OVERVIEW
EXECUTIVE SUMMARY
The Third-Party Security Risk Management Playbook (Playbook) is the definitive study of third-party security risk management practices. Based on in-depth interviews with risk executives from 30 domestic and global firms, it reveals the real-world capabilities and practices employed to manage third-party cyber risk, distilled into 14 capabilities with 72 common, emerging, and pioneering practices.
Compare your own program with the Playbook data about what other organizations are doing. Use it to identify your own goals and objectives, and refer to the Playbook to determine which capabilities and practices make sense for you.
The Playbook data show that there is a common set of widely adopted third-party risk management practices, founded on strong program management practices and periodic risk assessments rooted in questionnaire-based information collection and analysis. However, innovative organizations are aggressively breaking out of the traditional periodic, attestation-centric model, developing capabilities to gain continuous insight into third-party risk and to act on that information. They are seeing promising results from their early efforts in these areas, reporting better risk outcomes and better scale.
The Playbook focuses on capabilities and practices unique and interesting to third-party risk management. Common business management practices such as budgeting and staffing, while prerequisite to the success of third-party risk management, are intentionally excluded.
ACKNOWLEDGEMENTS
Thank you to the executives from 30 enterprises leading third-party risk management initiatives who shared their program practices and expert insight to provide this Playbook. They each joined in third-party risk round table discussions, participated in formal interviews, and reviewed drafts to bring this study to publication.