Tracking key performance indicators (KPIs) will allow your organization to assess and elevate its third-party risk management (TPRM) program. By monitoring specific metrics over time, your risk management team will be able to reveal your TPRM program’s overall health and particular areas where personnel can implement changes to improve localized performance.
According to one 2023 study, about 98% of organizations worldwide are connected to at least one breached third-party vendor. TPRM is therefore a critical necessity for all but 2% of organizations, and many will succeed or fail based on the performance of their vendor risk management program.
Keep reading to discover 15 KPIs your organization should start tracking throughout 2024, the strengths and weaknesses these risk management metrics reveal, and key TPRM strategies to protect your team from the cybersecurity risks of your supply chain.
The Pillars of Third-Party Risk Management
Your organization's KPIs should reference all pillars of third-party risk management, including vendor selection, vendor due diligence and onboarding, ongoing vendor risk assessment, and vendor relationship management.
Before we introduce specific KPIs your organization should track, here’s a quick refresher on the main pillars of TPRM:
- Vendor Selection: Successful TPRM programs start with an effective vendor procurement process. Organizations with an effective vendor selection process utilize specific selection criteria to assess disparities between vendors, a vendor’s level of professionalism, potential reputational risks, and the overall impact a vendor may have on the organization.
- Vendor Due Diligence: The next phase of the third-party risk management process is vendor due diligence, which allows organizations to thoroughly examine the operational risks specific vendors present. Professional-level risk personnel use questionnaires, security ratings, and other tools to assess a vendor’s compliance with critical regulatory frameworks and overall security posture.
- Vendor Onboarding: During vendor onboarding, providers are tiered based on risk criticality, the organization sets expectations, personnel establish communication channels, and stakeholders create service-level agreements (SLAs) when necessary.
- Vendor Risk Monitoring: While organizations conduct vendor risk assessments before onboarding, successful TPRM programs implement strategies for ongoing risk monitoring throughout the vendor lifecycle. This pillar also includes workflows for risk mitigation and remediation.
- Vendor Relationship Management: Third-party relationships require ongoing work and attention. Effective vendor relationship management maintains communication, expectations, and performance throughout the vendor lifecycle.
UpGuard Vendor Risk can help your organization with all pillars of third-party risk management, including identifying new vendor risks, developing real-time solutions for improved business continuity and incident response, and visualizing your third-party risk exposure.
KPIs vs. KRIs
While risk professionals often throw around “KPIs” and “key risk indicators” (KRIs) in the same conversations, the terms refer to two different risk management metrics.
- KRIs: A KRI is a metric organizations use to monitor and assess potential risks. These metrics are early warning signs of specific risks and allow organizations to streamline mitigation workflows and solutions.
- KPIs: A KPI is a metric organizations use to monitor and assess the performance of teams, programs, and individual personnel. In TPRM, personnel use KPIs to track the effectiveness of an organization’s risk management framework and highlight the strengths and weaknesses of its VRM strategies.
15 KPIs To Track For Your Third-Party Risk Management Program
The KPIs your organization chooses to track should reveal the health of all TPRM phases. All TPRM phases can be studied by calibrating your TPRM program with KPIs to measure four specific areas: third-party risk, threat intelligence, compliance management, and overall TPRM coverage.
- Third-Party Risk: What level of risk does your supply chain present? Is this risk balanced across risk tiers?
- Threat Intelligence: How aware is your organization of the third-party threats it faces? What percentage of threats has your organization identified?
- Compliance Management: Does your organization meet compliance requirements across its third-party supply chain? Are outstanding compliance checks present across the organization’s third-party channels?
- TPRM Coverage: Has your organization identified all third-party vendors? Does your TPRM program cover third and fourth-party risks?
KPIs to Measure Third-Party Risk
Choosing the right metrics to measure third-party risk will allow your organization to perceive its overall level of risk. Here are the most important metrics to measure third-party risk:
- Average Vendor Security Rating: This metric reveals how risky your third-party ecosystem is and the level of risk the average vendor presents to your organization. If your organization’s average vendor security rating is high, you do business with many high-risk vendors and should implement strategies to plan accordingly.
- % of Suppliers By Risk Tier: Another key metric for revealing your organization’s overall level of risk, % of suppliers by risk tier, allows your organization to know what risk tiers it should prioritize. If all your vendors are grouped in one or two risk tiers, then you should recalibrate your risk tiers to provide more granular distinctions between vendors.
- % of Providers Who Fail Initial Risk Assessment: How many third-party providers fail your organization’s risk assessment? A high percentage may indicate your risk assessment is too strict, while a low percentage may reveal your team’s initial assessment is too lenient.
- Mean Time to Complete Initial Risk Assessment: How long do third-party vendors take to complete your initial risk assessment? If the mean time to complete is high, vendors may be less motivated to complete the risk assessment, or the questionnaire may need to be simplified. You can also measure this KPI at different vendor tiers to visualize how vendors react to the evaluation.
KPIs to Measure Threat Intelligence
By tracking KPIs to measure threat intelligence, your organization can assess its ability to identify, mitigate, and remediate risks effectively. Here are the most important metrics to measure threat intelligence:
- % of Third-Parties Monitored with Threat Intelligence: What percentage of third-party vendors does your organization monitor with a vendor risk management solution? How many vendors are on your TPRM dashboard, and what risk tier do these vendors belong to?
- Mean Time to Action (MTTA) After Risk Trigger: A high MTTA may reveal that risk personnel are overwhelmed or do not possess the training or resources to handle a specific type of threat.
- # of Incidents Reported: This metric can be tracked over various periods to reveal the efficiency of your organization’s threat intelligence team. If the # of incidents (data breaches, information security threats, etc.) reported continues to be high, you may need to invest in more resources or hire additional risk personnel to mitigate disruptions.
- # of False Positives Reported: Is your threat monitoring process tuned effectively? If your organization receives overwhelming false positives, you should thoroughly investigate your threat identification and monitoring process.
KPIs to Measure Compliance
Measuring compliance across a third-party supply chain can be challenging. However, by tracking several KPIs, your organization can better understand the compliance and data privacy risks its third-party relationships present. Here are the most important metrics to measure compliance:
- # of Third-Parties in Regulatory Scope: How many third parties are within the scope of a specific regulatory framework? If many vendors must comply with a particular framework, then your organization should spend more resources focusing on this framework.
- # of Outstanding Compliance Requirements: How many outstanding compliance requirements exist across the third-party supply chain? If one type of requirement is consistently not completed on time, then this requirement might be too challenging or need refinement to help vendors and personnel.
- Vendor Due Diligence Completion Rate: If the percentage of vendors who haven’t completed due diligence is high, your organization may expose itself to additional compliance risks.
- Average Time Between Risk Assessments: Your organization should strike a balance with its audit cadence. You don’t want to overwhelm vendors with risk assessments, but you also don’t want to let risks fall through the cracks by not sending follow-up assessments soon enough.
KPIs to Measure TPRM Coverage
Tracking KPIs to measure TPRM coverage is one of the only ways to visualize what percentage of your third-party supply chain your organization is actually monitoring. Here are the most important metrics to measure TPRM coverage:
- Mean Time to Onboard (MTTO): A short average onboarding time could reveal your organization’s process is not comprehensive enough to cover all risks fully. In contrast, a long average onboarding time could show your process is too complicated.
- % of Third-Parties Not Monitored: What percentage of your supply chain are you not monitoring using a VRM solution? Are all high-tier vendors observed?
- # of Unboarded Suppliers on Payroll: How many suppliers on your organization’s payroll have not been onboarded? Your organization may expose itself to additional risks and threats if it pays suppliers that never went through onboarding.
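As an added example (not code from the article or from UpGuard's product), the following computes the third-party risk, threat intelligence and TPRM coverage KPIs described above over a constructed vendor inventory. The vendor names, the 0–950 rating scale, the tier labels and the risk-trigger timestamps are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Vendor:
    name: str
    tier: str                    # risk tier assigned at onboarding (assumed labels)
    rating: int                  # vendor security rating; 0-950 scale assumed here
    assess_days: "int | None"    # days to complete initial assessment, None = never completed
    failed_initial: bool         # failed the initial risk assessment
    monitored: bool              # covered by continuous threat monitoring
    onboarded: bool
    on_payroll: bool

# Constructed sample inventory; every vendor and value is hypothetical.
VENDORS = [
    Vendor("cloud-host", "critical", 820, 9, False, True, True, True),
    Vendor("payroll-saas", "critical", 610, 21, False, True, True, True),
    Vendor("crm-vendor", "high", 740, 12, False, True, True, True),
    Vendor("print-shop", "low", 530, 30, True, False, True, True),
    Vendor("analytics-api", "high", 680, 15, True, False, True, True),
    Vendor("catering", "low", 450, None, False, False, False, True),
    Vendor("legal-firm", "medium", 790, 7, False, True, True, True),
    Vendor("staffing-agency", "medium", 700, None, False, False, False, False),
]
# Constructed risk triggers: (vendor, time the trigger fired, time an analyst first acted).
TRIGGERS = [
    ("cloud-host", datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 13)),
    ("analytics-api", datetime(2024, 3, 3, 10), datetime(2024, 3, 4, 10)),
    ("crm-vendor", datetime(2024, 3, 5, 8), datetime(2024, 3, 5, 10)),
]

def tprm_kpis(vendors, triggers):
    """Compute the risk, threat-intelligence and coverage KPIs over a vendor inventory."""
    onboarded = [v for v in vendors if v.onboarded]
    assessed = [v for v in vendors if v.assess_days is not None]
    tiers = Counter(v.tier for v in onboarded)
    pct = lambda part, whole: round(100.0 * part / whole, 1) if whole else None
    return {
        "avg_security_rating": round(mean(v.rating for v in onboarded), 1),
        "pct_by_tier": {t: pct(n, len(onboarded)) for t, n in tiers.items()},
        # only one or two populated tiers means tiering is too coarse to prioritise by
        "tiers_need_recalibration": len(tiers) <= 2,
        "pct_failed_initial": pct(sum(v.failed_initial for v in assessed), len(assessed)),
        "mean_days_to_complete_assessment": round(mean(v.assess_days for v in assessed), 1),
        "mtta_hours": round(mean((a - t).total_seconds() / 3600 for _, t, a in triggers), 1),
        "pct_not_monitored": pct(sum(not v.monitored for v in vendors), len(vendors)),
        # the coverage gaps that matter most: critical/high vendors nobody is watching
        "unmonitored_high_tier": [v.name for v in vendors if v.tier in ("critical", "high") and not v.monitored],
        "unboarded_on_payroll": [v.name for v in vendors if v.on_payroll and not v.onboarded],
    }
```

Running `tprm_kpis(VENDORS, TRIGGERS)` on the constructed data flags `analytics-api` as a high-tier vendor that is not monitored and `catering` as a paid supplier that was never onboarded, the two coverage gaps the KPIs above are meant to surface.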
How UpGuard Can Help With Third-Party Risk Management
UpGuard provides organizations with the tools to streamline their TPRM programs and manage the vendor lifecycle with automated workflows and intuitive vendor dashboards.
UpGuard Vendor Risk includes a complete toolkit of powerful features:
- Vendor Risk Assessments: Fast, accurate, and provide a comprehensive view of your vendors’ security posture
- Third-Party Security Ratings: An objective, data-driven, and dynamic measurement of an organization’s cyber hygiene
- Vendor Security Questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
- Stakeholder Reports Library: Tailor-made templates allow personnel to communicate security performance to executive-level stakeholders easily
- Remediation and Mitigation Workflows: Comprehensive workflows to streamline risk management processes and improve security posture
- Integrations: Easily integrate UpGuard with over 4,000 apps using Zapier
- 24/7 Continuous Monitoring: Real-time notifications and around-the-clock risk updates using accurate supplier data
- Intuitive Design: Easy-to-use vendor portals and first-party dashboards
- World-Class Customer Service: Professional cybersecurity personnel are standing by to help you get the most out of UpGuard and improve your security posture