What Is Third-Party Risk Assessment, and How Can You Do It?

Today, insurance companies and investment enterprises tend to prioritize third-party risk management in the wake of several global trends: accelerated outsourcing in a milieu of increased prices, dependence on digital technology, and the awareness that many organizational breaches originate from trusted vendors who have themselves been compromised.

That is why third-party risk assessments and risk management programs have become imperative.

What is Third-Party Risk Assessment?

To understand the definition and necessity of third-party risk assessment, you must first note the causes of third-party risks. Various organizations, depending on their capacity, outsource certain operations to third parties. Those third parties may include suppliers, vendors, sub-contractors, contract manufacturers, resellers, distributors, partners, captives, or affiliates.

Why do some organizations outsource certain operations?

To decrease expenditures; accelerate production, distribution, and sales; or to increase profits, all of which lead organizations to have competitive advantages in their respective industries. Most commonly, organizations outsource to allow them to focus on their core areas of expertise and to leverage the expertise of these providers to incorporate into their overall offerings.

So, once you have these third parties incorporated in support of your service offerings, how can you come up with a risk management program for your organization?

Enter third-party risk assessment, which will aid your organization in gauging how risky each of these third parties is, and on what terms. With a well-designed risk assessment program, your business will be able to reduce third-party risks to your operations and growth.

Why Should You Do a Third-Party Risk Assessment?

Creating and maintaining third-party relationships are associated with multiple risks.

What kinds of risks?

Reputation, strategy, management, information security, and economic burdens. Other risks include data compromise, illegal use of information by third parties, the detrimental and damaging effects of non-compliance, and irregularities in supply chain management.

Particularly, the globalization of industrial operations has led third parties to emerge throughout the world. In turn, the graph of operation- and distribution-related risks has seen an upward trend.

Any natural, artificial, or deliberate disruption in any part of the modern world adversely affects the production and services offered by enterprises.

If a multinational enterprise lacks a strong risk management program to tackle such third-party risks, it may suffer economic as well as reputational losses. This creates the need for efficient risk assessment and risk management and entails the search for effective associated assessment services.

How to Perform a Third-Party Risk Assessment

Now that you have a better understanding of risk management, what a third-party risk assessment is, and why you should do one, let’s take a look at the step-by-step process of how you can perform one.

1. Establish Vendor Risk Criteria

Create a list of vendor risk criteria. It should include the most destructive third-party risks that your organization could possibly face.

For instance, enterprises managing or outsourcing confidential data should have various information security risks as part of their vendor risk criteria.

This, in turn, informs your organization’s risk assessment scope. Additionally, it impacts your actions and strategies and the techniques you will use for a third-party or vendor risk assessment. Based on such risk criteria, you can also narrow down your third-party or vendor choices.

This brings you to the next step for your risk management program: classifying vendors. Basically, you create an actionable list of high-risk third parties with whom you will perform risk assessments.

2. Conduct Third-Party Onboarding and Screening

To predict and protect against any possible risk, you must create a detailed picture of third-party or vendor relations. The first step is to mandate standard processes of risk management throughout your company.

Experts suggest that you construct a third-party risk management program with a framework that will standardize all third-party onboarding and screening. If possible, you can also use a thorough approach of real-time risk checking and containment measures.

Well-designed frameworks for your risk management program offer a win-win situation:

You can keep abreast of any probable third-party risks (and risky vendors) prior to risk assessments. Furthermore, a framework for your risk management program will help you optimize time and undertake insightful risk assessments.

3. Make Risk Assessments Easier to Manage

Because the quality of your assessment directly impacts your risk management program, you must ensure that quality; simple check-box assessments do not suffice. For this purpose, you must comprehensively analyze whether any vendor is risky, why it is, and how you (or they) can address those risks.

Thereafter, an agreement with a risky third-party will warrant meticulous and consistent monitoring.

Next, you will require specialized experts who will aid in the analysis of the data you have gathered. For example, professionals from policy, tech, cybersecurity, or account backgrounds can conduct holistic analyses and issue detailed reports. Today, powerful organizations deploy entire teams for such risk analysis programs.

4. Assess Performance Results, Not Only Risks

Results are symptoms of whether and to what degree your third-party relations are risky. For instance, information security ratings will enable you to consistently supervise your vendors’ compliance and unpredictable risks.

In case you have contracts with multiple third parties, keeping tabs on their information security and compliance scores will:

  • Enhance and ease third-party risk assessment;
  • Note any faults with security posture; and
  • Demand solutions to risky problems of the involved third parties.

5. Leverage the Power of Technology

Capital and resource availability are essential prerequisites for undertaking vendor risk assessments. To save on expenditures, you should consider purchasing and deploying software that eases the entire process of third-party risk assessment and management.

As a technology that provides assessment services, it will also standardize a cross-departmental framework for risk assessment in your organization.

Technology utilization is crucial to conducting holistic and thorough risk assessments and management.

Why?

For a number of reasons, including:

  • It gives you control over a platform through which you can regularly supervise any number of third parties and the related risks.
  • It increases your ability to predict and analyze internal and external third-party risks while influencing your assessment scope.
  • It helps you collect and macro-analyze solid data on third-party risks over multiple assessments, which will enhance your organization’s future decisions about any vendor.
  • It enables you to gauge the efficacy of risk assessment metrics, which marks the quality and reliability of your data.

Ready to Get Started with Your Third-Party Risk Assessment?

Regardless of the size of your company, you will likely maintain business relationships with many third parties who will help you streamline your operations.

However, exchanging operational data and confidential information with third parties can make that data and information vulnerable to misuse and exploitation, adding risk to the equation, especially if the parties in question are lacking in optimum information security measures or compliance.

This makes it necessary for you to work on a risk management program.

As a stakeholder, it is your responsibility to conduct thorough third-party risk assessments to protect your company from risky businesses and supervise their operational standards and results at multiple levels.

About Author:

Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.

Translated from: https://towardsdatascience.com/what-is-third-party-risk-assessment-and-how-can-you-do-it-ef3c69a6e0ce
