Policy, Program and Procedures


What does an Advanced Maturity Third Party Risk Management program look like, practically?

  • 1.  What does an Advanced Maturity Third Party Risk Management program look like, practically?

    This message was posted by a user wishing to remain anonymous
    Posted 01-07-2021 02:34 PM

    Thinking about the maturity curve of a Third Party Risk Management program, would love thoughts on what attributes both a Mature program and an Advanced program look like. I think at a high level there are some attributes I can connect to (listed), but from a practical controls perspective, what are examples of controls that could be implemented by the First Line that would demonstrate achieving these levels? Milestones, let's say.

    Mature attributes - Proactive risk management, Risk management consistently and fully implemented, Key risk indicators are used for major risks, Risk processes are monitored and reviewed for continuous improvements

    Advanced attributes - Analytics proactively used to identify and monitor risks, ROI Program drives decisions and pursuit of opportunities, Advanced and sophisticated risk management processes used to manage oversight


  • 2.  RE: What does an Advanced Maturity Third Party Risk Management program look like, practically?

    Posted 01-07-2021 03:49 PM

    I was thinking of something similar as I prepare a (possibly PMI) talk regarding risk and stakeholder boundaries and gaps when looking at NIST, Mitre, TPRM, 3LOD, CMMC, AICPA/TSC, COSO, etc.

    While researching those relationships, here are some links related to maturity that then move down.

    What I have found is a lack of vocabulary to foster the communication and sharing of goals and objectives that translate from the top all the way down to KPIs or metrics, and back up in terms of reporting, dashboards, etc. Hopefully the talk, starting with 3LOD, will enable each group to be aware of the others outside their organizational or professional boundaries, which case after case I don't see them considering.

    Larry

    PS: some images and links...

    * Venminder has discussed vendor risk appetite which reflects a different type of maturity
    * The new DoD CMMC certification (https://www.acq.osd.mil/cmmc/) requirement has been effective since last Nov 1st, 2020.
    * NIST SP 800-171 CMMC Level compared to 14 Control Families and Maturity of Processes, Documented procedures and resulting policies, management and automation / detection / remediation.
    * HITRUST CSF® Control Maturity Scoring Rubrics (see Hitrustalliance.net for the 2-page PDF). Please consult the following white paper for additional guidance:
    https://hitrustalliance.net/content/uploads/Evaluating-Control-MaturityUsing-the-HITRUST-Approach.pdf
    * Defense Acquisitions: DOD's Cybersecurity Maturity Model Certification Framework December 18, 2020 (see Congressional Research Service https://crsreports.congress.gov R46643)
    * Earlier models like Capability Maturity Model in 2008 (ISO/IEC 21827:2008) 
    I liked two graphics from complianceforge.com ( https://www.complianceforge.com/standardized-operating-procedures/