently underwent a reorganization and downsizing effort that created complexity within its Third-Party Risk Management (TPRM) program as it related to a critical partner data sharing contract. The retailer engaged Kalles Group to validate the current program, evaluate its compliance with contractual obligations, and provide recommendations for improvements.
Challenge
Mergers and downsizing impact critical TPRM functions
The TPRM evaluation project was complicated by the fact that the organization had recently merged with a subsidiary division that had its own internal TPRM program. In addition, downsizing had cost the company key personnel who were covering a critical TPRM function, leaving that function without an owner.
Fast turnaround was needed to satisfy the demanding business partner. In the context of this partner contract, the company was subject to compliance requirements for partner data storage, management, and protection as well as for managing third-party service suppliers supporting those efforts.
The client looked to Kalles Group to help reconcile these challenges and to quickly restore the unstaffed function, so that the best of both programs could be brought together over time.
Approach
Nothing secures trust like a solid task plan that covers all the bases
Kalles Group quickly established trust by presenting a highly detailed task plan at the first client meeting. Executed over the course of eight weeks, the plan focused on determining whether the company was meeting its contractual obligations for managing high-risk partner data as well as for controlling the third-party suppliers that were contributing to it. The project scope included:
Program and Process Analysis: Inspecting process and program documentation across two divisions along with recent work products to determine the maturity of the program against industry benchmarks.
Gap Analysis: Identifying the gaps between the contract requirements and the company’s standards and operational practices.
Compliance Check: Determining whether all contract requirements were being reasonably fulfilled.
Recommendations: Formulating and prioritizing improvement recommendations to address control gaps.
A systematic approach identifies gaps and key improvement areas
Inspection against National Institute of Standards and Technology (NIST) standards confirmed that the function whose owners had been lost was well designed, had been properly executed, and was appropriately mature. However, the overall process within which it operated was disjointed and difficult to follow. The Kalles Group team used a systematic approach to determine which improvements would eliminate the greatest number of validated concerns and identified gaps.
Interviews with 31 key personnel yielded 97 concerns, which were consolidated and sorted into nine prioritized categories. The top five of these revealed a broad consensus on three key areas. After reviewing the company's operational practices and evaluating its contracted requirements against best practices from four industry standards, Kalles Group found that a significant number of contracted requirements might be at risk. These were treated as gaps.
Results
Short-term and long-term recommendations delivered on-time and on-budget
The analyzed gaps were used to validate high-priority areas of concern. Together, they provided confidence for the nine prioritized recommendations that Kalles Group delivered. These recommendations ranged from short-term easy wins that would streamline cross-team interactions to a long-term vision for elevating the visibility of the program and transforming it into an enterprise function.
The project was delivered on time and on budget. In addition, although it was not part of the Statement of Work (SOW), the team stretched to provide additional value to the client. These supplementary deliverables included:
Tools Analysis: Profiles of all available in-house tools, including descriptions of how some of these could be used to support the process.
Comprehensive RACI: An executive-validated, cross-team RACI encompassing all participants in the end-to-end process.
Supplier Questionnaire: A refined third-party supplier questionnaire, updated to include current cyber threat concern areas such as phishing and mobile device management. This reduced the ambiguity of supplier responses.
With Kalles Group’s organized, step-by-step method for inspecting process and program documentation, identifying gaps, checking for compliance, and providing recommendations, the retailer was able to navigate its reorganization efforts while keeping its TPRM strategy solid.