Developing a Robust Third-Party Risk Management Program
Jonathan Ehret of Third Party Risk Association Offers Tips
Too many organizations around the world take a "bare minimum" approach to third-party risk management, says Jonathan Ehret, founder of the Third Party Risk Association.
"There are a lot of organizations I have spoken to that think they have a robust program in place, when, in reality, it is not robust at all," Ehret says in an interview with Information Security Media Group. "They're doing the bare minimum - what I call 'check the box' auditing. ... They may not know what depth they need to get into."
Sharing information on third-party risks can play an important role in risk mitigation, he adds.
In this interview (see audio link below photo), Ehret also discusses:
- Common mistakes made in vendor risk management;
- Whether a global third-party risk framework would work;
- Risk factors to keep in mind after mergers and acquisitions.
Ehret is the president and co-founder of the Third Party Risk Association, an Ankeny, Iowa-based non-profit professional association for third-party risk practitioners and vendors. He has more than 20 years of experience, the last 15 years specializing in information risk. He has helped to grow and mature various third-party risk teams in the finance and healthcare industries.