Cyberattacks caused by supply chain vulnerabilities mean organizations need a renewed perspective on how to address third-party security.
In a developing market, third-party risk management (TPRM) software and tools could be the answer to helping organizations fill the gap. Also known as vendor risk management (VRM), TPRM goes beyond the general risk management and governance, risk, and compliance (GRC) solutions by specializing in the onboarding, risk assessment, and due diligence for organizations working with third parties.
This article looks at the top third-party risk management vendors and tools and offers a look into TPRM solutions and what buyers should consider before purchasing.
Best Third-Party Risk Management (TPRM) Tools
Aravo Solutions
Launched in 2000 to address the growing need for enterprise supplier management, Aravo Solutions now offers SaaS-based supplier information management (SIM) technology. Aravo’s TPRM solution comes in three product tiers (Express, Standard, and Advanced) for organizations of varying size and complexity. Features include intake of new vendors, automated risk assessments, and due diligence workflows.
On Gartner Peer Insights, Aravo currently holds an average score of 4.6/5 stars with 21 ratings. Aravo’s highest reviews and ratings cited pricing and contract flexibility, configurability, and expert consultation in vendor risk evaluation. Aravo was named a Leader in the Forrester Wave for TPRM and a Challenger in the Gartner Magic Quadrant for IT VRM Tools in 2020.
BitSight Security Ratings Platform
Ten years after BitSight became a pioneer in the security ratings space, the Boston-based company holds 32 patents and has rated over 40 million companies. Using proprietary algorithms and daily updated security ratings, the BitSight Security Ratings Platform helps organizations in a handful of areas, including third-party risk management. BitSight also integrates with VRM platforms such as ServiceNow and ProcessUnity, so its ratings can feed an organization’s existing vendor risk workflows.
On Gartner Peer Insights, BitSight holds an average score of 4.5/5 stars with 183 ratings. BitSight’s highest reviews and ratings cited timeliness of vendor response to product questions and patching cadence. BitSight is a Leader in the Forrester Wave report for Cybersecurity Risk Rating Platforms in 2021.
Black Kite Cyber Risk Rating System
With roots in NATO’s cybersecurity efforts and ethical hacking methods, Black Kite launched in 2016 to build a cyber risk rating platform capable of identifying, monitoring, and scaling risk management for third parties. The Black Kite platform applies common frameworks developed by MITRE to calculate ratings, assign grades, and communicate financial and compliance implications. Using the Open FAIR model, Black Kite can provide data-backed forecasts of potential risk impacts.
On Gartner Peer Insights, Black Kite holds an average score of 4.7/5 stars with 37 ratings. Black Kite’s highest reviews and ratings cited timely responses, ease of deployment, and its controls for assessing, validating, and monitoring vendors. Black Kite is a Contender in the Forrester Wave report for Cybersecurity Risk Rating Platforms in 2021.
Galvanize ThirdPartyBond
Acquired in February 2021 by GRC vendor Diligent for $1 billion, Canadian vendor Galvanize offers a software platform for audit, risk, and compliance solutions. With the ThirdPartyBond solution, organizations get end-to-end third-party risk management with resources for vendor onboarding, automated evidence collection, and assessment surveys. ThirdPartyBond also tracks service level agreements (SLAs), maintains updated intelligence feeds, and provides reporting for senior management.
On Gartner Peer Insights, Galvanize holds an average score of 4.4/5 stars with 63 ratings. Galvanize’s highest reviews and ratings cited responses to product questions, integration and deployment, and increased efficiency. Galvanize was a Leader in the Forrester Wave’s TPRM report and the Gartner Magic Quadrant for IT VRM in 2020.
OneTrust Vendorpedia
A bona fide unicorn, OneTrust launched in 2016 to offer privacy management and marketing compliance solutions. To keep pace with a growing list of global regulations, the Atlanta-based compliance monitoring provider offers Vendorpedia to help organizations evaluate customer, employee, and vendor data transfers. Vendorpedia offers privacy impact assessments, data inventory mapping, remediation actions, and recurring audits through a web-based portal.
On Gartner Peer Insights, Vendorpedia holds an average score of 4.5/5 stars with 139 ratings. Vendorpedia’s highest reviews cite usability and access, quality of technical support, and automation for vendor management. In 2020, OneTrust was a Leader in the Forrester Wave’s TPRM report and the Gartner Magic Quadrant for IT VRM.
OneTrust also made our list of the Top Cybersecurity Companies for 2021.
Prevalent TPRM Platform
Started in 2004, Prevalent is an IT consulting firm specializing in governance, risk, infrastructure, and compliance technology. The New Jersey-based company offers a suite of third-party risk management solutions and software options, including inherent risk scoring, offboarding and termination, and vendor risk assessment and monitoring. With Prevalent’s sourcing and selection, organizations can reduce cost, complexity, and exposure from the start by picking trusted vendors.
On Gartner Peer Insights, Prevalent holds an average score of 4.4/5 stars with 57 ratings. Prevalent’s highest reviews and ratings cited integration and deployment, profile management, and technical support. Prevalent was a Strong Performer in the Forrester Wave’s TPRM report and a Leader in the Gartner Magic Quadrant for IT VRM in 2020. Prevalent is a Contender in the Forrester Wave report for Cybersecurity Risk Rating Platforms in 2021.
ProcessUnity Vendor Risk Management
ProcessUnity offers SaaS solutions for managing governance, risk, and compliance (GRC). With its Vendor Risk Management software, ProcessUnity enables organizations to assess, monitor, and conduct due diligence on business partners. Across the vendor risk assessment lifecycle, ProcessUnity’s VRM solution helps identify, manage, and remediate issues. The tool also includes periodic vendor performance reviews to track each vendor’s ongoing security posture.
On Gartner Peer Insights, ProcessUnity holds an average score of 4.5/5 stars with 91 ratings. ProcessUnity’s highest reviews and ratings cited timely support responses, product configurability, and added features. ProcessUnity was a Strong Performer in the Forrester Wave’s TPRM report and a Leader in the Gartner Magic Quadrant for IT VRM in 2020.
RSA Archer Insight
Encryption pioneer RSA Security’s products include their integrated risk management solution known as Archer. Specifically, Archer Insight is the enterprise-ready risk quantification software for aggregating risks and safeguarding the organization from disruption. Critical features for Archer Insight include customizable controls and risk indicators, risk profile metrics, and advanced visualization tools to compare risk consequences.
On Gartner Peer Insights, Archer holds an average score of 4.3/5 stars with 100 ratings. Archer’s highest reviews and ratings cited history and reporting, integration and deployment, and comprehensive management of third-party SLAs. RSA Archer was a Leader in the Gartner Magic Quadrant for IT VRM Tools in 2020.
SAI Global SAI360
Hailing from Sydney, Australia, SAI Global provides risk management, compliance, safety, and ethics software solutions. Its cloud-based platform, SAI360, is a configurable, modular platform built to compliance and uptime standards suited to enterprise risk management. SAI360 features include third-party risk screening, vendor profiling, automated due diligence, continuous monitoring, and analytics.
SAI Global was a Leader in the Gartner Magic Quadrant for IT VRM Tools in 2020.
SecurityScorecard
Considered a pioneer in the security ratings space, SecurityScorecard is an NYC-based cybersecurity service provider with patented rating technology. Counting over 1,000 organizations as clients and more than a million companies continuously rated, SecurityScorecard has come a long way in less than a decade. Organizations can analyze their digital footprint and fill cybersecurity gaps with instant risk ratings mapped to vendor cybersecurity questionnaire responses.
On Gartner Peer Insights, SecurityScorecard holds an average score of 4.5/5 stars with 190 ratings. SecurityScorecard’s highest reviews and ratings cited ease of deployment, customer support, and coverage of public-facing infrastructure risk. SecurityScorecard is a Leader in the Forrester Wave report for Cybersecurity Risk Rating Platforms in 2021.
ServiceNow Vendor Risk Management
The publicly traded cloud solution provider ServiceNow is one of the largest companies on our list and offers a broad suite of tools for enterprise operations. Launched in 2004, ServiceNow’s IT workflow suite suits organizations looking to bundle, and its GRC tools are also sold separately. Within that product line, ServiceNow’s Vendor Risk Management provides formal vendor tiering, integration of third-party security scores, and regular automated assessments and escalations.
On Gartner Peer Insights, ServiceNow VRM holds an average score of 4.3/5 stars with 84 ratings. ServiceNow’s highest reviews and ratings cited remediation and exception management, standard API integration, and contract efficiency. ServiceNow was a Leader in the Gartner Magic Quadrant for IT VRM Tools in 2020.
UpGuard Vendor Risk
Started in 2012, UpGuard offers a cyber resilience platform to help manage IT business risks. Using proprietary technology, UpGuard tests an organization’s IT infrastructure and forecasts the risk of future intrusions and outages. Its TPRM solution, UpGuard Vendor Risk, provides for the evaluation of third-party companies. Each vendor is assigned a CSTAR score from which the client organization can identify the vendor’s risk level and act accordingly. CSTAR scores can also serve as evidence for cybersecurity insurance. UpGuard also attempts to surface fourth-party risk exposure through its third-party assessments.
On Gartner Peer Insights, UpGuard holds an average score of 4.5/5 stars with 66 ratings. UpGuard’s highest reviews and ratings cited ease of deployment, access and user controls, and negotiable pricing. UpGuard is a Contender in the Forrester Wave report for Cybersecurity Risk Rating Platforms in 2021.
Venminder
Out of Elizabethtown, Kentucky, Venminder launched in 2003 and today is a SaaS vendor with a solution for streamlining third-party risk management. Venminder provides administrators with oversight and contract management frameworks, risk assessments, due diligence requirements, questionnaires, SLA management, vendor onboarding, and more. In the Venminder Exchange, clients can access the platform’s repository for assessments of vendor security status, SOC reports, contracts, financials, business continuity and disaster recovery, and more.
On Gartner Peer Insights, Venminder holds an average score of 4.7/5 stars with 97 ratings. Venminder’s highest reviews and ratings cited quality of end-user training, profile management, and evaluation and contracting. Venminder was a Challenger in the Gartner Magic Quadrant for IT VRM Tools in 2020.
What is Third-Party Risk?
Third-party risks are the vulnerabilities introduced by an organization’s supply chain partners. With the increasing globalization of markets, organizations can choose from a long list of competing international suppliers. Supply chains for IT and software development become even trickier with the use of open-source code and without adequate transfer of a software bill of materials (SBOM), which leaves the buyer unable to tell which components, and which known vulnerabilities, it has inherited.
Read more about future SBOM prospects in our coverage of the SolarWinds saga: Protecting Against Solorigate TTPs: SolarWinds Hack Defenses.
To manage third-party risk, a concerted effort by an enterprise’s compliance team can do the job, but the manual approach scales poorly as the number of vendors grows. For many organizations, a third-party risk management solution that automates intake, assessment, and monitoring is the better choice.
Trends in 3rd-Party Risk Management
- Supply chain compromises like SolarWinds and Kaseya raise awareness and alert levels surrounding vendor access, data loss prevention (DLP), and anti-fraud management.
- Federal institutions are actively seeking public-private partnerships and developing standards for regulating and reducing supplier risk.
- Purchase decisions remain based on economic competitiveness, outweighing the perceived risk of working with untrusted third-party suppliers.
Common 3rd-Party Risks
- Operational risks directly impact an organization’s ability to function. The Colonial Pipeline ransomware attack hit the company’s IT systems, leading it to shut down the pipeline and causing fuel shortages along the U.S. East Coast.
- Financial and reputational risks affect an organization’s budget, revenues, or brand. The integrity of an organization’s own products can depend heavily on a supplier’s contribution, so a supplier’s failure becomes the organization’s financial and reputational problem.
- Legal and regulatory risks speak to a growing list of governance and compliance standards resulting in civil or criminal consequences.
What are Third-Party Risk Management (TPRM) Solutions?
Third-party risk management (TPRM) solutions are software tools that provide processes, guidance, and programmatic features for managing third-party risk and relevant compliance standards.
TPRM solutions utilize data from ERP systems, GRC software, CRM tools, and supply chain management software to offer a collective look at vendor data concerning compliance objectives.
Why Do You Need Third-Party Risk Management?
Adopting digital systems – as widely beneficial as they’ve been – comes with inherent vulnerabilities, including the threat of breach, data loss, and human error. The risks noted earlier mean network stakeholders must protect sensitive data, from personal consumer information to proprietary records and intellectual property (IP).
While network infrastructure vulnerabilities have long been the responsibility of security and network professionals, supply chain vulnerabilities are a pressing concern because a single upstream compromise ripples out to every downstream customer. Without settled regulation or standards, which remain a work in progress, organizations must practice vigilance in safeguarding their privacy, operations, and reputation. With a universe of supply chain vendors interacting with an organization, TPRM tools reduce the effort of organizing, monitoring, and securing those relationships in support of business continuity.
Buying Considerations for TPRM Solutions
Now that you know our take on the best third-party risk management tools and vendors, here’s what you need to consider in evaluating TPRM solutions.
- How will the solution improve your third-party risk exposure?
- How does the TPRM enable compliance reporting and operational management?
- Does the vendor offer flexible pricing fit for scaling third-party exposure?
- What training, deployment, and implementation support comes with purchase?
- What integrations are compatible or are configurable for use?
- What advanced features make this TPRM solution stand out?
Features of TPRM
- Self-service portals for suppliers and vendors to provide pertinent documentation
- User-friendly reports on risk monitoring and risk exposure to inform action steps
- Processes and templates for supplier risk control, oversight, and assessments
- Continuous monitoring of vendor performance and changes to supplier risk status
- Structured steps for working with third-parties from sourcing to relationship termination
- Built-in compliance features for internal policies and external mandates for supplier risk
- Quantitative data to show progress in reducing third-party risk exposure
Taking estimates from Adroit Market Research, Markets and Markets, and Data Bridge Market Research reports over the last two years, the third-party risk management industry was valued at over $3 billion in 2019. With a CAGR up to 16%, the TPRM market expects to grow to $8 billion by 2025 and more than $12 billion by 2028.
TPRM market segments include:
- Audit management
- Compliance management
- Contract management
- Financial control management
- Managed TPRM services
- Operational risk management