Industry: Healthcare and Life Sciences
Solution Type: Cyber Risk Quantification
Needs: This large healthcare organization provides health insurance to over 3 million people. As part of its Information Security Program, its small but growing information security team needed to conduct a third-party assessment and engaged TUV Rheinland OpenSky. The organization needed to implement a vendor risk assessment and scoring system as part of its third-party risk assessment program. The engagement ran in three phases:
- Phase I: Definition of requirements. This phase involved defining taxonomy, mapping processes and identifying future capabilities.
- Phase II: Analysis. This phase involved analysis of available data sources, risk management processes, tools and other sources.
- Phase III: Development. This phase involved creating a risk quantification standard and vendor risk assessment tool.
Our team proposed developing a vendor risk quantification tool and model to help the client establish a repeatable and improvable process to implement and manage third-party risk.
With risk quantification and scoring capabilities, the client would be able to qualify and quantify the level of risk associated with a given vendor from the potential impact of a loss event and the probability of that event occurring.
Vendor Risk Quantification Tool: Our team designed a custom vendor risk quantification tool that lets the client quantify both the inherent risk of working with a third-party vendor and the residual risk that remains once the vendor's controls are credited. The tool also adds a third assessment vector: a score derived from publicly available information, used to monitor and assess vendors on an ongoing basis.
Model Risk Quantification: Our team conducted a deep dive into the client's Third-Party Risk Management (TPRM) program to help it develop a formal, risk-based quantification model for vendors. The model combines an inherent risk score, a TPRM assessment score and a score based on publicly available information into a single vendor risk rating.
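To make the three scoring vectors concrete, the following Python is an added illustrative model and not the tool or model built for this client; its structure, thresholds and sample vendors are assumptions. It treats inherent risk as expected annual loss (event probability times impact), residual risk as the inherent loss scaled by the share of required controls the vendor could not evidence in the TPRM assessment, and the public-information vector as a penalty multiplier on the residual loss, then ranks vendors for prioritization.

```python
"""Illustrative vendor risk quantification model.

Assumed, constructed example: the loss formula, rating bands and sample
vendors below are not the client's tool or model and carry no real data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Vendor:
    name: str
    records_in_scope: int       # e.g. member records the vendor can access
    event_probability: float    # assumed annual probability of a loss event, 0..1
    cost_per_record: float      # assumed impact per exposed record (currency units)
    controls_required: int      # controls the TPRM questionnaire expects
    controls_evidenced: int     # controls the vendor actually demonstrated
    external_score: float       # publicly observable posture, 0 (worst) .. 100 (best)


def inherent_loss(v: Vendor) -> float:
    """Inherent risk: expected annual loss before any vendor controls are credited."""
    if not 0.0 <= v.event_probability <= 1.0:
        raise ValueError(f"{v.name}: event_probability must be in [0, 1]")
    return v.records_in_scope * v.cost_per_record * v.event_probability


def residual_loss(v: Vendor) -> float:
    """Residual risk: inherent loss scaled by the share of required controls not evidenced."""
    if v.controls_required <= 0 or not 0 <= v.controls_evidenced <= v.controls_required:
        raise ValueError(f"{v.name}: invalid control counts")
    uncontrolled = (v.controls_required - v.controls_evidenced) / v.controls_required
    return inherent_loss(v) * uncontrolled


def external_adjusted_loss(v: Vendor) -> float:
    """Third vector: penalise residual loss by the gap in the public score (100 = no penalty)."""
    if not 0.0 <= v.external_score <= 100.0:
        raise ValueError(f"{v.name}: external_score must be in [0, 100]")
    return residual_loss(v) * (1.0 + (100.0 - v.external_score) / 100.0)


# Assumed rating bands on annual expected loss, checked from highest to lowest.
RATING_BANDS = [("Critical", 1_000_000.0), ("High", 250_000.0), ("Medium", 50_000.0)]


def rating(loss: float) -> str:
    for label, floor in RATING_BANDS:
        if loss >= floor:
            return label
    return "Low"


def prioritize(vendors: Iterable[Vendor]) -> List[str]:
    """Vendor names ordered by adjusted loss, highest first, for committee review."""
    return [v.name for v in sorted(vendors, key=external_adjusted_loss, reverse=True)]


# Constructed sample vendors (hypothetical names and figures).
SAMPLE_VENDORS = [
    Vendor("Constructed Imaging Vendor", 500_000, 0.05, 400.0, 10, 8, 70.0),
    Vendor("Constructed Billing Vendor", 20_000, 0.10, 400.0, 10, 3, 50.0),
]

if __name__ == "__main__":
    for v in sorted(SAMPLE_VENDORS, key=external_adjusted_loss, reverse=True):
        print(f"{v.name}: inherent={inherent_loss(v):,.0f} "
              f"residual={residual_loss(v):,.0f} "
              f"adjusted={external_adjusted_loss(v):,.0f} "
              f"rating={rating(external_adjusted_loss(v))}")
```

Keeping the three vectors as separate functions rather than one blended number is deliberate: a vendor with low inherent risk but a poor public score, or high inherent risk offset by strong evidenced controls, is visible as such to the governance committee instead of being hidden inside a single average.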
At the end of the day
Using the vendor risk quantification tool and model created by our team, this large healthcare organization can now score the risk of working with each vendor in a standard, disciplined and repeatable manner that can be improved over time. The client can evaluate the risk associated with its vendors and track the maturity of its TPRM program.
The assessment score and rating produced by the model give the organization's Vendor Governance and Oversight Committee a consistent basis for setting priorities.