Managing continuous monitoring noise in third-party risk

Brad Gilliat, Blake Gardner
12/12/2023
Managing the noise of third-party continuous monitoring

Continuous monitoring of third parties can be a resource-intensive effort, but a risk-based approach can lead to a more effective program.

Overview

As third-party risk management (TPRM) programs mature and due diligence processes stabilize, many organizations are tasked with doing more with less. TPRM programs are challenged to manage risk in an evolving market, so what reasonable approaches can organizations take? Many see continuous monitoring as the next step to enhance their TPRM programs.

To identify current market trends with third-party continuous monitoring, Crowe conducted a benchmarking survey with various TPRM leaders in the life sciences industry. In response to the survey, 0% of participants stated that their organizations regularly use continuous monitoring solutions to identify emerging risks with their third parties. As far as the reasons why, most participants stated that their organization lacked a defined strategy on how to effectively build and mature their continuous monitoring programs.

In today’s market, countless continuous monitoring solutions exist, and they address a variety of risk domains. Due to the seemingly endless options with solutions, TPRM professionals can quickly become overwhelmed, leading to a stalled implementation of continuous monitoring of their third parties.

Following are recommendations for building an effective continuous monitoring program and aligning it to TPRM programs while managing the resulting noise organizations often face.

Prioritizing risk domains

When building an effective continuous monitoring program, one of the most important questions a TPRM professional must consider is "What risk domains should we address?" TPRM programs might already address multiple risk domains, such as information security, privacy, quality, financial, anti-bribery and corruption, and many others. While numerous continuous monitoring solutions exist to address these risk domains, organizations often make a crucial mistake when building their programs: attempting to address too much, too quickly.

A common concern among new clients is that they are overwhelmed by the sheer number of alerts from their continuous monitoring program. An unwieldy number of alerts can occur when organizations attempt to address too many risk domains without the supporting resources or an established program for those domains. Rather than maturing their TPRM programs, organizations with an unmanageable number of alerts often begin ignoring their continuous monitoring programs, which defeats the purpose of both programs.

Instead, TPRM leaders should align their continuous monitoring programs to their organization’s overall risk management strategy, prioritizing their most significant risk domains. As an example, if an organization prioritizes information security risks over other risks, implementing a cybersecurity monitoring solution might be an appropriate first phase for the program, addressing other risk domains later as the program matures.

No matter an organization’s risk management strategy, starting small with the continuous monitoring program can often lead to more effective results and provide a stronger foundation for future program maturity.

Identifying and selecting solutions

Most organizations cannot operate effectively without effective technology, and the same applies to the continuous monitoring of third parties. After identifying prioritized risk domains, organizations should evaluate the available continuous monitoring solutions, identifying and reviewing those that best meet their needs.

First, organizations should consider any requirements to integrate with their existing risk management solutions. Many of the continuous monitoring solutions available integrate with commonly used governance, risk, and compliance (GRC) and TPRM platforms. However, understanding the integration process is vital, as the continuous monitoring solution provider’s familiarity with existing risk management solutions could be the differentiating factor.

Next, organizations should request demos of each continuous monitoring solution under consideration. During the demo, organizations should confirm that the solution addresses all required capabilities as aligned to their risk management strategy.

Each continuous monitoring solution varies in capabilities, out-of-the-box functionality, and user interfaces. However, minimizing the need to customize by selecting the solutions that best align to current processes and needs can save time and frustration when building a continuous monitoring program.

Confirming in-scope third parties

Based on the prioritized risk domains and selected continuous monitoring solutions, organizations then need to confirm the third parties in scope for the program.

When determining the in-scope third parties, organizations should first evaluate their third-party inventory, comparing the inventory against their contract management system (CMS) to confirm each third party is under an active contract. A best practice is to integrate the continuous monitoring solutions with the CMS or procurement system to automatically deactivate third parties when contracts expire and data is no longer being held by the third party. If such an integration isn’t feasible, the organization should develop a process to perform a periodic review of the status of contracts.

Next, organizations should assess third parties’ risk levels to determine the third parties in scope. Typically, organizations perform continuous monitoring on third parties that are ranked as high and medium in risk, but this process can vary depending on the in-scope risk domains and the size of the organization. If the organization lacks an existing third-party risk ranking process, it can implement an inherent risk assessment to initially group each third party by risk ranking.

Not all third parties should be in scope for the continuous monitoring program, and organizations should weigh the costs and benefits of including each one. Monitoring every third party can reduce rather than support the effectiveness of the overall TPRM program if valuable resources are spent continuously monitoring third parties that pose only limited risk.

Categorizing in-scope third parties

After determining the in-scope third parties, organizations should then further categorize the third parties within the continuous monitoring solution based on the organization’s risk ranking process. Higher-risk third parties require more scrutiny and attention than medium-risk third parties. Confirming that the continuous monitoring solution properly segments each third party by risk ranking can strengthen efforts in rightsizing the program.

Organizations should also categorize in-scope third parties by the services provided within the contracted engagement. As an example, organizations should not monitor third-party cloud hosting providers in the same manner as on-premises solution providers.

By categorizing the in-scope third parties in the continuous monitoring solution, organizations can more effectively identify emerging risks with the third parties, with each category denoting a different set of potential risks while directing attention away from the nonapplicable risks for that category.

Setting alerting thresholds

The final step for implementing an effective continuous monitoring program is setting appropriate alerting thresholds. Various factors can influence these alerting thresholds, including the types of events, event frequency, significant drops in a calculated score, or a periodic review cadence. These alerting thresholds should also be specific to the categorizations of the in-scope third parties.

Even after setting alerting thresholds, false positive alerts will still occur. If organizations are unable to identify false positives, their TPRM professionals might waste resources on out-of-scope events. When a false positive is identified, the TPRM team should document the event and determine how to recognize similar false positives in the future, refining the alert thresholds if needed to limit future false positive alerts while still identifying true risks.
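As an added example (not from the article or any vendor's product), the following Python triage routine applies the approach described in the categorization and alerting sections: thresholds keyed by risk tier and service category, events dropped for third parties without an active contract or outside the monitored tiers, and documented false-positive patterns suppressed before they reach the TPRM team. Vendor names, scores, event types and threshold values are all constructed assumptions.

```python
# Constructed, illustrative thresholds keyed by (risk tier, service category): the score
# drop and the monitored-event count that trigger an alert, plus the event types each
# category is watched for. Higher-risk and cloud-hosted parties get tighter limits.
THRESHOLDS = {
    ("high", "cloud_hosting"):   (5, 1, {"breach", "vulnerability", "financial"}),
    ("high", "on_prem"):         (10, 2, {"breach", "financial"}),
    ("medium", "cloud_hosting"): (10, 3, {"breach", "vulnerability"}),
    ("medium", "on_prem"):       (15, 2, {"breach"}),
}

def triage(parties, events, false_positives):
    """parties: (name, tier, category, active_contract); events: (vendor, kind, score_before, score_after).
    Returns (vendor, reason) alerts that pass the category-specific thresholds, in feed order."""
    in_scope = {name: (tier, cat) for name, tier, cat, active in parties
                if active and (tier, cat) in THRESHOLDS}  # expired contracts and low tier drop out
    seen, alerts = {}, []
    for vendor, kind, before, after in events:
        if vendor not in in_scope or (vendor, kind) in false_positives:
            continue  # out of scope, or a documented false-positive pattern
        max_drop, max_events, kinds = THRESHOLDS[in_scope[vendor]]
        if kind not in kinds:
            continue  # not a risk this category is monitored for
        seen[vendor] = seen.get(vendor, 0) + 1
        drop = before - after
        if drop >= max_drop:
            alerts.append((vendor, f"{kind}: score dropped by {drop}"))
        elif seen[vendor] == max_events:  # frequency threshold reached for this window
            alerts.append((vendor, f"reached {max_events} monitored events in window"))
    return alerts

# Constructed sample inventory and monitoring feed; names and scores are made up.
PARTIES = [
    ("AcmeCloud", "high", "cloud_hosting", True),
    ("LegacyERP", "medium", "on_prem", True),
    ("OldVendor", "high", "cloud_hosting", False),  # contract expired: deactivated
    ("OfficeSupply", "low", "on_prem", True),       # low risk: not monitored
]
EVENTS = [
    ("AcmeCloud", "news", 90, 89),           # ignored: type not monitored for this category
    ("AcmeCloud", "vulnerability", 89, 82),  # drop 7 >= 5: alert
    ("LegacyERP", "vulnerability", 80, 70),  # ignored: medium on-prem only watches breaches
    ("LegacyERP", "breach", 70, 60),         # drop 10 < 15, first event: no alert yet
    ("OldVendor", "breach", 60, 20),         # ignored: expired contract
    ("OfficeSupply", "breach", 60, 20),      # ignored: low-risk tier
    ("AcmeCloud", "financial", 82, 70),      # suppressed: documented false positive
    ("LegacyERP", "breach", 60, 55),         # second monitored event: frequency alert
]
FALSE_POSITIVES = {("AcmeCloud", "financial")}  # documented: filings misattributed to the vendor

def demo():
    return triage(PARTIES, EVENTS, FALSE_POSITIVES)
```

Widening a threshold later is a one-line change to THRESHOLDS, while the documented false-positive set grows as the team reviews alerts.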

Overall, organizations should remember that the alerting thresholds should identify potential emerging risks with third parties without overwhelming the TPRM practice with alerts. Organizations can always modify and widen alerting thresholds, but limiting the number of initial alerts will allow your team to test the accuracy of the third-party categories, confirm the appropriateness of the thresholds, and configure reports and dashboards to present to senior management while appropriately managing the noise of continuous monitoring as the program matures.

Final thoughts

Continuous monitoring of third parties can be a resource-intensive effort for any organization. However, using a risk-based approach, aligning to your organization’s risk management strategies, and starting small will enable you to build a more efficient and effective continuous monitoring program, allowing your organization to better identify and respond to emerging risks with third parties before the risks further distract your organization from its objectives.

Need help building or managing your continuous monitoring program for third parties? Interested in participating in our TPRM benchmarking surveys? We would love to connect with you.

As a member of the Crowe Global network, our team has access to more than 1,000 risk consultants around the world, and we can help you plan, build, and run a third-party risk management program that fits your business needs.

Contact us

Brad Gilliat, Principal, Consulting
Blake Gardner, Consulting