TPRM Interview Questions and Answers

Class notes, uploaded by masoodali

1. What is the role of TPRM?

Third-Party Risk Management (TPRM) is the process of analyzing and minimizing
risks associated with outsourcing to third-party vendors or service providers. There
are many types of digital risks within the third-party risk category. These could
include financial, environmental, reputational, and security risks.

2. What are the 5 phases of third-party risk management?

It's a relationship that must be managed throughout the third-party management (TPM) lifecycle, from screening through onboarding, assessment, risk mitigation and monitoring to offboarding.

3. The goal of any third-party risk management program is to reduce the following
risks: Cybersecurity risk: The risk of exposure or loss resulting from a cyberattack, data
breach or other security incidents.

4. The six phases of an appropriate TPRM program address the entirety of the third-party
lifecycle, making it one of the most effective risk management strategies businesses have at
their disposal. These phases provide a framework for dealing with the overall risk of working
with third parties.

Managing third parties is more than a one-time assessment. It’s a relationship that must be managed throughout the third-party management (TPM) lifecycle, from screening, onboarding, assessment, risk mitigation, monitoring, and offboarding.

There are areas for automation throughout the lifecycle that can help your
organization streamline workflows and scale their TPM program, saving
time, resources, and reducing risk.

Why does the TPM lifecycle matter?


As security and risk management teams spent the last year adapting to
rapid digital transformation in the wake of increased, large-scale,
successful cyberattacks, TPM has become a key focus for organizations.
Security teams are receiving board-level pressure to implement
management programs, causing them to assess all aspects of their TPM
lifecycle.

When given a closer look, the importance of the role that the third party
and third-party risk assessments play in maintaining a strong security
posture across the organization is magnified. Despite the vendor
ecosystem being critical to mitigating risk throughout an enterprise, many
organizations aren’t appropriately assessing their third parties (and in
some cases, aren’t at all).
As a result, security teams — unless they own TPM — have little visibility
into their organization’s third-party ecosystem, how they’re used, and
what measures those third parties have in place to protect their data. This
leads to an increased risk in cybersecurity, privacy, ethics and
compliance, and environmental, social, and governance (ESG) concerns.
So, where should organizations start when pivoting to a TPM program built
around holistically understanding the lifecycle?

TPM programs and lifecycle


Organizations must have clear visibility into their vendor ecosystem, and
it starts with having a strong working knowledge of the TPM lifecycle.

The TPM lifecycle is a series of steps that outlines a typical relationship with a third party. TPRM is sometimes referred to as “third-party relationship management.” This term better articulates the ongoing nature of third-party engagements. Typically, the TPM lifecycle is broken down into several stages. These stages include:

 Third-party identification and screening
 Evaluation & selection
 Risk assessment
 Risk mitigation
 Contracting and procurement
 Reporting and recordkeeping
 Ongoing monitoring
 Third-party offboarding

Phase 1: Third Party Identification and Screening


There are many ways to identify the third parties your organization is
currently working with, as well as ways to identify new third parties your
organization wants to use. To identify third parties already in use and
build a third-party inventory, organizations take multiple approaches,
which include:

 Using existing information
 Integrating with existing technologies
 Conducting assessments or interviews
 Leveraging external risk ratings data

Many organizations screen third parties against sanctions lists and other
sources at this point to determine if there are any ethical or compliance
concerns that would make the relationship too risky to start.

Using this information, you can identify the unique risks that vendors may pose to your organization and choose an assessment and/or monitoring approach that matches the inherent risk of the relationship. Not all third parties are equally important, which is why it is critical to determine which third parties matter most. To improve efficiency in your TPM program, segment your third parties into criticality tiers.

Phase 2: Evaluation and Selection


During the evaluation and selection phase, organizations consider RFPs
and choose the third parties they want to use. This decision is made using
many factors that are unique to the business and its specific needs.

Phase 3: Risk Assessment


Third-party risk assessments take time and are resource intensive, which
is why many organizations are using a third-party risk exchange to access
pre-completed assessments. Others have focused on automating what
once were manual tasks across this portion of the lifecycle. Either way,
the primary goal of understanding the risks associated with the third party
is the same. These assessments leverage automated risk flagging to
identify issues based on third party responses.

When considering a TPM program, many organizations immediately think about cyber risks, but TPM entails so much more.

Phase 4: Risk Mitigation


After conducting a control assessment, risks can be calculated and
mitigation can begin. Common risk mitigation workflows include the
following stages:

1. Risk flagging and score designation
2. Evaluation of risk against your organization’s risk appetite
3. Treatment and control validation in the scope of your desired residual risk level
4. Continual monitoring for increased risk levels (e.g., data breaches)

When a third-party risk is flagged, automatically assign a risk owner to oversee remediation actions. Then, provide remediation advice within any delegated tasks based on the regulations, standards and frameworks embedded into your TPM lifecycle.

Phase 5: Contracting and Procurement


Sometimes done in parallel with risk mitigation, the contracting and
procurement stage is critical from a third-party management perspective.
Contracts often contain details that fall outside the realm of TPM. Still,
there are key provisions, clauses and terms that TPM teams should look
out for when reviewing third party contracts.
Phase 6: Reporting and Recordkeeping
Building a strong TPM program requires organizations to maintain
compliance. Maintaining detailed records in spreadsheets is nearly
impossible at scale, which is why many organizations implement TPM
software. With auditable recordkeeping in place, it becomes much easier
to report on critical aspects of your program to identify areas for
improvement.

A TPM program can automatically schedule reports to quickly generate and share key details with critical stakeholders. Additionally, use metrics as automation triggers. For example, when a new high risk emerges, automatically send a notification to the appropriate stakeholder.

Phase 7: Ongoing Monitoring


An assessment is a “moment-in-time” look into a third party’s risks;
however, engagements with third parties do not end there – or even after
risk mitigation. Ongoing monitoring throughout the life of a third-party
relationship is critical, as is adapting when new issues arise. There is a
growing field of risk data providers that can greatly enhance real-time
monitoring of your riskiest third parties.

Additionally, use contract or security certification expirations as automation triggers: for example, when a third party's security certification expires, automatically trigger an action (create a new risk, send a reassessment, or notify a stakeholder). The same applies to detected third-party breaches and sanctions hits.
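The tiering from Phase 1, the flag-and-assign-owner workflow from Phase 4 and the automation triggers from Phase 7 can be expressed as a small rules engine. The following is an added example, not OneTrust's code or any product's logic: the vendor records, the 1-10 scoring scales, the tier rules, the risk appetite per tier and the default owners are all assumptions made for the illustration.

```python
"""Added example (not OneTrust's code): a small rules engine that applies the
tiering, risk-flagging/owner-assignment and automation-trigger workflow described
above to a constructed vendor inventory. Vendor data, scoring scales, tier rules
and the risk appetite are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vendor:
    name: str
    inherent_risk: int              # assumed 1-10 inherent-risk questionnaire score
    handles_pii: bool               # vendor processes personal data on our behalf
    cert_expiry: Optional[date]     # expiry of security certification/report, None if none held
    residual_risk: int              # assumed 1-10 score after the control assessment
    breach_detected: bool = False   # fed by a breach / risk-data feed (assumed)
    sanctions_hit: bool = False     # fed by sanctions-list screening (assumed)
    owner: Optional[str] = None     # explicitly assigned risk owner, if any


@dataclass
class Flag:
    vendor: str
    kind: str
    action: str
    owner: str


# Assumed risk appetite: highest acceptable residual score per criticality tier.
RISK_APPETITE = {1: 3, 2: 5, 3: 7}
# Assumed default owner when nobody has been assigned to the relationship.
DEFAULT_OWNER = {1: "ciso-office", 2: "vendor-risk-team", 3: "procurement"}


def assign_tier(v: Vendor) -> int:
    """Segment into criticality tiers (Tier 1 = most critical). Assumed rule:
    high inherent risk or access to personal data means Tier 1."""
    if v.inherent_risk >= 8 or v.handles_pii:
        return 1
    if v.inherent_risk >= 5:
        return 2
    return 3


def evaluate(vendors: List[Vendor], today: date) -> List[Flag]:
    """Run the mitigation and monitoring triggers over the whole inventory."""
    flags: List[Flag] = []
    for v in vendors:
        tier = assign_tier(v)
        # When a risk is flagged, a risk owner is assigned automatically.
        owner = v.owner or DEFAULT_OWNER[tier]
        if v.sanctions_hit:
            flags.append(Flag(v.name, "sanctions", "escalate and block new business", owner))
        if v.breach_detected:
            flags.append(Flag(v.name, "breach", "send reassessment questionnaire", owner))
        if v.cert_expiry is not None and v.cert_expiry < today:
            flags.append(Flag(v.name, "certification-expired",
                              "request renewed certification; open new risk", owner))
        if v.residual_risk > RISK_APPETITE[tier]:
            flags.append(Flag(v.name, "above-appetite",
                              f"treat: residual {v.residual_risk} exceeds tier-{tier} "
                              f"appetite {RISK_APPETITE[tier]}", owner))
    return flags


def run_example() -> List[Flag]:
    """Constructed inventory; the evaluation date is assumed to be 2024-06-01."""
    inventory = [
        Vendor("PayrollCo", 9, True, date(2024, 1, 31), residual_risk=4, owner="hr-ops"),
        Vendor("CateringCo", 2, False, None, residual_risk=1),
        Vendor("CloudHost", 6, False, date(2025, 3, 1), residual_risk=5, breach_detected=True),
        Vendor("ShellTrading", 3, False, None, residual_risk=2, sanctions_hit=True),
    ]
    return evaluate(inventory, date(2024, 6, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.vendor:14} {f.kind:22} owner={f.owner:16} -> {f.action}")
```

Each flag carries the owner who must act on it, so the output can be routed straight into the delegated tasks described above; a vendor with no explicit owner falls back to a default per tier rather than going unowned. The residual-versus-appetite comparison is per tier, which is the practical reason for segmenting vendors first: the same residual score is acceptable for a Tier 3 supplier and a treatment item for a Tier 1 one.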

Phase 8: Third-Party Offboarding


A thorough offboarding procedure is critical, both for security purposes and for recordkeeping requirements. Many organizations have developed an offboarding checklist for third parties, which can consist of assessments sent both internally and externally to confirm that all appropriate measures were taken. Critical, too, is the ability to maintain a detailed evidence trail of these activities to demonstrate compliance in the event of a regulatory inquiry or audit.

Those who have an ability to leverage data, automate manual tasks and
set risk appetites will have an advantage over their peers in the next two
to three years, enabling risk-based business decisions at speed.

More About OneTrust


The OneTrust Third-Party Management solution makes it easier to
confidently work with third parties by reducing blind spots across trust
domains, enabling greater time to value when onboarding new third
parties, enhancing business resilience with ongoing monitoring, and
embedding data-driven decision-making into the third-party lifecycle.
5. What is the vendor life cycle?
The vendor management lifecycle describes each stage you complete while working
with a seller or service provider, from initial sourcing until you end the contract.

What is the vendor management lifecycle?



It provides a structured and consistent way to manage your relationships with vendors throughout your engagement.

3 stages of the vendor management lifecycle

The specific steps and actions within each stage of the vendor management lifecycle might vary from business to business.

But, we want to provide you with a good starting point to work from. Here are the
three main components included in the vendor management lifecycle:

1. Pre-contract
2. Contract
3. Post-contract

Read below for details on each stage and what they involve.

1. Pre-contract
The vendor management lifecycle begins when you recognize a good or service that
you’ll need to procure from a third party.

From there, you can engage in the pre-contract phase to help you find the right
vendor for your needs, which typically includes the following actions:

Identify potential vendors

First, you need to come up with a list of potential vendors who could supply the
goods or services you need.

Internally, set some criteria about the specific requirements or qualifications a vendor
should have to be considered, such as:

 Number of years of experience
 Pricing
 Certifications or licenses
 Good reputation in the industry

Then, you can start exploring your options with a simple online search, asking your
peers for recommendations, or attending trade shows.

Do some initial research on the vendors you identify during this process to see which
have the capabilities and values that align best with your business objectives.

Issue a request for proposal (RFP) or invitation to bid (ITB) to those that meet your
standards. Review their responses, and come up with a shortlist of suppliers you’d
like to proceed with.

Qualify and evaluate

You can evaluate and qualify vendors further with thorough due diligence. This step
will help you narrow down your list and make your final selection.

This is an important part of the vendor management lifecycle because it allows you
to assess supplier risk, ensuring you’re only working with companies that are
legitimate and reliable.

In other words, this is when you determine whether the vendor has the capacity to
supply the amount of goods or services you require.

Here is a list of some of the information and documentation you should request from
each vendor candidate for due diligence purposes:

 Legal business name
 Headquarters address
 Website
 Articles of incorporation
 Business license
 Tax ID
 Ownership structure
 Certificate of Good Standing
 List of subcontractors
 Compliance history

For smaller vendors that aren’t critical to your ongoing operations, this step may not
carry as much weight.

For example, if you’re working with an agency to redesign your packaging, you may
only need to request a few of these details. But, if you’re working with a vendor to
supply the majority of the products you sell, you’ll want to conduct a more thorough
assessment.

Final selection

At this point in the process, you should have a solid understanding of which vendors
you want to work with.
If it’s helpful, you can request references from past and current customers or get
input from key stakeholders to reinforce your decision.

Otherwise, with the information you’ve gathered so far, you should be able to assess
which vendors meet your requirements and have passed the relevant risk and
compliance checks to get on your approved vendor list.

Then, you can request the appropriate approvals to move forward and proceed to
the next stage of the vendor management lifecycle.

2. Contract
With the research and prep work out of the way, you can move on to the next step of
the lifecycle.

This is where you’ll make things official with the vendors who have met your
requirements and begin procuring their goods and services.

In most cases, this is the longest stage in the vendor management lifecycle, as it will
last as long as you continue doing business with a vendor.

Here are the main components of the contract stage:

Negotiations

The first step of this stage is negotiating contract terms with your selected vendors.
During this process, you’ll outline items like:

 Scope of work
 Deliverables
 Timeline
 Pricing
 Payment terms
 Service-level agreements (SLAs)

Your contract will provide the foundation for your partnership, and clearly spells out
the expectations you have for the vendor.

Later in the vendor lifecycle, you can always return to the contract terms to ensure
they continue to meet your requirements.

Though you want to secure favorable pricing and payment terms, you also want the
vendor to feel they are benefitting from the deal.

Be fair during negotiations so you end up with a contract that is mutually beneficial to
both parties. Doing so will help you establish a trusting and long-lasting relationship
for the rest of the lifecycle.

Onboarding

The vendor onboarding process is where you ensure you have the necessary
information to integrate a new supplier into your systems, like your accounting
software, procurement system, and enterprise resource planning (ERP) tool.

It’s likely that you already gathered a good portion of this information during the
evaluation stage, such as their legal name, address, and tax ID.

But, be sure to review any final details you need to collect to complete their vendor
profile and officially start doing business together.

If there is any training necessary to get the vendor caught up to speed on using your
systems, this is when you should deliver it.

The same goes for anyone on your team who will be involved in the procurement
process.

During onboarding, give the relevant staff directions on how to submit a purchase
order and use the vendor’s systems. Then, you’re ready to start making orders.

Performance monitoring

The contract stage continues even after you’ve started to procure their goods and
services.

As long as you’re working together, you need to keep tabs on certain metrics or KPIs
to ensure the vendor is meeting the expectations laid out in the contract.

This helps you determine whether they’re holding up their end of the deal, how they
stack up against your other vendors, and where you could make possible
improvements.

Using a vendor scorecard gives you a straightforward way to evaluate their performance, helping you track KPIs like:

 Accuracy: the portion of orders that arrive without errors
 Availability: the percentage of orders that are fulfilled on time
 Lead time: the time between when you make the order and when it’s delivered
 Responsiveness: the amount of time between when you make a complaint and when it’s resolved
 Quality: the amount of items delivered that pass inspection
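The five KPIs above are simple to compute once order and complaint records carry the right dates and counts. Here is an added example, not from the original notes, that builds a scorecard from constructed records for one vendor and checks each KPI against contract SLA thresholds; the record layout, the sample data and the SLA thresholds are assumptions.

```python
"""Added example (not part of the original notes): computing the five vendor
scorecard KPIs listed above from constructed order and complaint records, then
checking each against assumed contract SLA thresholds."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List


@dataclass
class Order:
    ordered: date       # date the purchase order was placed
    due: date           # contractual delivery date
    delivered: date     # actual delivery date
    items: int          # units delivered
    items_passed: int   # units that passed incoming inspection
    had_error: bool     # wrong item/quantity, damaged goods, invoice mismatch, etc.


@dataclass
class Complaint:
    opened: date
    resolved: date


def scorecard(orders: List[Order], complaints: List[Complaint]) -> Dict[str, float]:
    """The five KPIs from the scorecard list, computed over one reporting period."""
    n = len(orders)
    return {
        # Accuracy: share of orders that arrived without errors
        "accuracy": sum(1 for o in orders if not o.had_error) / n,
        # Availability: share of orders fulfilled on or before the due date
        "availability": sum(1 for o in orders if o.delivered <= o.due) / n,
        # Lead time: average days from order to delivery
        "lead_time_days": mean((o.delivered - o.ordered).days for o in orders),
        # Responsiveness: average days from complaint to resolution
        "responsiveness_days": mean((c.resolved - c.opened).days for c in complaints)
        if complaints else 0.0,
        # Quality: share of delivered units that passed inspection
        "quality": sum(o.items_passed for o in orders) / sum(o.items for o in orders),
    }


# Assumed SLA thresholds from the contract: KPI -> ("min" or "max", threshold).
SLA = {
    "accuracy": ("min", 0.95),
    "availability": ("min", 0.90),
    "lead_time_days": ("max", 7.0),
    "responsiveness_days": ("max", 3.0),
    "quality": ("min", 0.98),
}


def sla_check(card: Dict[str, float]) -> Dict[str, bool]:
    """True where the KPI meets its SLA, False where it breaches."""
    result = {}
    for kpi, (kind, threshold) in SLA.items():
        value = card[kpi]
        result[kpi] = value >= threshold if kind == "min" else value <= threshold
    return result


def run_example():
    """Constructed records for one vendor over March 2024."""
    orders = [
        Order(date(2024, 3, 1), date(2024, 3, 8), date(2024, 3, 7), 100, 100, False),
        Order(date(2024, 3, 5), date(2024, 3, 12), date(2024, 3, 14), 50, 48, True),
        Order(date(2024, 3, 10), date(2024, 3, 17), date(2024, 3, 17), 200, 198, False),
        Order(date(2024, 3, 15), date(2024, 3, 22), date(2024, 3, 20), 50, 50, False),
    ]
    complaints = [
        Complaint(date(2024, 3, 14), date(2024, 3, 16)),
        Complaint(date(2024, 3, 18), date(2024, 3, 21)),
    ]
    card = scorecard(orders, complaints)
    return card, sla_check(card)


if __name__ == "__main__":
    card, checks = run_example()
    for kpi, value in card.items():
        print(f"{kpi:20} {value:8.2f}  {'OK' if checks[kpi] else 'SLA BREACH'}")
```

Quality is computed per unit rather than per order, so one large shipment with a few rejects is weighted by its size; accuracy and availability are per order because that is how the SLA is usually written. Keeping the SLA table separate from the computation means the same scorecard function can be reused across vendors whose contracts set different thresholds.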

6. What are the 5 Ts of risk management?

Risk management responses can be a mix of five main actions: transfer, tolerate, treat, terminate or take the opportunity. Transfer: for some risks, the best response may be to transfer them. need to be set and should inform your decisions. Treat: by far the greater number of risks will belong to this category.

7. Is TPRM part of GRC?

TPRM is a component of GRC designed to address specific risks associated with external parties. (28 Dec 2023)

8. What is the TPRM standard?


Third-party risk management (TPRM) definition

This allows organizations to make risk-informed decisions and reduce the risk
posed by vendors to an acceptable level.

9. What is an example of TPRM?

Example of a TPRM KRI: number of critical vendors with open issues. An increase in critical vendor issues (cybersecurity, compliance, financial health, business continuity and disaster recovery, performance, etc.) (29 May 2024)

10. Who is responsible for third-party risk?

Even though senior management and the board of directors don't manage day-to-day third-party risk management activities, they have a regulatory, legal, and ethical responsibility for the effectiveness of the third-party risk management program at the organization. (11 Jan 2023)

11. What is the difference between TPRM and VRM?

Enterprise Risk Management, or ERM, is the process of identifying and addressing any potential risks or threats to an organization. VRM is focused on vendors and TPRM has a wider focus, while ERM is an even broader concept under whose umbrella both TPRM and VRM fall.

Who Should Own Third-Party Risk Management?
By: Hilary Jewhurst on January 11 2023

Third-party risk management entails multiple interrelated processes and requirements, typically requiring several stakeholders' involvement. After all, no single individual can handle the escalating demands of a third-party risk management program alone. But who actually owns third-party risk management? It may seem like a complex question, but it can be answered when roles and responsibilities are defined and understood.

Third-Party Risk Management Stakeholders


Effective third-party risk management processes naturally rely on various
stakeholders' collaboration, communication, and engagement, each
with separate roles and responsibilities. Let's examine some of the
most common roles and responsibilities.

Key Stakeholder Roles and Responsibilities

 The third-party risk management team owns the third-party risk management framework. This team (or individual) is responsible for developing and maintaining the framework, including the policy, processes, workflows, tools, rules, requirements, and reporting. They ensure that all necessary processes are executed on time, with the expected level of quality. They also track and report issues and manage escalation. If there is an audit or exam, this team prepares and organizes any requested audit information. The third-party risk management team oversees the execution of third-party risk management processes by the stakeholders. They also provide formal reports and updates to the board, senior management, and any risk or vendor committees.
 The third-party (or vendor) owner owns the third-party
relationship and its risks. These individuals oversee day-to-day vendor
matters and perform third-party risk management tasks as required by the
organization's policy and as instructed by the third-party risk management
team. They must identify and manage the risks posed by the vendor's
products and/or services and the relationship. They’re also responsible
for managing vendor performance, addressing any issues, and monitoring
the vendor for new or changing risks.
 The subject matter experts (SMEs) are responsible for evaluating
a vendor's risk practices and controls and providing a qualified
opinion on their sufficiency. SMEs may be internal or external experts
who review vendor risk questionnaires and due diligence
documentation to evaluate the sufficiency of a vendor's controls. They
provide a documented report detailing the information evaluated and any
gaps, weaknesses, or other findings relevant to the assessment. Most
SMEs specialize in a single risk domain and hold professional credentials
or certifications.
 Internal auditors are responsible for evaluating your
organization's third-party risk management program. Regulatory
and legal compliance are top priorities for most internal audit teams.
Internal auditors perform systematic evaluations of documentation,
processes, and controls and document any weaknesses that must be
addressed. They report their findings to the board and senior
management. Internal auditors are also responsible for tracking any audit
issues until they are successfully remediated.

 Other stakeholders or departments in your organization may interact with or advise on your third-party risk management program. A few examples include procurement, sourcing, and supply chain management. Other possible stakeholders are information security, accounts payable, compliance, legal, and finance. As additional stakeholders are identified, it’s important to define their roles and responsibilities related to third-party risk management and your organizational structure.
 Third parties (vendors) are responsible and accountable for
providing the product or service as expected. They’re also
responsible for meeting the agreed-upon contract service level
agreements (SLAs). Third parties must also participate in the due diligence
process by completing questionnaires, providing necessary due diligence
documents, and remediating issues. Other responsibilities include
monitoring their third parties (your fourth parties) complying with
regulations, training their staff to be aware of standards and laws, and
developing detailed business continuity and disaster recovery plans.

Each of the stakeholders listed above has a unique role to play in the
effective execution of third-party risk management. Still, none of these
stakeholders own all of third-party risk management, so it's time to shift
our focus to the roles and responsibilities of senior management and
the board of directors.

Senior Management and the Board Own Third-Party Risk Management

Even though senior management and the board of directors don’t manage day-to-day third-party risk management activities, they have a regulatory, legal, and ethical responsibility for the effectiveness of the third-party risk management program at the organization. They must ensure the effective development, implementation, and maintenance of the third-party risk management policy, program, and processes and communicate that third-party risk management is an organizational priority by setting the "tone-from-the-top."

Beyond general third-party risk management oversight, other responsibilities include reviewing and approving the third-party risk management policy and addressing issues brought to their attention. Keep in mind that the board and senior management must provide sufficient resources for the third-party risk management program to operate effectively. These resources include enough qualified and skilled staff, access to industry experts, tools, technology, and adequate budgets.

The buck stops with senior management and the board of directors as the
ultimate owners of third-party risk management at the organization. If the
program doesn’t function effectively, and risks aren’t identified, assessed,
and managed properly, senior management and the board of directors are
wholly responsible.
Third-party risk management is a "team sport" that requires various
stakeholders' participation and unique skill sets. While stakeholders may
"own" various aspects of third-party risk management, ultimately, senior
management and the board are responsible overall. For third-party risk
management to succeed, they must oversee, guide, and support
stakeholders by setting a tone-from-the-top, managing issues, providing
resources, and, most importantly, holding people accountable.

12. How many tiers are in the TPRM risk tier methodology?

Vendors are often divided into three distinct categories: Tier 1, Tier 2, and Tier 3. Classifying vendors allows your cybersecurity teams to streamline third-party risk management (TPRM) while also holding vendors to a higher standard of security.

How to manage third parties?
1. Manage and Assess Third-Party Risks: ...
2. Conduct Third-Party Screening, Onboarding, and Due Diligence. ...
3. Focus on Fourth Parties. ...
4. Establish a Tone at the Top with Board-level oversight. ...
5. Focus on IT Vendor Risk. ...
6. Ensure Appropriate Investment and Staffing. ...
7. Evaluate the Effectiveness of the TPM Program. ...
8. Build Mature TPM Processes.

The 3 Steps of Risk Management

The risk management process consists of three parts: risk assessment and
analysis, risk evaluation and risk treatment.

What are the 5 stages of the customer lifecycle?

What is the Customer Lifecycle? The customer lifecycle refers to the process of
prospects becoming aware of a product, making a purchase from a brand, and
ideally becoming a company's longtime customer. The process is made up of five
stages: reach, acquisition, conversion, retention, and loyalty.

What are the four stages of vendor management?


While vendor management strategies can vary across organizations, the
process typically includes stages such as the following:
 Segmentation. Segmentation involves the classification and selection of
vendors. ...
 Collaboration. ...
 Implementation. ...
 Evaluation.

How to select a vendor in procurement?

Having a well-defined vendor selection process is essential for selecting the right vendor for your business.
1. Identify Decision Makers: ...
2. Communicate Clearly: ...
3. Consider Vendor Reputation: ...
4. Set Clear Expectations: ...
5. Be Open to Options: ...
6. Cost Savings: ...
7. Quality Assurance: ...
8. Time Savings:

What are the 5 pillars of risk management?

The pillars of risk are effective reporting, communication, business process improvement, proactive design, and contingency planning. These pillars can make it easier for companies to successfully mitigate risks associated with their projects.

What are the 7 types of risk management?
Types Of Risk Management
 Liquidity Risk Management. Banks must safeguard long-term asset funding
using short-term liabilities. ...
 Interest Rate Risk Management. ...
 Market Risk Management. ...
 Credit Risk Management. ...
 Operational Risk Management. ...
 ESG Risk Management. ...
 Reputational Risk Management.

7 Types of Risk Management You Must Know About (2023-04-13)

The COVID-19 pandemic has caused major disruptions in banking operations. Consumers have become more demanding, so risk management must be robust. According to leading banking professionals participating in the Deloitte Banking Risk & Regulatory Academy, financial institutions must focus more on credit risk management. Banks must restructure and be prepared for forbearance.

Apart from commonly known risk management strategies, leading banks also focus on Environmental, Social, and Governance (ESG) by improving data management strategies and analytics. Moving to the cloud is the next inevitable step to navigating complex risks and ever-changing regulatory requirements.

Types Of Risk Management

Risk in the banking sector refers to unplanned incidents with major financial consequences, such as reduced or lost earnings. Risk management involves establishing a series of protocols and multi-step procedures that can precisely and accurately mitigate risks. Risk management planning should help financial institutions to recognise threats, assess the damage, and take control measures to prevent risk and minimise the damage.

1. Liquidity Risk Management

Banks must safeguard long-term asset funding using short-term liabilities. Funding risk for banks increases when net outflows increase. This can be due to the non-renewal of different types of retail and wholesale deposits or unexpected withdrawals. Funding institutions must also be prepared to deal with time risk when the expected fund inflows are delayed. Risk management is essential when non-performing assets increase. Call risk happens when contingent liabilities crystallise and no viable business opportunities are available.

2. Interest Rate Risk Management
Determining the right interest rate that is beneficial
for the banks and also for the customers is always
challenging. NBFCs that offer lower interest rates to
beat the competition must be careful because the
adjustments must not result in reduced Market
Value of Equity (MVE). The interest rate risks can
affect the banks’ earnings and the economic value
of the off-balance sheet.
3. Market Risk Management

Market fluctuations can lead to market risk when the mark-to-market value of trading portfolios goes down. Also called price risk, market risk can dramatically increase when the transactions have to be liquidated. Different factors, such as volatility in commodities, equities, currencies, and interest rates, can influence market risks.

4. Credit Risk Management

As NBFCs try to capture market share by disbursing more loans to underserved markets, their credit risk increases dramatically. The NPA level of the Indian banking system is high. When borrowers fail to fulfil their obligations, the counterparty risk and country risk for banks increase. Loan portfolio management and detailed evaluation of borrowers are crucial to managing credit risks.

5. Operational Risk Management

Banks risk a huge financial loss when internal processes and systems fail. Global financial links have increased as the banking and financial sector adopt automation. As a result, the potential for operational risks also increases. Transaction risk can result in failure of business continuity. Compliance risk can affect the integrity and credibility of banks.

6. ESG Risk Management

ESG risk is the new-age risk for financial institutions as they have to comply with inclusion and diversity policies. The pressure from multiple governments to contribute to climate change policies also affects investment value for the banks. Proactive risk management using models that integrate ESG and climate data must be used.

7. Reputational Risk Management

In the highly competitive banking sector, reputational risk can result in a loss of trust by customers and stakeholders. This risk can be caused by poor customer service, corruption, and fraud. Banks can prevent class-action lawsuits and other punitive damages with proper reputational risk management.

Mitigate Risks With Risk Management Framework

Banks and financial institutions must build a robust and scalable risk management model. The framework should include all risk parameters with adequate risk grading. The framework should be updated continuously based on updated risk tolerance levels. The model risk management framework must be built into banking operations for effective risk mitigation.

What is TPRM framework?


Third-party risk management (TPRM) frameworks provide organizations with a
roadmap to build their TPRM programs based on industry-standard best practices.
Frameworks can be used as a foundation for building a TPRM program and as a
source of baseline control requirements for third-party vendors and suppliers.

Setting up a third-party risk management program is a complex process that involves
managing hundreds, or even thousands, of vendors across multiple continents and
legal jurisdictions. For every vendor a company takes on, they must consider dozens
of third-party risks, including financial risks, cyber security exposures, legal actions,
and performance failures that could ultimately disrupt their organization. Building a
comprehensive TPRM program is increasingly important as organizations outsource
more significant portions of their workloads to third-party suppliers.

There is no single approach to TPRM, but some commonly used frameworks serve
as a solid starting point. These include frameworks provided by organizations such
as the National Institute of Standards and Technology (NIST) and the International
Standards Organization (ISO). Third-party risk management policies guide
organizations on building, applying, managing, and implementing best practices.
When implementing a third-party risk management framework, companies must
examine the nature of the risk involved and deal with the changing business,
regulatory and legal environments – and their potential impact on the organization’s
operation. Effectively utilizing TPRM frameworks will reduce risks to both your
organization and your customers.

What Is a Third-Party Risk Management Framework?


Third-party risk management frameworks fall into two categories. There are
frameworks specific to designing a TPRM or supply chain risk management
(SCRM) program, such as Shared Assessments TPRM Framework and NIST 800-161.
Then there are ancillary information security frameworks that can supplement a
TPRM program or help design vendor risk assessment questionnaires, such as NIST
CSF v2.0, ISO 27001, and ISO 27036.

Both ISO 27001 and the NIST CSF v2.0 can prove invaluable in building a third-party
risk management program. These standards are focused on providing an outline for
how organizations can build an effective information security program, and both
include controls related to effectively managing third-party risk. For example, NIST
CSF v2.0 includes provisions requiring that organizations have:

 a well-defined risk management policy
 security controls selected for third-party suppliers
 a policy codified in supplier agreements where appropriate
 suppliers managed and audited to the requirements and controls
This clearly isn’t enough to build a TPRM program on, but NIST CSF v2.0 can
provide far more value than that to your program. NIST CSF is widely considered to
be the gold standard for building a competent information security program. Many
organizations choose to build their vendor risk management and vendor risk
assessment processes on a framework such as NIST in order to ensure suppliers
are incorporating industry-standard best practices in their risk management program.

Why Are Third-Party Risk Management Frameworks Important?

Third-party risk is an increasingly relevant part of any enterprise risk management
strategy. Companies today are reliant on a dizzying array of suppliers and vendors
located throughout the world. For that reason, organizations are also susceptible to
business disruptions ranging from mild to severe, based on adverse events
impacting third parties such as bankruptcies, geopolitical events, and data breaches.

Third-party risk management and information security frameworks provide valuable
controls and information for organizations looking to mitigate their level of risk from
third-party relationships. For example, the Shared Assessments TPRM framework
consists of 4 fundamentals and 8 processes critical for a successful TPRM program
and encompasses the entire vendor risk management lifecycle. Using a third-party
risk management framework can help ensure that you have a fully fleshed out and
comprehensive program.

Frameworks such as NIST 800-161, ISO 27036, and Shared Assessments can help
provide a basis for developing a TPRM program. Information security-specific
frameworks like ISO 27001, NIST CSF, and NIST 800-37 can be used to guide the
vendor risk assessment process and to create vendor assessment
questionnaires that accurately assess a company's cybersecurity maturity.

Considerations When Choosing a TPRM Framework


No single framework is likely to provide your organization with every control to
comprehensively meet regulatory, risk management and due diligence goals. Many
organizations choose to work exclusively with NIST or ISO, and draw from multiple
frameworks and guidance documents from that organization when developing their
program. For example, an organization may choose to base their supply chain risk
management program on NIST 800-161, and draw on elements of NIST 800-53,
NIST CSF v2.0 and NIST 800-37 RMF to more fully develop their program and
develop their vendor assessment approach.

The following considerations and how they impact your organization are critical to
understand as you select a TPRM framework. Understanding the organizational risks
is the first step in choosing the proper framework for your company. These risk
categories include (but may not be limited to):

 Market/Reputational
 Financial
 Legal and Regulatory
 Strategic
 Technology
 People/Culture
 Fraud
 Operational Risk
 Intellectual Property
 Cybersecurity and Data Privacy Risks

One of the most frequent complaints about the assessment process is that it is
time-consuming for vendors to complete without outstanding business value to their
organization. TPRM isn’t just about ensuring that a partnership does not expose your
organization to intolerable risk potential; it is also about rewarding vendors that
reduce your organization's risks through their practices. That’s why it’s important to
select the correct TPRM framework and understand its impact on your ecosystem of
external vendors. When you are selecting the frameworks to help build your TPRM
program, consider the following:

 Does the framework enable automation for data gathering?
 How does the framework integrate with your existing workflows?
 Does the framework have or publish available benchmarks?
 Is the framework updated frequently to address changing levels of risk such
as cybersecurity risk, geo-political changes, and changes in the legal
environment?
 Are there standard definitions of high, medium and low risk?
 What TPRM frameworks do your customers use and require you to respond
to?
 Are there standard remediation processes in the literature associated with the
TPRM framework?
 Are there specific regulatory requirements that need to be considered? (such
as for financial institutions or healthcare providers)
 How broadly is the TPRM adopted? i.e., can it be used to address fourth-party
risk concerns?

Once you have considered which specific business problems you need a framework
to help you address, it’s worth examining some individual information security and
supply chain risk management frameworks. Shared Assessments, NIST 800-161,
and ISO 27036 can provide specific examples of important SCRM and TPRM
controls, while information security frameworks such as NIST CSF can help drive
your third-party risk management processes.

Shared Assessments Frameworks


Shared Assessments TPRM Framework
Shared Assessments has published a comprehensive set of TPRM best practices.
This framework is designed to help organizations establish, monitor, optimize and
mature their TPRM program using a standardized set of controls. The framework is
divided into two sections: fundamentals and processes. Fundamentals include four
sections: introduction, basics, buy-in, and governance. Processes include 8 families
ranging from outsourcing analysis and due diligence to ongoing monitoring.

Shared Assessments is one of the few frameworks that is focused solely on
third-party risk rather than on broader topics such as supply chain risk management or
organizational information security. However, it does have the drawback that
accessing the framework requires a membership fee, which can price some
organizations out of using it.

Shared Assessments Standardized Information Gathering Questionnaire (SIG)

Shared Assessments also publishes a standardized information gathering
questionnaire that can enable organizations to easily employ a standardized
third-party risk assessment that is pre-mapped to other standards such as ISO, HIPAA,
NIST, GDPR and PCI DSS. It also includes a management tool that can enable you
to draw from a predefined set of questions, an implementation checklist, and
guidance on what documentation to request from third-party vendors. SIG can be
particularly useful for organizations that are just beginning their TPRM program.

NIST Third-Party Risk Management Frameworks


NIST Supply Chain Risk Management Framework (NIST 800-161)

NIST 800-161 is supplemental guidance to NIST 800-53 Rev 5 specifically focused
on helping federal entities manage supply chain risks. Although geared towards
federal entities, NIST SCRM can also prove extremely useful for designing a TPRM
or SCRM program for private sector organizations. NIST 800-161 divides the supply
chain risk management process into four phases: frame, assess, respond, and
recover. It includes 19 control families ranging from awareness training to system
and service acquisition.

While supply chain risk management and third-party risk management are not
precisely the same, there is a great deal of overlap. Taking guidance from
NIST 800-161 could provide an excellent basis for building a competent TPRM program. NIST
800-161 might prove particularly useful for large, multinational organizations with
complex supply chains and advanced SCRM needs.

NIST Risk Management Framework (RMF) 800-37 Revision 2

NIST has also released a comprehensive risk management framework that enables
companies in all sectors to integrate third-party risk management and information
security management seamlessly. NIST 800-37 provides a solid foundation for
managing risk across the enterprise, including those related to third and fourth
parties. Section 2.8 of the NIST RMF is worth paying particular attention to when
considering issues around supply chain risk. NIST 800-37 can be particularly useful
when considering risk mitigation strategies for onboarding new third-party vendors.

NIST Cybersecurity Framework (CSF) v2.0


When designing vendor questionnaires, the best practices outlined in the NIST
Cybersecurity Framework can prove invaluable. This library of best practices
provides a set of standards that gives all participants the same reference model
when discussing problems. The NIST CSF is widely considered the gold standard for
building a cybersecurity program and can help you accurately measure a potential
vendor's cyber risk profile as part of the assessment process. Building your vendor
risk questionnaire based on controls found in NIST CSF can be particularly useful for
organizations that have strong data privacy or regulatory compliance concerns.

ISO TPRM Frameworks


ISO 27001, 27002 and 27018

The ISO 27001, 27002, and 27018 standards set requirements for establishing,
implementing, maintaining, and continually improving an information security
management system. ISO requirements are much broader than purely third-party
risk but do include a significant section on how to manage supplier risk as part of a
broader information security program. When designing your TPRM program, it is
worth considering not only the ISO provisions that relate to third-party risk, but also
the broader information security controls that could be applied to your vendor risk
assessment process.

ISO 27036

If your organization has third-party vendors and customers internationally, it may
also be fitting to leverage the International Standards Organization processes
specific to TPRM and information security. The ISO 27036 series has undergone
multiple revisions and is currently under revision for alignment with other ISO
standards. The ISO 27036 series is focused on information risks regarding the
acquisition of goods and services from suppliers. The standard includes professional
physical risks such as security guards, cleaners, delivery services, and equipment
servicing, and more standard processes regarding the use of cloud services, data
domiciles, shared compliance processes, and requirements. It can also be integrated
with ISO 27036 processes to provide a more holistic cybersecurity standard.

ISO 27036 is designed to manage the entire business relationship lifecycle to
include:

 Initiation - scoping, business case/cost-benefit analysis, comparison of
insourcing versus outsourcing options as well as variant or hybrid approaches
such as co-sourcing
 Definition of requirements including the information security requirements
 Procurement including selecting, evaluating, and contracting with supplier/s
 Transition to or implementation of the supply arrangements, with enhanced
risks around the implementation period
 Operation including aspects such as routine relationship management,
compliance, incident and change management, monitoring
 Refresh - an optional stage to renew the contract, perhaps reviewing the
terms and conditions, performance, issues, working processes
 Termination and exit

Closing Thoughts on TPRM Frameworks


Taking guidance from NIST, ISO, Shared Assessments, and other framework
providers can help cut out much of the manual labor of designing your TPRM
program. Frameworks such as NIST 800-161 and ISO 27036 can provide valuable
information for commonly adopted controls in TPRM and SCRM programs. Other
frameworks such as NIST CSF, ISO 27001, and NIST 800-37 can be extremely
helpful in designing your vendor risk assessment process.

Prevalent’s third-party risk management software makes it easy to build an effective
and streamlined TPRM program. With Prevalent, you can easily gather and correlate
intelligence on a wide range of vendor controls, including IT security, compliance,
performance, contract adherence, business continuity, financial position, reputation,
ethics, anti-bribery & corruption, ESG, diversity and more. The Prevalent TPRM
platform is a cloud-based solution that offers automated, standardized vendor risk
assessments from many of the frameworks and regulations mentioned in this post,
combined with vendor risk monitoring and remediation management across the
entire vendor life cycle. Prevalent’s TPRM platform offers pre-built workflows and
questionnaires mapped to industry standards, making establishing and managing
your TPRM program dramatically faster and less expensive than trying to do it
yourself. The platform is complemented by vendor intelligence networks offering
on-demand access to completed, standardized risk reports on thousands of companies.
Our solutions are backed by expert professional services and managed services to
help you optimize and mature your TPRM program.

Next Steps
Wondering how to evolve your TPRM program? Start with a free Third-Party Risk
Program Maturity Assessment. It's built on Prevalent’s proven model with more than
15 years of experience serving hundreds of customers. After completing a
45-question survey, you'll have a one-hour consulting session with Prevalent experts
and walk away with an in-depth report on the state of your current TPRM program,
plus practical recommendations for how to bring it to the next level.

Brenda Ferraro
Vice President of Third-Party Risk
Brenda Ferraro brings several years of first-hand experience addressing the
third-party risks associated with corporate vendors, services and data handling
companies. In her quest to economize third-party risk, she organized a myriad of
stakeholders and devised an approach to manage risk, receiving recognition from
regulators and a multitude of Information Security and Analysis Centers (ISACs). In
her role with Prevalent, Brenda works with corporations to build single-solution
ecosystems that remove the complexities of Third-Party Risk Management by way of
a common, simple and affordable platform, framework and governance
methodology. Prior to joining Prevalent, Brenda led organizations through control
standardization, incident response, process improvements, data-based reporting,
and governance at companies including Aetna, Coventry, Arrowhead Healthcare
Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds
certifications in vBSIMM, CTPRP, ITIL and CPM.

Who is responsible for TPRM?


Responsibility for third-party risk is not confined to a single department or role
within an organization. Instead, it is a shared duty that spans various enterprise
levels. From the operational and procurement teams on the front lines, engaging
directly with third and fourth parties, to the strategic oversight of senior
management and the board, each plays a vital role in the TPRM framework.

Third-Party Risk Management Roles and Responsibilities

April 24th, 2024 • Hannah Tichansky

Established roles and shared responsibilities within an organization are
fundamental to an effective TPRM program. Well-defined positions ensure
a resilient, effective, and secure operational ecosystem, laying the
foundation for success amid evolving threats and challenges.

As companies increasingly engage with external partners, managing and
mitigating the risks associated with these third-party relationships
becomes paramount. Each stakeholder must take ownership of their part
in the TPRM process.

Who is responsible for third-party risk?


Responsibility for third-party risk is not confined to a single department or
role within an organization. Instead, it is a shared duty that spans various
enterprise levels. From the operational and procurement teams on the
front lines, engaging directly with third and fourth parties, to the strategic
oversight of senior management and the board, each plays a vital role in
the TPRM framework.

Operational teams, including vendor managers and procurement
specialists, take ownership of the initial risk detection during scoping and
onboarding. They are the first to encounter potential risks in their
interactions with third and fourth parties. Their firsthand experiences and
assessments crucially provide the initial identification and management of
these risks.

However, the responsibility extends beyond these roles. For example, risk
management and compliance departments take ownership of the broader
organizational risk perspective, working with these teams. This ownership
applies a larger organizational strategy to the risk assessment process
and ensures that practices align with regulatory and stakeholder
requirements and company policies.

Senior management and the board of directors are at the pinnacle of this
shared responsibility structure. They are tasked with setting the strategic
direction for TPRM, establishing strategy that guides the organization’s
approach to third-party risk, and ensuring that these foundations are
implemented and adhered to throughout the organization.

Acknowledging TPRM as a collective effort fosters a more collaborative,
integrated approach to mitigating third and fourth-party risks.

What are TPRM roles and responsibilities?


In TPRM, roles are distributed across an organization to effectively
manage and mitigate risks associated with external parties. These roles
are categorized within a structured framework known as the three lines of
defense, each playing a distinct part in the overarching strategy of risk
management:

 First Line of Defense: Direct interaction with third parties, focusing on
operational management and vendor performance.
 Second Line of Defense: Oversight of risk management and
compliance, providing support and guidelines to operational teams.
 Third Line of Defense: Independent assessment through internal audits,
ensuring the effectiveness of TPRM practices.

Understanding these roles within the three lines of defense framework
clarifies the structure of TPRM. Not all organizations have these roles
broken out in this fashion. However, it is important to note that each
function is equally integral to overall security and success; each one is
dependent on the others. It sets the stage for a deeper dive into each
level’s responsibilities and activities, ensuring a comprehensive approach
to third-party risk management.

First Line of Defense: Operational Roles

The first line of defense in third-party risk management consists of roles
directly involving third parties, such as procurement functions. These
individuals are at the forefront of the organization’s interactions with
potential third parties, directly managing operational risk and ensuring
that third-party engagements align with the organization’s objectives and
risk appetite.

These roles work closely with potential third parties to negotiate terms,
establish SLAs, and monitor the ongoing performance of these external
partners. This interaction identifies and mitigates risks that could impact
the organization’s operations.

They assess vendor performance against agreed metrics, ensuring that
third parties meet contractual obligations and performance standards.
This continuous monitoring and feedback loop is integral to maintaining
robust vendor relationships and enhancing operational resilience.

In this context, operational risk refers to the potential for losses resulting
from inadequate or failed internal processes, people, systems, or external
events. Managing this risk involves a comprehensive understanding of the
third parties’ operational capabilities and the possible threats they pose to
the organization’s stability and success.

Through diligent monitoring and management of these relationships, the
first line of defense helps to safeguard the organization against
operational disruptions and reputational damage, ensuring a stable and
reliable supply chain.

Second Line of Defense: Risk Lifecycle Management and Compliance

The second line of defense involves TPRM lifecycle and compliance teams,
with a strong focus on information security. These individuals are pivotal
in ensuring organizational adherence to regulatory requirements and
safeguarding sensitive data.

Risk domain professionals, especially those in information security, are
tasked with identifying, assessing, and mitigating risks associated with
third-party engagements. They work to prevent data breaches and secure
organizational assets. With continuous monitoring, they ensure third
parties’ adherence to stringent standards that protect sensitive
information.

Compliance teams contribute to TPRM by verifying that contractual
relationships with third parties comply with legal and regulatory
frameworks. Their work helps the organization comply with applicable
laws and regulations, thus preserving its reputation and avoiding legal
issues.

In crisis management and incident response, risk management and
information security professionals develop and implement strategies to
efficiently manage incidents involving third parties. Their preparedness
and quick response are essential in minimizing the impact of such
incidents on the organization.

The second line of defense, which focuses on risk management and
information security, ensures regulatory compliance and strengthens
defenses against third-party threats.

Third Line of Defense: Internal Audits

Internal audits form an additional line of defense in TPRM, independently
assessing how the organization manages third-party risks. This function
tests the organization’s risk management practices, identifying strengths
and pinpointing opportunities for improvement, especially in preventing
and responding to data breaches.

The role of the internal audit extends beyond compliance. Auditors
proactively scrutinize third-party risk management processes and
outcomes, confirming compliance with industry standards and alignment
with the organization’s strategic objectives. Their audits yield insights into
the operational aspects of managing third-party engagements and
fostering strategic enhancements.

Internal auditors perform detailed post-incident audits in crisis
management, evaluating how the organization responds to incidents
involving third parties. These assessments aim to strengthen the
organization’s defenses against future risks. The insights gained drive the
continuous enhancement of the TPRM strategy, contributing to a more
resilient and proactive risk management framework.

Ultimately, internal audits ensure that TPRM practices are comprehensive
and aligned with broader organizational goals, bolstering resilience
against third-party related risks.

Collaboration and Communication Across TPRM Roles and Responsibilities

Effective TPRM hinges on every stakeholder taking ownership of their role,
fostering quality communication and collaboration across all
organizational levels. This ownership often goes beyond the specific
responsibilities defined within each line of defense. The dynamic between
operational roles, risk management, compliance teams, and internal audit
functions directly leads to a unified and effective TPRM policy.

Strategies to enhance communication include regular cross-departmental
meetings, integrated centralized reporting systems, and a shared,
dynamic platform for risk assessment and management. These
approaches ensure the timely delivery of crucial information on third-party
risks, aligning all stakeholders in their understanding and risk
management efforts.

For example, when procurement specialists (in their operational roles)
collaborate with other risk roles, they can jointly, swiftly, and more
accurately identify potential risks. This collaboration leads to quicker and
more informed decision-making and strategy development.

Executive leadership ideally fosters a culture where strong communication
and collaboration serve as procedural necessities and strategic assets. By
advocating these principles, senior management establishes a philosophy
where shared responsibility and collective action are standard, resulting in
more resilient third-party relationships and a more potent TPRM strategy.

Executive Leadership: Senior Management and the Board

The ultimate responsibility for risk management rests with senior
management and the board, which are pivotal in ensuring their strategy is
put into practice. Establishing the corporate tone ensures a steadfast
commitment to effective third-party risk management principles.

Central to their role is fostering an organizational culture of compliance
that values open communication and collaboration as foundational
elements. This group also defines the strategic framework for all
risk-related activities, ensuring that transparency and cooperation are
fundamental across the organization.

Engaging deeply in strategic decisions affecting the company, the
leadership team ensures thorough integration of cross-departmental
teamwork into the TPRM framework. This integration fosters a unified
approach to managing third-party risks, enhancing the organization’s
defenses against external and internal threats through streamlined
information flow and united efforts.

By nurturing this environment, company leadership demonstrates a firm
commitment to vigorous risk management practices and ensures
consistency and effectiveness. They advocate for a corporate ethos
emphasizing continuous vigilance and proactive strategies.

Under their guidance, TPRM embodies a strategic vision that merges risk
awareness with operational efficiency, securing the organization’s
resilience amid evolving threats and challenges.

Enhancing TPRM Roles through Technology

Technology streamlines TPRM processes across all organizational levels,
from operational teams to executive leadership. Its integration into TPRM
systems allows for more effective and efficient management of third-party
risks, optimizing how they are identified, assessed, monitored, and
mitigated.

Utilizing centralized, advanced technological tools and systems,
organizations can achieve greater insight into their third-party networks,
enabling real-time monitoring and risk analysis. This technological
backbone supports the uninterrupted flow of information, ensuring that all
TPRM roles have access to the data they need to make informed decisions
swiftly.

Next Steps
To enhance TPRM effectiveness, organizations must prioritize the
understanding and organization of roles and responsibilities. This clarity
facilitates a coordinated effort across the organization, which is essential
for managing third-party risks efficiently.

Leaders should periodically review and refine their TPRM processes,
ensuring roles are well-defined and aligned with the organization’s
strategic goals. Proactively managing relationships with third and fourth
parties enhances competitive advantage, positioning the organization for
long-term success.

Hannah Tichansky

Hannah Tichansky is the Senior Content Marketing Manager at Aravo
Solutions, the market’s smartest third-party risk and resilience solutions,
powered by intelligent automation. At Aravo, she manages all content and
thought leadership produced for products and campaigns, and contributes
as an author for articles and blog posts.

How to conduct TPRM?


To help you get started, we've outlined the workflow for getting started with
your Third-Party Risk Management Program.
1. Design a TPRM framework. ...
2. Create a list of all third-party vendors. ...
3. Classify each vendor. ...
4. Calculate the risk the vendor has to the organization. ...
5. Assign a security risk rating to each vendor.

Your guide to creating a Third-Party Risk Management Program to assess your vendors

by Usman Khan

What is a TPRM strategy and what is the ideal workflow for getting started assessing vendors' risks?

When it comes to cybersecurity, outsourcing or the use of third parties
inherently comes with risks. These risks include everything from
operational risk to compliance risk. Although you will never be able to
eliminate all vendor risks, you can manage them by identifying and
mitigating the risks with each vendor. Third-Party Risk Management (TPRM)
is an ongoing evaluation process for organizations that want to manage
the risks that occur when using vendors and outsourcing services and
products. A TPRM strategy helps shine a light into areas of potential
business risks. One key component of TPRM includes Third-Party Vendor
Assessments.

A Third-Party Assessment (TPA) or Vendor Assessment (VA) is an
assessment that evaluates the risk associated with an
organization’s new and ongoing vendors. When outsourcing any
product or service, organizations should identify the risks of
working with a particular vendor or third party. The risk rating an
organization assigns to its vendors could be based on:

 The type of data, like Personally Identifiable Information (PII) or
Nonpublic Personal Information (NPI).
 Services that the vendor provides that assist the organization in
maintaining compliance with laws, regulations, and standards, such as GLBA,
HIPAA, PCI-DSS, CCPA, GDPR, etc.
 Any other critical factors that an organization deems aligned with its
risk profile.
A properly designed and implemented TPRM program will help
identify and manage the risk of all your organization’s vendors. To
help you get started, we’ve outlined the workflow for getting
started with your Third-Party Risk Management Program.

Design a TPRM framework

Given its general acceptance within both the federal and commercial sectors,
at MindPoint Group we use the National Institute of Standards and Technology
(NIST) Special Publication 800-53 as the risk management framework for our
security assessments. During an assessment with your organization, MindPoint
Group will work to develop and implement additional organization-specific
security controls on top of the framework that address your organization’s
industry requirements. Once complete, the risk management framework is used
to assess vendors: to ensure regulatory requirements are met, and to address
risk pertaining to the organization as a whole and at the product and/or
service level.

An important question to consider at this point in the process is: Who is
considered a third party for my organization?

Create a list of all third-party vendors

Maintaining a central repository of all the vendors that are providing
services or products to your organization is essential. From vendors who
provide core business functions to smaller vendors providing support
services, all vendors and the services they provide should be documented.
Each department will need to be involved in this process to identify areas
of risk and where the vendors and the services they provide potentially
overlap. It is crucial to maintain transparency through each step of the
TPRM process, so no stone is left unturned. Remember, risk can come from any
vendor, no matter the size.

Classify each vendor

Now that a vendor list is created, each vendor needs to be classified using
some type of risk rating. Many organizations choose high, medium, and low;
some organizations use A, B, or C. Develop an intuitive rating system and be
sure to communicate it to all stakeholders within the organization. Identify
the risk based on the systems, networks, and data the vendors have access to.

For the purposes of classifying all your organization’s third parties,
MindPoint Group can assist with developing a vendor onboarding and an annual
questionnaire. This process is essential for capturing important details
regarding the service, such as information on the location and level of data
stored/processed and various other elements that dictate the type of
assessment required.

The classification may also depend on the service or the product solutions
the vendor provides. You can classify vendors based on the following
questions:

1. What service or product does the vendor provide?
2. Who owns/manages the vendor relationship?
3. Does this vendor provide any core business services?
4. What data does this vendor have access to? Confidential, Private Data,
Corporate Financial, Sensitive, Public, PII?
5. How much data does the vendor have access to?
6. What access to data does the vendor have? Is vendor access to that data
required?
7. Does the vendor have a fourth-party provider for any of the services
they are providing?

Calculate the risk the vendor has to the organization

Every vendor poses different risks to the organization. Vendors who provide
critical business processes or have access to sensitive data pose a larger
threat to the organization than vendors with limited access. If you’re
examining a new vendor, it may be difficult to calculate the risk since
you’re probably less familiar with the cybersecurity processes they have in
place. This is where a Third-Party Assessment (TPA) is performed to identify
the risks of the vendor from a managerial, operational, and technical
standpoint. Once the risks are identified, the likelihood that each will
occur and its impact if it does can be estimated. With these inputs, you can
determine how much your organization should spend to mitigate each risk. It
is best practice to perform a TPA on an annual basis for your high- and
medium-risk vendors to address previously identified risks and to identify
new ones.

Assign a security risk rating to each vendor

Based on the risks of each vendor, they will be assigned a security risk
rating. Once a security risk rating is assigned, senior management should
prioritize the higher-risk vendors and the risks associated with each of
those vendors. For the varying risks, the organization should follow the
guidelines for the risk categories:
 High – Develop corrective measures immediately
 Medium – Develop corrective measures within a reasonable time period
 Low – Decide whether to accept the risk or to mitigate

High- and medium-risk vendors are any vendors who handle critical business
operations or work with sensitive data. Lower-risk vendors are any vendors
who have limited to no access to sensitive data or do not interact with
critical systems and networks.

Areas of High Risk

TPAs can identify certain areas of your risk profile as “high risk” when an
assessment is completed. This can include an organization’s cybersecurity
practices, or its business continuity and disaster recovery planning. Once
these higher areas of risk are identified, the organization can place
additional controls in those areas. If the assessment was performed
pre-contract, the organization should require the vendor to mitigate or
remediate the high risks before contractually committing. MindPoint Group
will then perform additional testing as needed to ensure that the vendor’s
remediation took place correctly.

Performing TPAs is best practice and is the first step to identifying any
potential unwanted risk. TPAs are essential for businesses to help combat
and avoid costly and unanticipated breaches or incidents in the future by
knowing the risks upfront and acting on them.

Ideally, these assessments will help set a foundation for your cybersecurity
strategy, so you can identify where additional controls are needed and limit
your exposure to risk.

Address the security risks

Once all the vendors have been identified and associated with a risk rating,
management can decide how to respond to each vendor accordingly. Risks
within each vendor can be accepted, refused, mitigated, or transferred. All
risks, regardless of the designation, need to be thoroughly documented for
management review and as an official record of risk. Implementing controls
like encryption, firewalls, and multi-factor authentication can help protect
assets and help mitigate risk. It is essential to address risks by writing
your controls and your requirements into your contracts with your vendors,
so they understand expectations and take action when needed. It is crucial
to monitor your vendors on an ongoing basis to ensure they are implementing
the agreed controls and mitigating risks that may arise.

TPRM Assessment Process with MindPoint Group:
 Assist your organization in developing a TPRM program
 Guide your organization through the assessment framework development
process
 Assist with developing templatized documentation for the entire process
 Contact your third-party vendor to schedule the assessment
 Work with your teams to gather preliminary assessment information,
documentation, and if available, evidence
 Conduct assessments, either on-site, remote-based, or reliance testing
 Develop assessment findings report for your organization
 Brief you and your vendor of all assessment findings

As a best practice, it’s important to note that vendors should be assessed
on an annual basis, as risks can change over time.


*Special thanks to Bilal Khan and Nick Vaccariello for help with
this article as well!

What is a third party in TPRM?

Third-party risk management (TPRM) is a form of risk management that focuses on
identifying and reducing risks relating to the use of third parties (sometimes referred
to as vendors, suppliers, partners, contractors, or service providers).

What is Third-Party Risk Management?

Third-party risk management (TPRM) is a form of risk management that
focuses on identifying and reducing risks relating to the use of third
parties (sometimes referred to as vendors, suppliers, partners,
contractors, or service providers).

The discipline is designed to give organizations an understanding of the
third parties they use, how they use them, and what safeguards their third
parties have in place. The scope and requirements of a TPRM program are
dependent on the organization and can vary widely depending on
industry, regulatory guidance, and other factors. Still, many TPRM best
practices are universal and applicable to every business or organization.

While exact definitions may vary, the term “third-party risk management”
is sometimes used interchangeably with other common industry terms,
such as vendor risk management (VRM), vendor management, supplier
risk management, or supply chain risk management. However, TPRM is
often thought of as the overarching discipline that encompasses all types
of third parties and all types of risks.

Why is Third-Party Risk Management Important?

While third-party risk isn’t a new concept, upticks in breaches across
industries and a greater reliance on outsourcing have brought the
discipline to the forefront like never before. Disruptive events have
impacted almost every business and their third parties – no matter the
size, location, or industry. In addition, data breaches and cyber security
incidents are common. In 2021, the impact that third parties have on
business resilience was highlighted through outages and other third-party
incidents. Some of the ways you can be impacted are:

 Internal outages and lapses in operational capabilities

 External outages affecting areas across the supply chain

 Vendor outages that open your organization to supply chain vulnerabilities

 Operational shifts that affect data gathering, storage, and security

Most modern organizations rely on third parties to keep operations
running smoothly. So, when your third parties, vendors, or suppliers can’t
deliver, there can be devastating and long-lasting impacts.

For example, you may rely on a service provider such as Amazon Web
Services (AWS) to host a website or cloud application. Should AWS go
offline, your website or application also goes offline. An additional
example could be the reliance on a third party to ship goods. If the
shipping company’s drivers go on strike, that can delay expected delivery
times and lead to customer cancellations and distrust, which will
negatively impact your organization’s bottom line and reputation.

Outsourcing is a necessary component of running a modern business. It
not only saves a business money, but it’s a simple way to take advantage
of expertise that an organization might not have in house. The downside
is that if a proper TPRM program is not in place, relying on third parties
can leave your business vulnerable.

What are the Top TPRM Best Practices?

There are endless TPRM best practices that can help you build a better
program, regardless of whether you’re just beginning to make TPRM a
priority, or you want to understand where your existing program could be
improved. We’ve outlined what we believe are the 3 most critical best
practices that are applicable to nearly every company.

1) Prioritize Your Vendor Inventory

Not all vendors are equally important, which is why it is critical to
determine which third parties matter most. To improve efficiency in your
TPRM program, segment your vendors into criticality tiers.

Most companies segment vendors into three groups:


 Tier 3: Low risk, low criticality

 Tier 2: Medium risk, medium criticality

 Tier 1: High risk, high criticality

In practice, organizations will focus their time and resources on tier 1
vendors first, as they require more stringent due diligence and evidence
collection. Typically, tier 1 vendors are subject to the most in-depth
assessments, which often includes on-site assessment validation.

Many times, especially during initial evaluation, these tiers are calculated
based on the inherent risk of the third party. Inherent risk scores are
generated based on industry benchmarks or basic business context, such
as whether or not you will be:

 Sharing proprietary or confidential business information with the vendor

 Sharing personal data with the vendor

 Sharing sensitive personal data with the vendor

 Sharing personal data across borders

 Serving a critical business function

Additionally, impact of the vendor can be a determining factor. If a third
party can’t deliver their service, how would that impact your operations?
When there is significant disruption, the risk of the vendor will inevitably
be higher. Determine this impact by considering:

 The impact of unauthorized disclosure of information

 The impact of unauthorized modification or destruction of information

 The impact of disruption of access to the vendor/information

Another way to tier vendors is by grouping based on contract value.
Big-budget vendors may automatically be segmented as a tier 1 vendor due
to the high risk based solely on the value of the contract.

2) Leverage Automation Wherever Possible

Efficiencies emerge when operations are consistent and repeatable. There
are a number of areas in the TPRM lifecycle where automation is ideal.
These areas include, but are not limited to:

 Intaking and onboarding new vendors. Automatically add vendors to your inventory using an intake form or via integration with contract management or other systems.

 Calculating inherent risk and tiering vendors. During intake, collect basic business context to determine a vendor’s inherent risk, and then automatically prioritize vendors
posing the highest risk.

 Assigning risk owners and mitigation tasks. When a vendor risk is flagged, route the risk to the correct individual and include a checklist of mitigation action items.
 Triggering vendor performance reviews. Set up automation triggers to conduct a review of the vendor each year, and if the vendor fails the review, trigger off-boarding actions.

 Triggering vendor reassessment. Send a reassessment based on contract expiration dates and save the previous year’s assessment answers so the vendor doesn’t have to start
from scratch.

 Sending notifications and other alerts. When a new risk is flagged or a new vendor is onboarded, send an email or alert the relevant stakeholder through an integration with an
existing system.

 Scheduling and running reports. Set up automated reports that run on a daily, weekly, or monthly basis and automatically share them with the right person.

Every TPRM program is different, so start by looking internally at the
repeatable processes that are ripe for automation. From there, start small
and take practical steps to automate key tasks. Over time, these small
automations will compound, saving your team valuable time, money, and
resources.

3) Think Beyond Cybersecurity Risks

When considering a third-party risk or vendor risk management program,
many organizations immediately think about cybersecurity risks. But TPRM
entails so much more. While starting small and focusing only on
cybersecurity risks is a good first step, there are other types of risks that
need to be prioritized. These risks include:

 Reputational risks

 Geographical risks

 Geopolitical risks

 Strategic risks

 Financial risks

 Operational risks

 Privacy risks

 Compliance risks

 Ethical risks

 Business continuity risks

 Performance risks

 4th party risks

 Credit risks

 Environmental risks

The key takeaway here is that understanding all relevant types of risk
(and not just cybersecurity) is imperative to building a world-
class TPRM program.

What is the Third-Party Risk Management Lifecycle?

The third-party risk management lifecycle is a series of steps that outlines
a typical relationship with a third party. TPRM is sometimes referred to as
“third-party relationship management.” This term better articulates the
ongoing nature of vendor engagements. Typically, the TPRM lifecycle is
broken down into several stages. These stages include:
1. Vendor identification

2. Evaluation & selection

3. Risk assessment

4. Risk mitigation

5. Contracting and procurement

6. Reporting and Record-keeping

7. Ongoing monitoring

8. Vendor off-boarding

Phase 1: Third-Party Identification

There are many ways to identify the third parties your organization is
currently working with, as well as ways to identify new third parties your
organization wants to use.

To identify vendors already in use and build a vendor inventory,
organizations take multiple approaches, which include:

 Using existing information. Organizations often consolidate vendor information from spreadsheets and other sources when rolling out third-party risk software.

 Integrating with existing technologies. Technologies that are in use often contain detailed vendor information, such as CMDBs, SSO providers, contracts, procurement, and other
systems. Organizations will often plug into these sources to centralize their inventory in a single software solution.

 Conducting assessments or interviews. A short assessment to business owners across the company, such as marketing, HR, finance, sales, research and development, and other
departments can help you uncover the tools in use at your organization.

To identify new third parties, organizations will often leverage a
self-service portal as part of their third-party risk management program.
With a self-service portal, business owners can build their inventory. Share
the portal with your business by linking to it from your intranet or
SharePoint. Self-service portals also help gather preliminary information
about the third party, such as:

 Personal information involved

 Hosting information

 Privacy Shield and other certification

 Business context

 Scope of engagement

 Vendor Name

 Expected procurement date

 Business purpose

 Primary vendor contact (email, phone, address)

 Data type involved

 Prior security reviews or certifications, if applicable

Using this information, you can classify third parties based on the inherent
risk that they pose to your organization.

Phase 2: Evaluation and Selection

During the evaluation and selection phase, organizations consider RFPs
and choose the vendor they want to use. This decision is made using a
number of factors that are unique to the business and its specific needs.

Phase 3: Risk Assessment

Vendor risk assessments take time and are resource-intensive, which is
why many organizations are using a third-party risk exchange to access
pre-completed assessments. Other common methods include using
spreadsheets or assessment automation software. Either way, the primary
goal of understanding the risks associated with the vendor is the same.

Common standards used for assessing vendors include:

 ISO 27001 & ISO 27701

 SIG Lite & SIG Core

 NIST SP 800-53

 CSA CAIQ

As well as industry-specific standards, such as:

 HITRUST

 HECVAT

Phase 4: Risk Mitigation

After conducting an assessment, risks can be calculated, and mitigation
can begin. Common risk mitigation workflows include the following
stages:

 Flagging: At this stage, risks are flagged and given a risk level or score.

 Evaluation: During the evaluation phase, organizations will determine if the risk is acceptable within their defined risk appetite.

 Treatment: When treatment occurs, a risk owner must validate that the required controls are in place to reduce the risk to the desired residual risk level.

 Monitoring: At this phase, organizations monitor risks for any events that may increase the risk level, such as a data breach.
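The four-stage workflow above (flag and score, evaluate against the risk appetite, treat with owner validation of controls, monitor for risk-changing events) carried through in code, as an added example that is not part of the original article. The 1..5 likelihood-times-impact scale, the appetite threshold of 8, the event uplift and the sample findings are constructed assumptions.

```python
"""Vendor risk mitigation workflow: flag, evaluate, treat, monitor.
Added example, not code from the article quoted on this page. The 1..5
likelihood-times-impact scale, the appetite threshold and the event uplift
values are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Stage(Enum):
    FLAGGED = "flagged"        # finding identified and scored
    EVALUATED = "evaluated"    # above appetite; treatment decision pending
    MONITORING = "monitoring"  # accepted or treated; watched for new events


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    REFUSE = "refuse"


RISK_APPETITE = 8  # assumption: a residual score above this is not acceptable


@dataclass
class VendorRisk:
    vendor: str
    description: str
    likelihood: int                 # inherent likelihood, 1..5
    impact: int                     # inherent impact, 1..5
    stage: Stage = Stage.FLAGGED
    owner: Optional[str] = None
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    history: List[str] = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> Optional[int]:
        if self.residual_likelihood is None:
            return None
        return self.residual_likelihood * self.residual_impact


def flag_risk(vendor, description, likelihood, impact) -> VendorRisk:
    """Stage 1: an assessment finding is flagged and given a score."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    risk = VendorRisk(vendor, description, likelihood, impact)
    risk.history.append(f"flagged with inherent score {risk.inherent}")
    return risk


def evaluate(risk, appetite=RISK_APPETITE) -> bool:
    """Stage 2: accept within appetite (True) or require treatment (False)."""
    if risk.stage is not Stage.FLAGGED:
        raise RuntimeError(f"cannot evaluate a risk in stage {risk.stage.value}")
    if risk.inherent <= appetite:
        risk.treatment = Treatment.ACCEPT
        risk.residual_likelihood, risk.residual_impact = risk.likelihood, risk.impact
        risk.stage = Stage.MONITORING
        risk.history.append("accepted within risk appetite")
        return True
    risk.stage = Stage.EVALUATED
    risk.history.append(f"inherent {risk.inherent} exceeds appetite {appetite}")
    return False


def treat(risk, owner, treatment, residual_likelihood, residual_impact,
          controls_validated, appetite=RISK_APPETITE) -> bool:
    """Stage 3: the owner records the treatment and validates the controls.
    Returns False (risk stays evaluated) when the residual is still above appetite."""
    if risk.stage is not Stage.EVALUATED:
        raise RuntimeError(f"cannot treat a risk in stage {risk.stage.value}")
    if treatment is Treatment.ACCEPT:
        raise ValueError("a risk above appetite needs mitigation, transfer or refusal")
    if treatment is Treatment.REFUSE:
        residual_likelihood = residual_impact = 0   # engagement declined: no exposure
    elif not controls_validated:
        raise ValueError("the risk owner must validate that controls are in place")
    if residual_likelihood * residual_impact > appetite:
        risk.history.append(f"{treatment.value} rejected: residual still above appetite")
        return False
    risk.owner, risk.treatment = owner, treatment
    risk.residual_likelihood, risk.residual_impact = residual_likelihood, residual_impact
    risk.stage = Stage.MONITORING
    risk.history.append(f"{treatment.value} by {owner}, residual {risk.residual}")
    return True


def record_event(risk, event, likelihood_uplift, appetite=RISK_APPETITE) -> bool:
    """Stage 4: a risk-changing event raises the likelihood; reopen if above appetite."""
    if risk.stage is not Stage.MONITORING:
        raise RuntimeError(f"cannot record an event in stage {risk.stage.value}")
    risk.residual_likelihood = min(5, risk.residual_likelihood + likelihood_uplift)
    risk.history.append(f"event '{event}': residual now {risk.residual}")
    if risk.residual > appetite:
        risk.stage = Stage.EVALUATED
        risk.history.append("reopened: residual exceeds appetite")
        return False
    return True
```

The `history` list on each risk is the documented record of every decision that management review and audit require; a refused engagement leaves a residual of zero but keeps its trail.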

Phase 5: Contracting and Procurement

Sometimes done in parallel with risk mitigation, the contracting and
procurement stage is critical from a third-party risk perspective. Contracts
often contain details that fall outside the realm of TPRM. Still, there are
key provisions, clauses, and terms that TPRM teams should look out for
when reviewing vendor contracts.

Some of these include:

 Defined Scope of Services or Products

 Price and Payment Terms

 Term and Termination Clauses

 Intellectual Property Ownership Clause

 Deliverables or Services Clause

 Representation and Warranties

 Confidentiality Clause

 Disclaimers or Indemnification

 Limitation of Liability

 Insurance

 Relationship Clause

 Data Processing Agreement

 4th Party or Subprocessor Change Clauses

 Compliance Clause

 Data Protection Agreement

 Service Level Agreements (SLAs), Product Performance, Response Time


Home in on these key terms to report on requirements in a structured
format. Simply determine if key clauses are adequate, inadequate, or
missing.

Phase 6: Reporting and Recordkeeping

Building a strong TPRM program requires organizations to maintain
compliance. This step is often overlooked. Maintaining detailed records in
spreadsheets is nearly impossible at scale, which is why many
organizations implement TPRM software. With auditable recordkeeping in
place, it becomes much easier to report on critical aspects of your
program to identify areas for improvement.

In practice, a sample reporting dashboard may include:

 Total supplier count

 Suppliers sorted by risk level

 Status on all supplier risk assessments

 Number of suppliers with expiring or expired contracts

 Risks grouped by level (high, medium, low)

 Risks by stage within the risk mitigation workflow

 Risks to your parent organization and risks to your subsidiaries

 Risk history over time

Phase 7: Ongoing Monitoring

An assessment is a “moment-in-time” look into a vendor’s risks; however,
engagements with third parties do not end there – or even after risk
mitigation. Ongoing vendor monitoring throughout the life of a third-party
relationship is critical, as is adapting when new issues arise.

For example, new regulations, negative news stories, high-profile data
breaches, and evolving usage of a vendor may all impact the risks
associated with your third parties. Some key risk-changing events to
monitor include:

 Mergers, acquisitions, or divestitures

 Internal process changes

 Negative news or unethical behavior

 Natural disasters and other business continuity triggering events

 Product releases
 Contract changes

 Industry or regulatory developments

 Financial viability or cash flow

 Employee reduction

Phase 8: Vendor Offboarding

A thorough offboarding procedure is critical, both for security purposes
and for recordkeeping requirements. Many organizations have developed an
offboarding checklist for vendors, which can consist of an assessment sent
both internally and externally to confirm that all appropriate measures
were taken. Critical too is the ability to maintain a detailed evidence
trail of these activities to demonstrate compliance in the event of a
regulatory inquiry or audit.

Which Department Owns TPRM?

There is no one-size-fits-all approach to third-party risk management. All
companies are different, and as a result, there is no set-in-stone
department that owns vendor risk responsibilities. Some mature
organizations may have a third-party risk or vendor management team,
but many organizations do not. As a result, common job titles and
departments that “own” third-party risk include:

 Chief Information Security Officer (CISO)

 Chief Procurement Officer (CPO)

 Chief Information Officer (CIO)

 Chief Privacy Officer (CPO)

 Information Technology (IT)

 Sourcing and Procurement

 Information Security

 Risk and Compliance

 Supply Chain Manager

 Third-Party Risk Manager

 Vendor Risk Manager

 Vendor Management

 Contract Manager
The list above is by no means comprehensive; however, the diverse
variety of titles and departments can shed some light on the diverse
approaches taken to third-party risk management.

Ultimately, these stakeholders and departments must work together to
manage vendors throughout the third-party lifecycle. As such, TPRM often
extends into many departments and across many different roles.

What are the Benefits of Third-Party Risk Management Software?

With third-party risk software, your organization can develop and scale a
successful TPRM management program that adds value to your bottom
line. The return on investment (ROI) is significant when leveraging the
automation opportunities that purpose-built software provides. The
biggest benefits include:

 Improved security

 Improved customer trust

 Increased time savings

 Increased cost savings

 Less redundant work

 Better data visibility

 Faster vendor onboarding

 Simpler assessments

 Better reporting capabilities

 Easier audits

 Fewer risks

 Better vendor performance

 Fewer spreadsheets

What is inherent risk in TPRM?

Inherent risk is a practical tool to differentiate and categorize each one of
them, analyzing how a company is using their vendors, suppliers, and
providers, and what risk they pose to the organization. Different companies
engage with vendors in different ways, and that's why measurement is unique
to each organization.

What is Inherent Risk in Vendor Management?

VENDOR RISK MANAGEMENT

Written by Sabrina Pagnotta March 03, 2023


As organizations expand their digital supply chains and adopt new
technologies to be more efficient, third-party risk goes up. In the context
of vendor risk management (VRM), inherent risk is a useful tool to
measure and manage the risk associated with each third-party vendor.

What is Inherent Risk?

Inherent risk is the threat a certain element, such as a third-party
vendor, poses to the organization before executing any mitigation
activities or doing anything to reduce the likelihood of a mishap.

How Do You Measure Inherent Risk?

The Bitsight VRM solution measures inherent risk based on custom risk
categories defined by our users, which automate the scoring and
prioritization of third-party vendors.

It takes into account how a company is using their vendors, including but
not limited to the levels of engagement, the amount, and types of data
shared with them.

Why is Inherent Risk Relevant to Third-Party Risk Management?

Companies can have hundreds or thousands of third-party vendors in
ever-growing supply chains. They need to be able to focus on the
highest risks, as opposed to subjecting every vendor to the same
scrutiny.

Inherent risk is a practical tool to differentiate and categorize each one
of them, analyzing how a company is using their vendors, suppliers, and
providers, and what risk they pose to the organization.

Different companies engage with vendors in different ways, and that’s
why measurement is unique to each organization. The inherent risk of a
third-party vendor that handles sensitive data and network access, such
as a cloud provider, will be much higher than that of a janitorial services
provider. Therefore, it will need a much more thorough assessment and
deliberate third-party risk management.

How to Calculate Inherent Risk

It is very important to put a framework in place. The first step is to
understand what categories are important to you, as well as the way you
want to weigh them — is one more important than the other? How?

You must take into account the following questions:

 What type of information are you sharing? (i.e. PHI, PII, Financial
and Proprietary data)
 How much data are you sharing with the vendor?
 Is this data in scope for legal or regulatory concern?
(i.e. GDPR, CCPA, NYDFS, etc.)
 How large is your engagement with the vendor and how important
is it for your business operation?
 How easy is it to replace the vendor with another one?

After you create your framework, you will be able to map your inherent
risk measurement and then gather data to actually perform your
measurements. Those two things should be done early on in the risk
management process, because they will make it easier on the backend.
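A weighted inherent-risk framework built from the five intake questions above, which also tiers vendors (Tier 1 to Tier 3, as in the vendor-inventory section earlier on this page) and attaches the high/medium/low treatment guidance from the MindPoint Group article. This is an added example, not code from Bitsight, MindPoint Group or any other source quoted here; the category weights, answer scales, tier thresholds and sample vendors are all assumptions.

```python
"""Weighted inherent-risk scoring and tiering of third-party vendors.
Added example, not code from any of the articles quoted on this page. The
category weights, answer scales and tier thresholds are assumptions chosen
to illustrate the method; a real program defines its own.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Each intake answer maps to a 0..3 score (assumed scales).
DATA_TYPE_SCORE = {"public": 0, "proprietary": 1, "pii": 2, "financial": 3, "phi": 3}
VOLUME_SCORE = {"none": 0, "low": 1, "medium": 2, "high": 3}
ENGAGEMENT_SCORE = {"minor": 0, "supporting": 1, "important": 2, "core": 3}
REPLACE_SCORE = {"easy": 0, "moderate": 2, "hard": 3}

# The weights answer "is one category more important than the other?" (assumed).
WEIGHTS = {"data_type": 0.30, "data_volume": 0.15, "regulatory": 0.15,
           "engagement": 0.25, "replaceability": 0.10, "fourth_parties": 0.05}

TIER_THRESHOLDS = [(60.0, "Tier 1 (high)"), (30.0, "Tier 2 (medium)"), (0.0, "Tier 3 (low)")]
GUIDANCE = {"Tier 1 (high)": "Develop corrective measures immediately",
            "Tier 2 (medium)": "Develop corrective measures within a reasonable time period",
            "Tier 3 (low)": "Decide whether to accept the risk or to mitigate"}


@dataclass(frozen=True)
class Intake:
    vendor: str
    data_types: Tuple[str, ...]     # e.g. ("pii", "financial")
    data_volume: str                # none | low | medium | high
    regulations: Tuple[str, ...]    # e.g. ("GDPR", "CCPA", "NYDFS")
    engagement: str                 # minor | supporting | important | core
    replaceability: str             # easy | moderate | hard
    fourth_parties: bool            # vendor subcontracts part of the service


def category_scores(a: Intake) -> Dict[str, int]:
    """Turn questionnaire answers into one 0..3 score per category."""
    unknown = set(a.data_types) - set(DATA_TYPE_SCORE)
    if unknown:
        raise ValueError(f"unknown data type(s): {sorted(unknown)}")
    # If no data is shared at all, the sensitivity of the listed types is moot.
    sensitivity = 0 if a.data_volume == "none" else max(
        (DATA_TYPE_SCORE[t] for t in a.data_types), default=0)
    return {
        "data_type": sensitivity,
        "data_volume": VOLUME_SCORE[a.data_volume],
        "regulatory": min(len(set(a.regulations)), 3),
        "engagement": ENGAGEMENT_SCORE[a.engagement],
        "replaceability": REPLACE_SCORE[a.replaceability],
        "fourth_parties": 3 if a.fourth_parties else 0,
    }


def inherent_risk_score(a: Intake) -> float:
    """Weighted sum of category scores, normalised to 0..100."""
    scores = category_scores(a)
    weighted = sum(WEIGHTS[c] * s for c, s in scores.items())
    return round(weighted / 3 * 100, 1)


def tier_for(score: float) -> str:
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]


def assess(a: Intake) -> Dict[str, object]:
    score = inherent_risk_score(a)
    tier = tier_for(score)
    return {"vendor": a.vendor, "score": score, "tier": tier,
            "guidance": GUIDANCE[tier], "drivers": category_scores(a)}


def prioritize(intakes: List[Intake]) -> List[Dict[str, object]]:
    """Tier 1 vendors first: they get the most in-depth assessments."""
    return sorted((assess(a) for a in intakes), key=lambda r: r["score"], reverse=True)


# Constructed sample intake answers (not real vendors).
SAMPLE_INTAKES = [
    Intake("CloudHost Inc.", ("pii", "financial"), "high", ("GDPR", "CCPA", "NYDFS"),
           "core", "hard", True),
    Intake("MailBlast SaaS", ("pii",), "medium", ("GDPR",), "supporting", "moderate", True),
    Intake("Janitorial Co.", ("public",), "none", (), "minor", "moderate", False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INTAKES):
        print(f"{row['vendor']:<16} {row['score']:>5}  {row['tier']:<16} {row['guidance']}")
```

The `drivers` dictionary in each result shows which category pushed the score, which is what reviewers need when they question why a vendor landed in a tier.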

How Can Bitsight Facilitate Measuring Inherent Risk?

Bitsight VRM allows you to use your custom risk categories to measure
and score inherent risk on each third-party vendor across your supply
chain, helping you simplify and automate the process.

From a reporting perspective, this allows for unparalleled visibility and
metrics around inherent risk of vendors for the following reasons:
 It allows you to tie your inherent risk framework to your
entire vendor due diligence process.
 It makes it very easy to see what third parties have high and low
inherent risk, and to report on that specific score across a number
of different types of filters.

Organizations using Bitsight VRM are more readily addressing their
inherent risks and are working in a more efficient and strategic way.
Inherent risk will definitely grow in importance because it is a much more
strategic way to segment third-party vendors and to perform due
diligence.

What are 3 examples of risk management?

Some examples of risk management strategies include leveraging existing
frameworks and best practices, minimum viable product (MVP) development,
contingency planning, root cause analysis and lessons learned, built-in buffers,
risk-reward analysis, and third-party risk assessments.

Effective risk management takes a proactive and preventative
stance to risk, aiming to identify and then determine the
appropriate response to the business and facilitate better
decision-making. Many approaches to risk management focus on
risk reduction, but it’s important to remember that risk
management practices can also be applied to opportunities,
assisting the organization with determining if that possibility is
right for it.
Risk management as a discipline has evolved to the point that
there are now common subsets and branches of risk management
programs, from enterprise risk management (ERM), to
cybersecurity risk management, to operational risk management
(ORM), to supply chain risk management (SCRM). With this
evolution, standards organizations around the world, like the
US’s National Institute of Standards and Technology (NIST) and
the International Standards Organization (ISO) have developed
and released their own best practice frameworks and guidance for
businesses to apply to their risk management plan.
Companies that adopt and continuously improve their risk
management programs can reap the benefits of improved
decision-making, a higher probability of reaching goals and
business objectives, and an augmented security posture. But,
with risks proliferating and the many types of risks that face
businesses today, how can an organization establish and optimize
its risk management processes? This article will walk you through
the fundamentals of risk management and offer some thoughts
on how you can apply it to your organization.

What Are Risks?

We’ve been talking about risk management and how it has
evolved, but it’s important to clearly define the concept of risk.
Simply put, risks are the things that could go wrong with a given
initiative, function, process, project, and so on. There are
potential risks everywhere — when you get out of bed, there’s a
risk that you’ll stub your toe and fall over, potentially injuring
yourself (and your pride). Traveling often involves taking on some
risks, like the chance that your plane will be delayed or your car
runs out of gas and leaves you stranded. Nevertheless, we choose
to take on those risks, and may benefit from doing so.
Companies should think about risk in a similar way, not seeking
simply to avoid risks, but to integrate risk considerations into
day-to-day decision-making.

 What are the opportunities available to us?
 What could be gained from those opportunities?
 What is the business’s risk tolerance or risk appetite – that
is, how much risk is the company willing to take on?
 How will this relate to or affect the organization’s goals and
objectives?
 Are these opportunities aligned with business goals and
objectives?

With that in mind, conversations about risks can progress by
asking, “What could go wrong?” or “What if?” Within the business
environment, identifying risks starts with key stakeholders and
management, who first define the organization’s objectives. Then,
with a risk management program in place, those objectives can
be scrutinized for the risks associated with achieving them.
Although many organizations focus their risk analysis around
financial risks and risks that can affect a business’s bottom line,
there are many types of risks that can affect an organization’s
operations, reputation, or other areas.
Remember that risks are hypotheticals — they haven’t occurred
or been “realized” yet. When we talk about the impact of risks,
we’re always discussing the potential impact. Once a risk has
been realized, it usually turns into an incident, problem, or issue
that the company must address through their contingency plans
and policies. Therefore, many risk management activities focus on
risk avoidance, risk mitigation, or risk prevention.
What Different Types of Risks Are There?
There’s a vast landscape of potential risks that face modern
organizations. Targeted risk management practices like ORM and
SCRM have risen to address emerging areas of risk, with those
disciplines focused on mitigating risks associated with operations
and the supply chain. Specific risk management
strategies designed to address new risks and existing risks have
emerged from these facets of risk management, providing
organizations and risk professionals with action plans and
contingency plans tailored to unique problems and issues.
Common types of risks include: strategic, compliance, financial,
operational, reputational, security, and quality risks.
Strategic Risk
Strategic risks are those risks that could have a potential impact
on a company’s strategic objectives, business plan, and/or
strategy. Adjustments to business objectives and strategy have a
trickle-down effect to almost every function in the organization.
Some events that could cause strategic risks to be realized are:
major technological changes in the company, like switching to a
new tech stack; large layoffs or reductions-in-force (RIFs);
changes in leadership; competitive pressure; and legal changes.
Compliance Risk
Compliance risks materialize from regulatory and compliance
requirements that businesses are subject to, like Sarbanes-Oxley
for publicly-traded US companies, or GDPR for companies that
handle personal information from the EU. The consequence or
impact of noncompliance is generally a fine from the governing
body of that regulation. These types of risks are realized when the
organization does not maintain compliance with regulatory
requirements, whether those requirements are environmental,
financial, security-specific, or related to labor and civil laws.
Financial Risk
Financial risks are fairly self-explanatory — they have the
possibility of affecting an organization’s profits. These types of
risks often receive significant attention due to the potential
impact on a company’s bottom line. Financial risks can be
realized in many circumstances, like performing a financial
transaction, compiling financial statements, developing new
partnerships, or making new deals.
Operational Risk
Risks to operations, or operational risks, have the potential to
disrupt daily operations involved with running a business.
Needless to say, this can be a problematic scenario for
organizations with employees unable to do their jobs, and with
product delivery possibly delayed. Operational risks can
materialize from internal or external sources — employee
conduct, retention, technology failures, natural disasters, supply
chain breakdowns — and many more.
Reputational Risk
Reputational risks are an interesting category. These risks look at
a company’s standing in the public and in the media and identify
what could impact its reputation. The advent of social media
changed the reputation game quite a bit, giving consumers direct
access to brands and businesses. Consumers and investors too
are becoming more conscious about the companies they do
business with and their impact on the environment, society, and
civil rights. Reputational risks are realized when a company
receives bad press or experiences a successful cyber attack or
security breach; or any situation that causes the public to lose
trust in an organization.
Security Risk
Security risks have to do with possible threats to your
organization’s physical premises, as well as information systems
security. Security breaches, data leaks, and other successful
types of cyber attacks threaten the majority of businesses
operating today. Security risks have become an area of risk that
companies can’t ignore, and must safeguard against.
Quality Risk
Quality risks are specifically associated with the products or
services that a company provides. Producing low-quality goods or
services can cause an organization to lose customers, ultimately
affecting revenue. These risks are realized when product quality
drops for any reason — whether that’s technology changes,
outages, employee errors, or supply chain disruptions.
Steps in the Risk Management Process
The six risk management process steps that we’ve outlined below
will give you and your organization a starting point to implement
or improve your risk management practices. In order, the risk
management steps are:
1. Risk identification
2. Risk analysis or assessment
3. Controls implementation
4. Resource and budget allocation
5. Risk mitigation
6. Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk
management program, consider having a formal risk assessment
completed by an experienced third party, with the goal of
producing a risk register and prioritized recommendations on
what activities to focus on first. Annual (or more frequent) risk
assessments are usually required when pursuing compliance and
security certifications, making them a valuable investment.
Step 1: Risk Identification
The first step in the risk management process is risk
identification. This step takes into account the organization’s
overarching goals and objectives, ideally through conversations
with management and leadership. Identifying risks to company
goals involves asking, “What could go wrong?” with the plans and
activities aimed at meeting those goals. As an organization moves
from macro-level risks to more specific function and process-
related risks, risk teams should collaborate with critical
stakeholders and process owners, gaining their insight into the
risks that they foresee.
As risks are identified, they should be captured in formal
documentation — most organizations do this through a risk
register, which is a database of risks, risk owners, mitigation
plans, and risk scores.

Step 2: Risk Analysis or Assessment
Analyzing risks, or assessing risks, involves looking at the
likelihood that a risk will be realized, and the potential impact that
risk would have on the organization if it were realized. By
quantifying these on a three- or five-point scale, risk prioritization
becomes simpler. Multiplying the risk’s likelihood score by the
risk’s impact score generates the risk’s overall risk score (1 to 9 on
a three-point scale, 1 to 25 on a five-point scale). This
value can then be compared to other risks for prioritization
purposes.
Likelihood
The likelihood rating asks the risk assessor to consider how
probable it is that the risk will actually occur. Lower scores
indicate a smaller chance that the risk will materialize; higher
scores indicate a greater chance that it will occur.
Likelihood, on a 5×5 risk matrix, is broken out into:

1. Highly Unlikely
2. Unlikely
3. Possible
4. Likely
5. Highly Likely

Impact
The potential impact of a risk, should it be realized, asks the risk
assessor to consider how the business would be affected if that
risk occurred. Lower scores signal less impact to the organization,
while higher scores indicate more significant impacts to the
company.
Impact, on a 5×5 risk matrix, is broken out into:

1. Negligible Impact
2. Low Impact
3. Moderate Impact
4. High Impact
5. Catastrophic Impact

Risk assessment matrices help visualize the relationship between
likelihood and impact, serving as a valuable tool in risk
professionals’ arsenals.
Organizations can choose whether to employ a 5×5 risk matrix,
as outlined above, or a 3×3 risk matrix, which breaks likelihood,
impact, and aggregate risk scores into low, moderate, and high
categories.
Step 3: Controls Assessment and Implementation
Once risks have been identified and analyzed, controls that
address or partially address those risks should be mapped. Any
risks that don’t have associated controls, or that have controls
that are inadequate to mitigate the risk, should have controls
designed and implemented to do so.
Step 4: Resource and Budget Allocation
This step, the resource and budget allocation step, doesn’t get
included in a lot of content about risk management. However,
many businesses find themselves in a position where they have
limited resources and funds to dedicate to risk management and
remediation. Developing and implementing new controls and
control processes is time-consuming and costly; there’s usually a learning
curve for employees to get used to changes in their workflow.
Using the risk register and corresponding risk scores,
management can more easily allocate resources and budget to
priority areas, with cost-effectiveness in mind. Each year,
leadership should re-evaluate their resource allocation as part of
annual risk lifecycle practices.
Step 5: Risk Mitigation
The risk mitigation step of risk management involves both coming
up with the action plan for handling open risks, and then
executing on that action plan. Mitigating risks successfully takes
buy-in from various stakeholders. Due to the various types of risks
that exist, each action plan may look vastly different between
risks.
For example, vulnerabilities present in information systems pose
a risk to data security and could result in a data breach. The
action plan for mitigating this risk might involve automatically
installing security patches for IT systems as soon as they are
released and approved by the IT infrastructure manager. Another
identified risk could be the possibility of cyber attacks resulting in
data exfiltration or a security breach. The organization might
decide that its security controls alone do not reduce that risk to an
acceptable level, and so transfer part of it by contracting with an
insurance company to cover the costs of cyber incidents. Two related
security risks; two very different treatment strategies.
One more note on risk mitigation — there are four generally
accepted “treatment” strategies for risks. These four treatments
are:

 Risk Acceptance: The risk is within acceptable
tolerance, and the organization chooses to accept it.
 Risk Transfer: The organization chooses to transfer the risk,
or part of the risk, to a third-party provider or insurance
company.
 Risk Avoidance: The organization chooses not to move
forward with the activity and avoids incurring the risk.
 Risk Mitigation: The organization establishes an action
plan for reducing or limiting the risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead
chooses to accept, transfer, or avoid the risk, these details should
still be captured in the risk register, as they may need to be
revisited in future risk management cycles.
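The scoring method from Step 2 and the four treatments from Step 5 are easy to get wrong in a spreadsheet (inconsistent bands, high-scoring risks left with no decision). The following is an added example, not code from the original page, that keeps a small risk register, scores each entry as likelihood × impact on the 5×5 scale described above, collapses the same ratings onto a 3×3 scale, ranks the register, and flags any risk above a stated risk appetite that has no treatment recorded. The band thresholds, the 5-to-3 mapping, and the register entries are assumptions constructed for the example; choose your own thresholds and document them in your risk management plan.

```python
"""Risk register scoring and prioritization (likelihood x impact).

Added example, not code from the original page. Band thresholds, the
5-to-3 rating mapping, and the sample register are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rating labels from the 5x5 matrix described in Step 2.
LIKELIHOOD_5 = {1: "Highly Unlikely", 2: "Unlikely", 3: "Possible",
                4: "Likely", 5: "Highly Likely"}
IMPACT_5 = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "High", 5: "Catastrophic"}

# The four treatment strategies from Step 5.
TREATMENTS = ("accept", "transfer", "avoid", "mitigate")


@dataclass
class Risk:
    """One risk register entry: the risk, its owner, ratings and treatment."""
    risk_id: str
    description: str
    owner: str
    likelihood: int                  # 1..5
    impact: int                      # 1..5
    treatment: Optional[str] = None  # one of TREATMENTS, None if undecided
    plan: str = ""                   # mitigation / transfer plan, if any

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings and unknown treatments at entry time.
        if self.likelihood not in LIKELIHOOD_5 or self.impact not in IMPACT_5:
            raise ValueError(f"{self.risk_id}: ratings must be 1..5")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        """Overall risk score = likelihood x impact (1..25 on a 5x5 matrix)."""
        return self.likelihood * self.impact


def band_5x5(score: int) -> str:
    """Map a 5x5 score to low/moderate/high (assumed thresholds)."""
    if score <= 4:
        return "low"
    if score <= 12:
        return "moderate"
    return "high"


def to_3_point(rating: int) -> int:
    """Collapse a 1..5 rating onto the 1..3 scale of a 3x3 matrix (assumed mapping)."""
    return {1: 1, 2: 1, 3: 2, 4: 3, 5: 3}[rating]


def band_3x3(risk: Risk) -> str:
    """Same risk banded on a 3x3 matrix (scores 1..9; assumed thresholds)."""
    score = to_3_point(risk.likelihood) * to_3_point(risk.impact)
    if score <= 2:
        return "low"
    if score <= 4:
        return "moderate"
    return "high"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, so a catastrophic-but-unlikely
    risk ranks above a likely-but-minor one with the same product."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def untreated_above_appetite(register: List[Risk], appetite: int) -> List[str]:
    """IDs of risks that exceed the stated risk appetite but have no treatment
    recorded. Risks at or below the appetite may simply be accepted."""
    return [r.risk_id for r in register
            if r.score > appetite and r.treatment is None]


# Constructed sample register (not from the page).
REGISTER = [
    Risk("R1", "Unpatched internet-facing systems", "IT infrastructure manager",
         likelihood=4, impact=5, treatment="mitigate",
         plan="Auto-install approved security patches on release"),
    Risk("R2", "Data exfiltration despite existing controls", "CISO",
         likelihood=3, impact=5, treatment="transfer",
         plan="Cyber insurance policy covering incident costs"),
    Risk("R3", "Theft of a full-disk-encrypted laptop", "IT support lead",
         likelihood=2, impact=2, treatment="accept"),
    Risk("R4", "Extended office power outage", "Facilities manager",
         likelihood=3, impact=2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} score={r.score:>2} ({band_5x5(r.score)} on 5x5, "
              f"{band_3x3(r)} on 3x3) treatment={r.treatment or 'UNDECIDED'}")
    print("needs a treatment decision:", untreated_above_appetite(REGISTER, appetite=4))
```

Note that R4 lands in different bands on the two matrices (moderate on 5×5, low on 3×3): the matrix you pick changes which risks cross your appetite line, which is why the choice should be recorded alongside the scores rather than left to whoever built the spreadsheet.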
Step 6: Risk Monitoring, Reviewing, and Reporting
The last step in the risk management lifecycle is monitoring risks,
reviewing the organization’s risk posture, and reporting on risk
management activities. Risks should be monitored on a regular
basis to detect any changes to risk scoring, mitigation plans, or
owners. Regular risk assessments can help organizations continue
to monitor their risk posture. Having a risk committee or similar
committee meet on a regular basis, such as quarterly, integrates
risk management activities into scheduled operations, and
ensures that risks undergo continuous monitoring. These
committee meetings also provide a mechanism for reporting risk
management matters to senior management and the board, as
well as affected stakeholders.
As an organization reviews and monitors its risks and mitigation
efforts, it should apply any lessons learned and use past
experiences to improve future risk management plans.
Examples of Risk Management Strategies
Depending on your company’s industry, the types of risks it faces,
and its objectives, you may need to employ many different risk
management strategies to adequately handle the possibilities
that your organization encounters.
Some examples of risk management strategies include leveraging
existing frameworks and best practices, minimum viable product
(MVP) development, contingency planning, root cause analysis
and lessons learned, built-in buffers, risk-reward analysis,
and third-party risk assessments.
Leverage Existing Frameworks and Best Practices
Risk management professionals need not go it alone. There are
several standards organizations and committees that have
developed risk management frameworks, guidance, and
approaches that business teams can leverage and adapt for their
own company.
Some of the more popular risk management frameworks out
there include:

 ISO 31000 Family: The International Organization for
Standardization’s guidance on risk management.
 NIST Risk Management Framework (RMF): The National
Institute of Standards and Technology has released risk
management guidance compatible with its Cybersecurity
Framework (CSF).
 COSO Enterprise Risk Management (ERM): The Committee of
Sponsoring Organizations’ enterprise risk management
guidance.

Minimum Viable Product (MVP) Development
This approach to product development involves developing core
features and delivering those to the customer, then assessing
response and adjusting development accordingly. Taking an MVP
path reduces the likelihood of financial and project risks, like
excessive spend or project delays, by simplifying the product and
decreasing development time.
Contingency Planning
Developing contingency plans for significant incidents and
disaster events is a great way for businesses to prepare for
worst-case scenarios. These plans should account for response
and recovery. Contingency plans specific to physical sites or
systems help mitigate the risk of employee injury and outages.
Root Cause Analysis and Lessons Learned
Sometimes, experience is the best teacher. When an incident
occurs or a risk is realized, risk management processes should
include some kind of root cause analysis that provides insights
into what can be done better next time. These lessons learned,
integrated with risk management practices, can streamline and
optimize response to similar risks or incidents.
Built-In Buffers
Applicable to discrete projects, building in buffers in the form of
time, resources, and funds can be another viable strategy to
mitigate risks. As you may know, projects can get derailed very
easily, going out of scope, over budget, or past the timeline.
Whether a project team can successfully navigate project risks
spells the success or failure of the project. By building in some
buffers, project teams can set expectations appropriately and
account for the possibility that project risks may come to fruition.
Risk-Reward Analysis
In a risk-reward analysis, companies and project teams weigh the
possibility of something going wrong with the potential benefits of
an opportunity or initiative. This analysis can be done by looking
at historical data, doing research about the opportunity, and
drawing on lessons learned. Sometimes the risk of an initiative
outweighs the reward; sometimes the potential reward outweighs
the risk. At other times, it’s unclear whether the risk is worth the
potential reward or not. Still, a simple risk-reward analysis can
keep organizations from bad investments and bad deals.
Third-Party Risk Assessments
Another strategy teams can employ as part of their risk
management plan is to conduct periodic third-party
risk assessments. In this method, a company contracts with
a third party experienced in conducting risk assessments and
has them perform one (or more) for the organization. Note that this
is an assessment performed by an independent third party, which is
distinct from third-party risk management (TPRM), the assessment of
the risk that your own vendors and suppliers introduce. Third-party
risk assessments can be immensely helpful for a new risk
management team or for a mature risk management team that
wants a fresh perspective on its program.
Generally, third-party risk assessments result in a report of risks,
findings, and recommendations. In some cases, a third-party
provider may also be able to help draft or provide input into your
risk register. As external resources, third-party risk assessors can
bring their experience and opinions to your organization, leading
to insights and discoveries that may not have been found without
an independent set of eyes.
Components of an Effective Risk Management Plan
An effective risk management plan has buy-in from leadership
and key stakeholders; applies the risk management steps; has
good documentation; and is actionable. Buy-in from management
often determines whether a risk management function is
successful or not, since risk management requires resources to
conduct risk assessments, risk identification, risk mitigation, and
so on. Without leadership buy-in, risk management teams may
end up just going through the motions without the ability to make
an impact. Risk management plans should be integrated into
organizational strategy, and without stakeholder buy-in, that
typically does not happen.
Applying the risk management methodology is another key
component of an effective plan. That means following the six
steps outlined above should be incorporated into a company’s risk
management lifecycle. Identifying and analyzing risks,
establishing controls, allocating resources, conducting mitigation,
and monitoring and reporting on findings form the foundations of
good risk management.
Good documentation is another cornerstone of effective risk
management. Without a risk register recording all of a company’s
identified risks and accompanying scores and mitigation
strategies, there would be little for a risk team to act on.
Maintaining and updating the risk register should be a priority for
the risk team — risk management software can help here,
providing users with a dashboard and collaboration mechanism.
Last but not least, an effective risk management plan needs to be
actionable. Any activities that need to be completed for mitigating
risks or establishing controls, should be feasible for the
organization and allocated resources. An organization can come
up with the best possible, best practice risk management plan,
but find it completely unactionable because they don’t have the
capabilities, technology, funds, and/or personnel to do so. It’s all
well and good to recommend that cybersecurity risks be
mitigated by setting up a 24/7 continuous monitoring Security
Operations Center (SOC), but if your company only has one IT
person on staff, that may not be a feasible action plan.
Executing on an effective risk management plan necessitates
having the right people, processes, and technology in place.
Sometimes the challenges involved with running a good risk
management program are mundane — such as disconnects in
communication, poor version control, and multiple risk registers
floating around. Risk management software can provide your
organization with a unified view of the company’s risks, a
repository for storing and updating key documentation like a risk
register, and a space to collaborate virtually with colleagues to
check on risk mitigation efforts or coordinate on risk assessments.
What is GRC used for?
GRC tools are software applications that businesses can use to manage policies,
assess risk, control user access, and streamline compliance.

What is GRC?
Governance, Risk, and Compliance (GRC) is a structured way to align IT with business goals
while managing risks and meeting all industry and government regulations. It includes tools and
processes to unify an organization's governance and risk management with its technological
innovation and adoption. Companies use GRC to achieve organizational goals reliably, remove
uncertainty, and meet compliance requirements.

What does GRC stand for?
GRC stands for governance, risk (management), and compliance. Most businesses are familiar
with these terms but have practiced them separately in the past. GRC combines governance, risk
management, and compliance in one coordinated model. This helps your company reduce
waste, increase efficiency, reduce noncompliance risk, and share information more
effectively.

Governance
Governance is the set of policies, rules, or frameworks that a company uses to achieve its
business goals. It defines the responsibilities of key stakeholders, such as the board of directors
and senior management. For example, good corporate governance supports your team in
including the company's social responsibility policy in their plans.

Good governance includes the following:

 Ethics and accountability
 Transparent information sharing
 Conflict resolution policies
 Resource management

Risk management
Businesses face different types of risks, including financial, legal, strategic, and security risks.
Proper risk management helps businesses identify these risks and find ways to remediate any
that are found. Companies use an enterprise risk management program to predict potential
problems and minimize losses. For example, you can use risk assessment to find security
loopholes in your computer system and apply a fix.

Compliance
Compliance is the act of following rules, laws, and regulations. It applies to legal and regulatory
requirements set by industrial bodies and also for internal corporate policies. In GRC, compliance
involves implementing procedures to ensure that business activities comply with the respective
regulations. For example, healthcare organizations must comply with laws like HIPAA that
protect patients' privacy.

Why is GRC important?
By implementing GRC programs, businesses can make better decisions in a risk-aware
environment. An effective GRC program helps key stakeholders set policies from a shared
perspective and comply with regulatory requirements. With GRC, the entire company comes
together in its policies, decisions, and actions.

The following are some benefits of implementing a GRC strategy at your organization.

Data-driven decision-making
You can make data-driven decisions within a shorter time frame by monitoring your resources,
setting up rules or frameworks, and using GRC software and tools.

Responsible operations
GRC streamlines operations around a common culture that promotes ethical values and creates
a healthy environment for growth. It guides strong organizational culture development and ethical
decision-making in the organization.

Improved cybersecurity
With an integrated GRC approach, businesses can employ data security measures to protect
customer data and private information. Implementing a GRC strategy is essential for your
organization due to increasing cyber risk that threatens users' data and privacy. It helps
organizations comply with data privacy regulations like the General Data Protection Regulation
(GDPR). With a GRC IT strategy, you build customer trust and protect your business from
penalties.

What drives GRC implementation?
Companies of all sizes face challenges that can endanger revenue, reputation, and customer
and stakeholder interest. Some of these challenges include the following:

 Internet connectivity introducing cyber risks that might compromise data storage security
 Businesses needing to comply with new or updated regulatory requirements
 Companies needing data privacy and protection
 Companies facing more uncertainties in the modern business landscape
 Risk management costs increasing at an unprecedented rate
 Complex third-party business relationships increasing risk
These challenges create demand for a strategy to navigate businesses toward their goals.
Conventional third-party risk management and regulatory compliance methods are not enough.
Hence, GRC was introduced as a unified approach to help stakeholders make accurate
decisions.

How does GRC work?
GRC in any organization works on the following principles:

Key stakeholders
GRC requires cross-functional collaboration across the different departments that practice
governance, risk management, and regulatory compliance. Some examples include the
following:

 Senior executives who assess risks when making strategic decisions
 Legal teams who help businesses mitigate legal exposures
 Finance managers who support compliance with regulatory requirements
 HR executives who deal with confidential recruitment information
 IT departments that protect data from cyber threats

GRC framework
A GRC framework is a model for managing governance and compliance risk in a company. It
involves identifying the key policies that can drive the company toward its goals. By adopting a
GRC framework, you can take a proactive approach to mitigating risks, making well-informed
decisions, and ensuring business continuity.
Companies implement GRC by adopting GRC frameworks that contain key policies that align
with the organization's strategic objectives. Key stakeholders base their work on a shared
understanding from the GRC framework as they devise policies, structure workflows, and govern
the company. Companies might use software and tools to coordinate and monitor the success of
the GRC framework.

GRC maturity
GRC maturity is the level of integration of governance, risk assessment, and compliance within
an organization. You achieve a high level of GRC maturity when a well-planned GRC strategy
results in cost efficiency, productivity, and effectiveness in risk mitigation. Meanwhile, a low level
of GRC maturity is unproductive and keeps business units working in silos.


What is the GRC Capability Model?
The GRC Capability Model contains guidelines that help companies implement GRC and achieve
principled performance. It ensures a common understanding of communication, policies, and
training. You can take a cohesive and structured approach to incorporate GRC operations across
your organization.

Learn
You learn about the context, values, and culture of your company so you can define strategies
and actions that reliably achieve objectives.

Align
Ensure that your strategy, actions, and objectives are in alignment. You do so by considering
opportunities, threats, values, and requirements when making decisions.

Perform
GRC encourages you to take actions that bring results, avoid those that hinder goals, and
monitor your operations to detect sudden changes.

Review
You revisit your strategy and actions to ensure they align with the business goals. For example,
regulatory changes could require a change of approach.

What are common GRC tools?
GRC tools are software applications that businesses can use to manage policies, assess risk,
control user access, and streamline compliance. You might use some of the following GRC tools
to integrate business processes, reduce costs, and improve efficiency.

GRC software
GRC software helps automate GRC frameworks by using computer systems. Businesses use
GRC software to perform these tasks:

 Oversee policies, manage risk, and ensure compliance
 Stay updated about various regulatory changes that affect the business
 Empower multiple business units to work together on a single platform
 Simplify and increase the accuracy of internal auditing
You can also combine GRC frameworks on one platform. For example, you can use AWS Cloud
Operations to govern cloud and on-premises resources.

User management
You can give various stakeholders the right to access company resources with user
management software. This software supports granular authorization, so you can precisely
control who has access to what information. User management ensures that everyone can
securely access the resources they need to get their work done.
Security information and event management
You can use security information and event management (SIEM) software to detect potential
cybersecurity threats. IT teams feed audit logs such as AWS CloudTrail into SIEM software to
close security gaps and comply with privacy regulations.

Auditing
You can use auditing tools like AWS Audit Manager to evaluate the results of integrated GRC
activities in your company. By running internal audits, you can compare actual performance with
GRC goals. You can then decide if the GRC framework is effective and make necessary
improvements.

What are the challenges of GRC implementation?
Businesses might face challenges when they integrate GRC components into organizational
activities.

Change management
GRC reports provide insights that guide businesses to make accurate decisions, which helps in a
fast-changing business environment. However, companies need to invest in a change
management program to act quickly based on GRC insights.

Data management
Companies have long operated with departmental functions kept separate, each department
generating and storing its own data. GRC works by combining that data across the organization,
which surfaces duplicate and inconsistent records and introduces challenges in managing
information.

Lack of a total GRC framework


A complete GRC framework integrates business activities with GRC components. It serves the
changing business environment, particularly when you are dealing with new regulations. Without
a seamless integration, your GRC implementation is likely to be fragmented and ineffective.

Ethical culture development


It takes great effort to get every employee to share an ethically compliant culture. Senior
executives must set the tone of transformation and ensure that information is passed through all
layers of the organization.

Clarity in communication
The success of GRC implementation depends on seamless communication. Information sharing
must be transparent between GRC compliance teams, stakeholders, and employees. This
makes activities like creating policies, planning, and decision-making easier.

How do organizations implement an effective GRC strategy?
You must bring different parts of your business into a unified framework to implement GRC.
Building an effective GRC requires continuous evaluation and improvement. The following tips
make GRC implementation easier.

Define clear goals


Start by determining what goals you want to accomplish with the GRC model. For example, you
might want to address the risk of noncompliance to data privacy laws.

Assess existing procedures


Evaluate current processes and technologies in your company that you use to handle
governance, risk, and compliance. You can then plan and choose the right GRC frameworks and
tools.

Start from the top


Senior executives play a leading role in the GRC program. They must understand how GRC
informs policy, supports their decisions and builds a risk-aware culture. Top leaders set clear
GRC-driven policies and encourage acceptance within the organization.

Use GRC solutions


You can use GRC solutions to manage and monitor an enterprise GRC program. These GRC
solutions give you a holistic view of the underlying processes, resources, and records. Use the
tools to monitor and meet regulatory compliance requirements. For example, Netflix uses AWS
Config to make sure its AWS resources meet security requirements. Symetra uses AWS Control
Tower to quickly provision new accounts that fully adhere to their corporate policy.

Test the GRC framework


Test the GRC framework on one business unit or process, and then evaluate whether the chosen
framework aligns with your goals. By conducting small-scale testing, you can make helpful
changes to the GRC system before you implement it in the entire organization.

Set clear roles and responsibilities


GRC is a collective team effort. Although senior executives are responsible for setting key
policies, legal, finance, and IT personnel are equally accountable for GRC success. Defining the
roles and responsibilities of each employee promotes accountability. It allows employees to
report and address GRC issues promptly.

How can AWS help with GRC?


AWS Cloud Operations optimizes cloud resources with business agility and governance control.
You can manage dynamic resources on a massive scale and reduce costs.

For example, with AWS Cloud Operations, you can perform the following tasks:

 Govern, grow, and scale AWS workloads in one place
 Ensure your risk management process stands up to an audit
 Automate compliance management to remove human error

What is the three part risk statement?


A good risk statement communicates three elements: the cause (why the risk is
happening), the risk event (the actual risk that, if it happened, could have an impact
on the project), and the effect or impact (what will happen if the risk materialises).

What is TPRM in cyber security?


Third party risk management (TPRM) is the process an organization implements to
manage risks that are a result of business relationships with third parties that are
integrated into their IT environment and infrastructure. These risks can be
operational, cybersecurity, regulatory, financial and reputational.

What are third party attacks?

A third-party attack reaches an organization through a vendor, supplier or external
code it trusts rather than through its own systems directly. One common form, a
third-party script attack, is when a cyber criminal injects malicious code into a
website or application by compromising code that you use which was created by an
organization other than the website or application owner.
What is 3P security?
The 3Ps of security are Protect, Prioritize and Patch.
What is third-party risk management TPRM policy?
In addition to regulating the maintenance of your organization's third-party vendor
inventory, your TPRM policy should also note how your organization will maintain
supplier risk profiles, track the level of data shared with each vendor, and install
security controls to limit the level of information or sensitive data it exposes to a
vendor.
8 Key Elements of a Third-Party Risk Management Policy
Nicholas Sollitto
updated Nov 14, 2023


Any organization that relies on third-party vendors for critical business functions
should develop and maintain an effective third-party risk management
(TPRM) policy.

A TPRM policy is the first document an organization should create when establishing
its TPRM program. TPRM policies allow organizations to document internal roles
and responsibilities, develop regulatory practices, and appropriately communicate
guidelines to navigate third-party risks throughout the vendor lifecycle.

Furthermore, a standardized TPRM policy is vital because it provides an
organization with a roadmap to maintain healthy cybersecurity hygiene, even as it
enters third-party relationships with new vendors and expands its supply chain.

One report estimates that 98% of organizations worldwide have integrations with at
least one third-party service provider that has experienced a breach in the last two
years. While this alarming statistic will frighten most organizations, your organization
can find peace of mind by developing a TPRM policy to guide and manage its overall
TPRM program.


How to Develop Your Organization’s Third-Party Risk Management Program Policy
The most effective TPRM policies include standardized practices that regulate every
stage in the vendor lifecycle, from onboarding to offboarding. Designing your
organization’s comprehensive TPRM policy may seem daunting, primarily if you
already work with many third-party vendors.

If you’re having trouble getting started, consult stakeholders throughout your
organization. Communicating with relevant stakeholders is the best way to ensure
your organization’s TPRM policy prioritizes the needs and challenges of all
departments.

You should also consider industry-specific challenges, such as compliance
regulations and frameworks (NIST, GDPR, CCPA, HIPAA, etc.) and specific risk
categories (cybersecurity risk, operational risk, compliance risk, reputational risk,
etc.) that may affect your organization and its TPRM program.

While all effective TPRM policies are composed of many essential elements, the
best policies will have guidelines in place to standardize how an organization:

 Organizes internal roles and responsibilities
 Establishes risk tolerance and minimum security requirements
 Identifies organizational risks and third-party vulnerabilities
 Onboards third-party vendors and manages vendor risks
 Determines vendor criticality
 Conducts vendor due diligence
 Maintains supply chain visibility and continuous monitoring
 Manages vendor contracts and navigates terminations


1. Organizational Structure: Roles and Responsibilities

Organizing internal TPRM roles and responsibilities is one of the most critical
functions of an effective TPRM policy. Most TPRM policies will outline the roles and
responsibilities of the board of directors, senior management, vendor owners,
independent reviewers, legal, and other groups associated with the organization’s
TPRM program.

When drafting your TPRM policy, carefully outline all responsibilities your team is
accountable for while consulting stakeholders from each group.

Outlining all your organization's TPRM duties in one place will allow individuals to
reference the policy in the future when they are unsure of who is responsible for a
specific task. This clarity will speed up internal communications, improve workflows,
and allow your organization to quickly onboard new team members as your internal
TPRM team expands or changes.


2. Establishing Risk Tolerance and Minimum Security Requirements

All effective TPRM policies establish an organization's overall risk tolerance
threshold and document the minimum security requirements a vendor must possess
to be eligible to enter a third-party partnership with the organization.

Setting these guidelines early will allow your organization to easily compare vendors
and make informed decisions based on the value and risk exposure individual
vendors present to the organization.

Overall, there are three levels of risk tolerance:

 Low-risk tolerance: Organizations with a low-risk threshold accept very few
third-party risks and often place security and predictability ahead of growth and
vendor opportunities.
 Moderate-risk tolerance: Organizations with a moderate-risk threshold are not
afraid of strategic risks but value strong data protection and information security.
 High or critical-risk tolerance: Organizations with a high-risk tolerance
aggressively seek opportunities and are willing to deal with higher uncertainty
regarding their third-party partnerships.
Your organization’s TPRM policy should outline the level of risk your organization is
comfortable with. When describing your organization’s risk tolerance, your TPRM
policy should also identify the specific metrics, such as a minimum security rating,
risk scores, and industry compliance standards, the organization will use to
determine if it is wise to partner with a particular vendor.


3. Identifying Organizational Risks and Vulnerabilities

Even organizations that maintain a low-risk threshold will experience some level of
risk with every third-party partnership. Therefore, after documenting your
organization’s risk appetite, your TPRM policy should demonstrate how it will identify
the risks individual vendors present to the organization.

When documenting how your organization identifies third-party risks, ask yourself
what tools it uses to screen vendors and evaluate their security posture. Your
organization’s TPRM policy should outline these tools and processes so that future
personnel follow the same protocol when assessing the impact of every new third-
party opportunity.

The best TPRM programs utilize several tools to ensure an organization identifies all
risks and vulnerabilities. The best TPRM tool belts include:

 Security ratings,
 Risk assessments,
 Security questionnaires,
 Penetration testing, and
 Vulnerability scanners

While drafting your organization’s TPRM policy, you should also point out areas of
your organization's TPRM program that could use improvement. It's common for
organizations to face resource-related struggles when trying to implement various
tools into their TPRM program, but this doesn’t mean your organization should
expose itself to unnecessary risks.

UpGuard Vendor Risk allows organizations to evaluate vendor risks and
vulnerabilities quickly by utilizing a powerful arsenal of TPRM tools, including
automation, custom risk assessments, up-to-date security ratings, security
questionnaires, and more.

4. Standardizing Processes for Third-Party Onboarding & Vendor Risk Management

Once your organization outlines how it will evaluate potential vendors and identify
third-party risks, it should start using its TPRM policy to standardize vendor
onboarding and risk management processes.
Start by listing all the procedures your organization needs to complete before
permitting a vendor access to any internal systems. Outlining these onboarding
procedures will ensure personnel are always aware of critical requirements.

Next, determine where your organization will keep track of all the vendors within its
supply chain and note this in the TPRM policy. You can also document procedures
your organization uses to update each third-party status as they move through the
vendor lifecycle.

Once again, while drafting your organization’s TPRM policy, you should identify
areas for improvement. If your organization currently uses a manual system to keep
watch over its supply chain, switching to an automated vendor management tool
could improve your organization’s efficiency and effectiveness.

Utilizing a vendor management tool with an all-in-one dashboard, like UpGuard
Vendor Risk, is the best way to keep track of multiple vendors and efficiently manage
onboarding workflows.

In addition to regulating the maintenance of your organization’s third-party vendor
inventory, your TPRM policy should also note how your organization will maintain
supplier risk profiles, track the level of data shared with each vendor, and install
security controls to limit the level of information or sensitive data it exposes to a
vendor.


5. Determining Vendor Criticality

All effective TPRM policies will also outline the procedures and criteria used to
determine vendor criticality and assign standard TPRM risk ratings.

Most organizations will organize vendors into one of two categories:

 Critical: The products or services the vendor provides directly affect daily business
operations, or a sudden loss of the vendor would negatively impact customers or
cause a significant service disruption.
 Non-Critical: The products or services the vendor provides do not directly affect
daily business operations, and a sudden loss of the vendor would not negatively
impact customers or cause a significant service disruption.

Your organization’s TPRM policy should also outline the characteristics of each
standard TPRM risk rating:

 High risk: Most organizations consider partnerships high risk if the nature of the
relationship or the vendor’s profile presents significant risks and requires frequent
oversight. Or, as required by the nature of its business, the vendor has direct access
to sensitive data or customer information.
 Moderate risk: Most organizations consider partnerships moderate risk if the nature
of the partnership or the vendor’s profile presents some risk and periodic oversight is
required. The vendor has limited access to confidential information.
 Low risk: Most organizations consider partnerships low risk if the nature of the
partnership or the vendor’s profile presents little-to-no risk and minimal oversight is
required. The vendor has minimal or no access to personal data.

UpGuard Vendor Risk severity definitions

Finally, your TPRM policy should outline the tools your organization uses to
determine inherent risk and monitor ongoing risk. When drafting this section of the
TPRM policy, ask yourself if your organization utilizes an objective rating tool, vendor
management software, or some other TPRM tool to calculate vendor risk.

6. Conducting Vendor Due Diligence

In addition to establishing vendor criticality and risk ratings, an effective TPRM policy
will also communicate the measures an organization takes to complete risk-based
due diligence procedures.

To make your TPRM policy the most effective, you should communicate when
personnel must complete due diligence activities. Make sure to document what
needs to be completed before onboarding, periodically throughout a vendor
relationship, and before renewing critical contracts.

Your organization’s TPRM policy should also include information on the scope of its
due diligence practices. Most organizations' due diligence processes involve
assessing a vendor’s attack surface, cyber resilience, reputation, compliance with
applicable regulations, and ability to serve the organization’s needs during the
procurement process or throughout the vendor lifecycle.

While drafting the due diligence section of your TPRM policy, you can also ask
yourself these important questions to assess the effectiveness of your organization’s
due diligence plan:

 Does our policy ensure vendors have adequate incident response or disaster
recovery plans in place?
 Does our policy ensure vendors have remediation and mitigation plans in place for
identified risks?
 Does our policy ensure vendor executive boards prioritize the importance of TPRM?


7. Supply Chain Visibility and Ongoing Monitoring

A comprehensive TPRM policy will document how the organization’s TPRM program
maintains supply chain visibility and list all the ongoing monitoring activities the
program uses to manage third-party vendors.

When designing your organization’s TPRM policy, note any TPRM tools it uses to
maintain supply chain visibility. Of course, visibility can pose a significant challenge
for rapidly growing organizations, so this is another place to improve your
organization's current TPRM procedures.


While creating a list of all the monitoring activities your organization conducts,
consider these examples:

 Monitoring for compliance with industry laws and regulatory requirements,
 Administering penetration testing programs to appraise a party’s risk resilience,
 Conducting periodic risk assessments to appraise a third party’s security posture,
 Reviewing a third party’s security rating and rating history,
 Reviewing performance reports related to the third party’s contractual obligations,
etc.

UpGuard allows organizations to monitor their supply chain 24/7

8. Vendor Contracts and Termination

Unfortunately, not every third-party partnership an organization enters is as
successful as the organization hopes. An organization’s TPRM policy should outline
details surrounding vendor contracts and termination protocols to protect the
organization in the event a partnership becomes harmful.

To protect your organization, you should include explicit terms related to contract
execution, management, and termination in your organization’s TPRM policy.

 Contract execution: It is standard for TPRM policies to dictate that third-party
contracts do not become effective until after personnel complete due diligence. This
timing protects the organization if unforeseen concerns arise during due diligence.
 Contract management: TPRM policies typically outline who will manage renewal
and termination dates. This section of a TPRM policy will also likely require that each
party understands its obligations under the contract.
 Contract termination: Most TPRM policies will outline the procedures an
organization should follow when it determines it is best to terminate a contract.

In addition to outlining the procedures the organization will follow when terminating a
contract, your TPRM policy should include a separate section outlining your
organization's rights to deem a contract eligible for termination.

Best Tools of an Effective Third-Party Risk Management Plan

Organizations rely on various TPRM tools to manage cyber risks and carry out all
risk management strategies included in their TPRM policy. The most effective TPRM
programs utilize everything from vendor dashboards to remediation workflows to
manage vendor relationships and the risk they present.

 Intuitive vendor dashboards: The best vendor dashboards are intuitive, user-
friendly, and allow organizations to monitor their entire supply chain in one central
location. Effective dashboards utilize automation to provide security updates and will
send real-time notifications to organizations when a change in security requires their
attention.
 Comprehensive vendor risk assessments: Risk assessments allow organizations
to evaluate a vendor’s security posture at any time. The best risk assessments are
customizable and flexible to meet the needs of any organization.
 Automated security questionnaires: Organizations can gain deep insight into a
vendor’s security structure by utilizing automated security questionnaires.
 Streamlined remediation workflows: The best remediation workflows utilize
automation to eliminate the pain of chasing vendors for fixes and status updates.
 Instant security ratings: Organizations can use instant security ratings to monitor
their entire supply chain around the clock. The best TPRM platforms will also allow
organizations to receive real-time notifications when a vendor’s security rating
drastically changes.

How Can UpGuard Help Your Organization with TPRM?


UpGuard Vendor Risk allows organizations to identify, assess, and mitigate risks all
in one intuitive platform. You can optimize your organization's TPRM program and
follow your third-party risk management framework using UpGuard Vendor Risk to
manage your entire supply chain.
Outsourcing to any third-party vendor presents risks to your organization. UpGuard
Vendor Risk can help your organization with risk mitigation, prevent data breaches,
and improve the efficiency of your overall TPRM team.

What are the phases of third-party risk management?

The Third-Party Vendor Risk Management Lifecycle: The Definitive Guide

 Vendor Sourcing and Selection. ...
 Intake and Onboarding. ...
 Scoring Inherent Risk. ...
 Assessing Vendors & Remediating Risks. ...
 Continuous Monitoring. ...
 Managing Ongoing Performance and SLAs. ...
 Termination and Offboarding.

What is third-party supplier risk?

Third-party risk is the likelihood that your organization will experience an
adverse event (e.g., data breach, operational disruption, reputational damage)
when you choose to outsource certain services or use software built by third
parties to accomplish certain tasks.

What is the TPRM process?

Third party risk management (TPRM) (also called vendor risk management or
VRM) is the practice of evaluating and then mitigating the risks introduced by
vendors (suppliers, third parties, or business partners) both before
establishing a business relationship and during the business partnership.

What are the objectives of TPRM?

A TPRM program helps organizations assess third-party risk exposure,
establish risk management responsibilities to minimize risks and establish
third-party activity oversight. It helps during the initial identification and informs
monitoring and risk mitigation.

What is the vendor life cycle?

The vendor management lifecycle describes each stage you complete while
working with a seller or service provider, from initial sourcing until you end the
contract.
What are the 5 principles of risk management?
5 basic principles of risk management
 #1: Risk identification. ...
 #2: Risk analysis. ...
 #3: Risk control. ...
 #4: Risk financing. ...
 #5: Claims management. ...
 Bringing risk management principles to life.

What are the 4 T's of risk management?


There are always several options for managing risk. A good way to summarise the
different responses is with the 4Ts of risk management: tolerate, terminate, treat and
transfer.

What are the 7 elements of risk management?

Here are seven key components that must be considered:


 Business Objectives and Strategy. ...
 Risk Appetite. ...
 Culture, Governance and Taxonomy. ...
 Risk Data and Delivery. ...
 Internal Controls. ...
 Measurement and Evaluation. ...
 Scenario Planning and Stress Testing.

What are the 5 rules of risk management?


The basic methods for risk management—avoidance, retention, sharing, transferring,
and loss prevention and reduction—can apply to all facets of an individual's life and
can pay off in the long run. Here's a look at these five methods and how they can
apply to the management of health risks.

What are the 7 R's of risk management?

The activities associated with risk management are as follows:

 recognition of risks;
 ranking of risks;
 responding to significant risks;
 resourcing controls;
 reaction (and event) planning;
 reporting of risk performance;
 reviewing the risk management system.

What are the elements of TPRM?


We'll delve into three essential elements that underpin a successful TPRM
framework: standardization, scalability, and harmonization with business goals.
These key principles are crucial for building a robust TPRM program that safeguards
against potential risks while fostering fruitful third-party relationships.

What are the pillars of GRC?

Governance, risk and compliance (GRC) refers to an organization's strategy for
handling the interdependencies among the following three components: Corporate
governance policies. Enterprise risk management programs. Regulatory and
company compliance.

What are the 3 C's of risk?


A connected risk approach aims to connect risk owners to their risks and promote
organization-wide risk ownership by using integrated risk management (IRM)
technology to enable improved Communication, Context, and Collaboration;
remember these as the three C's of connected risk.

What are the 4 parts of risk?


 Step 1: Risk Identification.
 Step 2: Risk Assessment.
 Step 3: Risk Treatment.
 Step 4: Risk Monitoring and Reporting.

What are the 3 types of risk in audit?

There are three main types of audit risk: inherent risk, control risk, and detection
risk. Audit risk is commonly modelled as their product (audit risk = inherent risk ×
control risk × detection risk), so when inherent and control risk are assessed as high,
the auditor must drive detection risk down with more substantive testing.

