An effective third-party risk management program starts with asking the right questions, says Brad Keller, chief strategy officer and senior vice president, the Santa Fe Group, a strategic advisory company.
"It starts with: What risks am I taking on?" Keller says in an interview with Information Security Media Group. "What am I exposing my company to? And what kind of controls do I have to put in place? This goes all the way through to: What happens if I have to replace this vendor?"
In this interview, Keller also offers insights on a number of other vendor risk management topics, including:
- How various business units within an organization can help manage third-party risks;
- How to manage fourth-party (subcontractor) risks;
- The role of continuous monitoring services;
- How to form a vendor risk management team.

Keller is chief strategy officer and senior vice president at the Santa Fe Group, which develops a third-party risk assessment program. He led the development of the Shared Assessments Vendor Risk Management Maturity Model and the Certified Third Party Risk Professional program. During his years in banking, Keller was responsible for risk management, privacy and regulatory compliance, including third-party oversight.