Too many organizations around the world take a "bare minimum" approach to third-party risk management, says Jonathan Ehret, founder of the Third Party Risk Association.
"There are a lot of organizations I have spoken to that think they have a robust program in place, when, in reality, it is not robust at all," Ehret says in an interview with Information Security Media Group. "They're doing the bare minimum - what I call 'check the box' auditing. ... They may not know what depth they need to get into."
Sharing information on third-party risks can play an important role in risk mitigation, he adds.
In this interview (see audio link below photo), Ehret also discusses:
Common mistakes made in vendor risk management;
Whether a global third-party risk framework would work;
Risk factors to keep in mind after mergers and acquisitions.
Ehret is the president and co-founder of the Third Party Risk Association, an Ankeny, Iowa-based non-profit professional association for third-party risk practitioners and vendors. He has more than 20 years of experience, the last 15 years specializing in information risk. He has helped to grow and mature various third-party risk teams in the finance and healthcare industries.