Obtaining Buy-In for Your Third-Party Risk Management Program

Third-party risk management breaches have been snowballing in recent months with no clear end in sight. However, too many healthcare organizations have maintained a status quo approach to their Third-Party Risk Management (TPRM) and Vendor Risk Management (VRM) programs.

As the saying goes, “insanity is doing the same thing over and over and expecting different results”. It’s time for healthcare entities to make major investments in the people, process, and technology required to meaningfully reduce the risks introduced by third-party vendors. Those investments often require the buy-in of multiple stakeholder groups within the organization in order to release the funding and political willpower necessary to effectively address third-party risk management.

This blog provides recommendations for delivering messaging to key stakeholder groups within healthcare entities to make the business case for further investments in third-party risk programs.

Boards & Steering Committees

The good news is that most healthcare boards in 2022 have some degree of awareness of third-party risks as a result of the litany of news stories about supply chain breaches. However, awareness does not always translate into funding and prioritization.

Here are some key messages to help convey the urgency and necessity of investing in third-party risk programs:

  • Provide a summary of recent third-party vendor breaches, including those that have impacted organizations similar to your own or that have been “near misses” for your own organization. Examples in 2021-2022 may include Microsoft Exchange and Office 365, Kaseya, SolarWinds, Kronos, Accellion, Log4j, etc. CORL publishes a recurring blog series which highlights the most recent healthcare third-party risk breaches and can serve as a useful input to these discussions. Here are some recent examples that can be leveraged for your discussions:
  • Highlight the impact to operations and patient safety. The healthcare industry has moved critical business and clinical operations to the cloud and third-party platforms, including Electronic Health Records, finance and billing systems, and more. This means that concern about vendor breaches is less and less about compliance exposures and more about limiting impacts to the availability and integrity of the essential systems used for the routine delivery of care.
  • Quantify the financial impact. The costs of healthcare breaches are well documented. Leverage statistics and the latest financial loss figures to make the case for the multi-million-dollar cost of breach events and highlight the high volume of breaches that are caused by third-party vendors. Here are some good resources for quantifying healthcare breach costs:
  • Connect the dots on sources of ransomware infections. Ransomware infections can result from direct attacks on healthcare organizations or can result from attacks on third-party vendors that maintain network connections to healthcare entities. Even if healthcare organizations are not targeted directly, the downtimes and outages of strategic third-party vendors can have devastating consequences to business operations, patient safety, and financials.
  • Explain potential HIPAA compliance and regulatory exposures. Federal and state governments have been turbocharging the drafting of regulations for third-party risk management in recent months. This activity comes on the heels of several years of HIPAA Security Rule enforcement focus on business associates from the Office for Civil Rights (OCR). The following resources can help you outline the emerging regulations and the penalties for non-compliance in third-party risk:
  • Highlight emerging trends in third-party risk management. Leverage resources, including the following summarized trends and predictions for TPRM this year, to provide context for your requests for financial and other support.

CIOs and CISOs

In addition to the points provided above for board and committee-level stakeholders, the following considerations and talking points can be leveraged with CIO and CISO stakeholders to obtain support and buy-in for your TPRM program.

  • Free up security teams through TPRM automation, workflow optimization, and managed services. TPRM teams cannot keep up with the volume of vendor assessments. Constraints on human capital for cybersecurity and TPRM programs have never been higher. Security teams are spending too much time on vendor risk data collection, communicating with and hounding vendors, and producing reports rather than focusing on true risk management activities. Investments in TPRM automation, workflow, and managed services can improve the quality of assessment data and remediation results and free up security teams to work on other high-priority initiatives.
  • Improve availability of critical systems. Third-party vendor breaches can introduce devastating outages to critical business functions and systems for weeks and months on end. The ability to keep business continuity flowing depends on developing a robust TPRM program that can evaluate risk up front, take meaningful action on vendor selection and remediation, and reduce the likelihood and impact of vendor-related downtime.
  • Reduce turnaround times for assessments. Investments in automation, workflow, and managed services can reduce turnaround for third-party risk assessments from weeks to days.

Compliance & Legal Counsel

Third-party vendors have access to staggering amounts of sensitive information, including Protected Health Information (PHI). Vendor breaches can introduce material legal and compliance consequences for healthcare entities. Examples of regulatory, compliance, and legal impacts include:

  • HIPAA Security Rule compliance
  • Office for Civil Rights (OCR) enforcement for business associate compliance
  • Class action lawsuits
  • State regulations
  • Global regulations including GDPR
  • Cyber liability coverage and premiums

The following resources can help you outline specific legal and compliance challenges, costs, and remedies for third-party risk management:

Procurement

Lengthy vendor security reviews are costing businesses time and money and generating frustration on all sides. Third-party risk management teams are unable to keep pace with the breakneck speed at which the business operates.

As a result, security teams can often be viewed as an obstruction to the business and procurement cycles. Key messaging to procurement stakeholders should explain how investments in your third-party risk management capabilities will increase throughput and speed so the business can operate with minimal friction from vendor security risk assessments.

Here are some specific points to make with procurement stakeholders:

  • Reduce turnaround times for assessments. Investments in automation, workflow, and managed services can reduce turnaround for third-party risk assessments from weeks to days.
  • Show the stats. Here are some example statistics for typical third-party risk management program performance:
    • 5-10 business days is the most common target time frame to complete vendor risk assessments
    • 20-40 business days is the median time for actual vendor risk assessment completion
    • 5,800+ is the average number of third-party vendors used by a typical enterprise
    • 15,000 hours a year is the amount of time third-party vendors spend completing security assessments
    • 1 in 5 vendors pose a high inherent risk and potential for material impact to the business

A good resource to reference when speaking with procurement stakeholders is CORL’s infographic: The Need for Speed in Vendor Risk Assessments.

CORL Can Help: Let Us Help You Craft and Deliver Your Messaging

You are not alone. CORL’s team of third-party risk management experts can help you obtain buy-in across the organization for your TPRM program. Here are some points that can be shared to help qualify our opinion and help you gain support for your TPRM program:

  • Data Reuse and TPRM Assessment Exchange
    • CORL has already assessed over 80,000 healthcare vendors
    • Assessment data reuse delivers rapid assessment turnarounds
    • Validated third-party risk assessment data provides risk results that you can trust without further follow-up with vendors
  • Automation
    • CORL’s vendor portal and automated workflow accelerate assessment data collection, analysis, and reporting
    • Automation allows CORL to scale assessments to cover your full vendor portfolio
  • Workflow & Process
    • CORL’s inherent risk intelligence for vendor types, tiering and prioritization, and remediation follow-up accelerate vendor risk management cycles
  • Technology Integration
    • CORL integrates with technology solutions including GRC platforms, scorecards, and other solutions to get the right information in the right format to drive quick risk decisions
  • Managed Services
    • CORL’s elite team of specialized third-party risk management professionals get results in rapidly assessing vendors and driving them to remediate known risks
    • CORL delivers best practices for third-party risk management that are optimized for speed and efficiency

Third-party risk management exposures are not going away any time soon. Hopefully these talking points can help you get the necessary conversations moving forward to obtain buy-in for investments in your third-party risk management program.

Contact our team here at CORL to learn more about our managed services and next-generation exchange for healthcare vendor risk data that gets results and lowers third-party risks.
