Third-Party Risk Management (TPRM): A Complete Guide

What Is Third Party Risk and Why Is It a Concern?

Third-party risk is the potential for a primary organization to suffer a data breach, or be negatively impacted or compromised via connections to external organizations and entities. Common third parties include suppliers, vendors, partners, service providers, and contractors with access to privileged information like customer data and internal company systems or processes.

Many organizations implement robust cybersecurity measures for their internal networks and IT infrastructure, but without extending their efforts to cover external parties. However, third-party relationships significantly increase cybersecurity risk because they can provide an easier entry point into systems and networks.

This is part of an extensive series of guides about access management.

What Is Third-Party Risk Management (TPRM) and What Are Its Objectives?

Third-party risk management (TPRM) involves identifying, assessing, and controlling risks that occur due to interactions with third parties, including procurement and off-boarding. TPRM employs policies and systems to ensure third parties:

• Comply with regulations
• Avoid unethical practices
• Protect confidential information
• Strengthen supply chain security,
• Maintain a healthy and safe working environment
• Handle disruptions effectively
• Achieve high performance and quality levels

What Is a Third-Party Risk Assessment?

Various suppliers can become third parties once introduced into the supply chain, including software and general service providers. Each third party can introduce different security, privacy, business continuity, business reputation, and regulatory compliance risks.

A third-party risk assessment involves analyzing the risks introduced by third-party relationships along the organization’s supply chain. It is a critical part of every third-party risk management program, providing the information needed to create a program suitable to the organization’s specific risks, standards, and compliance requirements.

Organizations can conduct in-house assessments or through an independent contractor. The main goal is to determine third-party relationships and their impact on the organization. Typically, the assessment divides these responsibilities into groups based on risk levels so the organization can streamline supplier risk management efforts to a higher efficiency level.

Applying proper risk management is critical for modern, interconnected organizations because these relationships create entry points for attackers. However, not every third party requires the same level of risk management and attention. Risk levels and impact vary between third-parties, and organizations need to classify vendors by access and risk levels.

Third parties that do not have access to confidential information or computer networks pose lesser risk than parties that offer more interconnected services. An office supplies vendor, for example, does not pose the same level of risk as a Software as a Service (SaaS) provider processing customer payments.

Learn more in our detailed guide to third-party risk assessment

Examples of Third-Party Security Risks

Here are several third-party security risks:

• Cybersecurity risk—a compromised third party can lead to a cyberattack that may result in data exposure or loss. Organizations can mitigate this risk by performing due diligence before onboarding new vendors and by continuously monitoring the vendor lifecycle.
• Operational risk—a third party can disrupt business operations. Organizations can manage this risk through service level agreements (SLAs), and by setting up a backup vendor to ensure business continuity.
• Compliance risk—a third party can impact the organization's compliance with regulations, agreements, or legislation, such as the EU's General Data Protection Regulation (GDPR). Managing compliance risk is critical for financial services, government organizations, and healthcare facilities.
• Reputational risk—a third party can introduce risks that negatively impact public opinion. Third-party data breaches may occur due to poor security controls. It may lead to inappropriate interactions, poor recommendations, and dissatisfied customers.
• Financial risk—a third party can negatively impact the organization's financial success. For example, poor supply chain management may reduce sales or result in no sales at all.
• Strategic risk—a third party risk may cause organizations to fail to meet business objectives.

The above risks often overlap. For example, an organization experiencing a breach that results in compromised customer data, poses operational, reputational, financial, and compliance risks.

Related content: Read our guide to supply chain risk

What Does a Third-Party Risk Management Program Entail?

A TPRM program should feed into an organization’s overall risk management strategy. The third party risk management process should include these steps:

• Vendor evaluation—involves identifying the risks posed by a third-party vendor before onboarding. It is also important to determine the required level of due diligence to manage these risks. For example, organizations can refer to vendor security ratings to see if a given third party has an adequate security posture.
• Vendor engagement—if the vendor’s external security meets the minimum level required, the vendor should also be able to provide additional information regarding internal security measures, which isn’t usually accessible to outsiders.
• Risk remediation—organizations should not onboard a vendor that presents an unacceptable risk, although it may be possible to address these security issues. If the vendor agrees to address the remaining security issues, it may be useful to leverage a remediation tool.
• Decision—based on the vendor’s security posture and ability to remediate issues, the organization decides to approve or reject the vendor. This decision should consider the organization’s risk tolerance and compliance requirements and the vendor’s criticality.
• Continuous monitoring—after onboarding, organizations should continue to monitor the third-party vendor’s security. Maintaining security is especially important once a third party can access sensitive systems and data.

TPRM Best Practices

Here are some best practices to help ensure an effective third party risk management strategy.

Discover more best practices in our detailed guide to supply chain security best practices (coming soon)

1. Define Organizational Goals

The first step in implementing TPRM is identifying risks that align with the organization’s enterprise risk management program and risk identification strategies. A clear view of the organization’s third-party landscape requires creating a robust inventory that differentiates between third parties and determines the actions needed to remain protected.

Mature organizations establish a risk mapping covering geopolitical, financial, reputational, compliance, privacy, strategic, operational, digital, resiliency, business continuity, and cyber risks. This inventory helps identify specific risks to use when evaluating third-party relationships and determine the level of risk that the organization can take.

Organizations should also use their risk management framework to guide third-party relationship owners on effectively managing these relationships and associated risks. Incorporating TPRM into a risk management framework can significantly improve the impact of policies.

2. Get Stakeholder Buy In

Like any security initiative, TPRM can be effective only if all parties adhere to it. Stakeholder buy-in is critical to ensure all parties cooperate in making the initiative work. Organizations should involve all relevant stakeholders, including risk and compliance, procurement, security, and commercial parties, as early in the process as possible, involving them in designing and implementing the organization’s third-party risk management.

3. Build Partnerships with Business Units to Identify, Track and Assess Vendors

Third-party monitoring strategies help assess the organization’s security posture concerning third-party risks. Organizations should assess and analyze these strategies annually or more regularly to ensure they remain effective. Monitoring strategies help organizations identify and track high-risk parties, determine the volume and risk profile of the entire third-party portfolio, and analyze major operational loss events.

Monitoring provides visibility into the possibility of third-party delivery failure. Organizations can use these insights to qualitatively and quantitatively assess how third parties manage their risks and build confidence in the third party’s ability to satisfy the organization’s policies and expectations. A TPRM program helps organizations assess third-party risk exposure, establish risk management responsibilities to minimize risks and establish third-party activity oversight. It helps during the initial identification and informs monitoring and risk mitigation.

4. Risk Tiering

Each vendor presents a different level of risk and importance to the organization. Organizations should thus establish which third parties are of higher or lower priority, based on their criticality.

Organizations typically classify third parties according to three tiers:

• Tier 1—high criticality and high risk.
• Tier 2—medium criticality and risk.
• Tier 3—low criticality and risk.

Most organizations address issues with Tier 1 vendors before dealing with lower-priority risks. These vendors require a higher level of due diligence, with organizations collecting more evidence and expending more resources to ensure security. Tier 1 vendors typically require an in-depth assessment and validation.

The third party’s inherent risk often determines its priority tier during the initial evaluation. Organizations can score inherent risk based on business context and industry standards. Prioritization should take into account the following aspects:

• Will the vendor have access to sensitive business information?
• Will the vendor have access to confidential personal data?
• Does the vendor serve a critical business function?

Vendor impact may also be an important factor. For example, organizations should consider the impact on their operations if the third party fails to deliver a service. The level of disruption determines the risk level of the third party. The impact assessment should address the following risks:

• What happens if someone discloses information available to the third party without authorization?
• What happens if someone destroys or modifies information​ without authorization?
• What happens if someone blocks access to the information​?

Some organizations choose a different tier system to categorize vendors. For example, priority tiers might refer to the values of contracts, with Tier 1 including the higher-budget vendors with higher-value contracts presenting a higher risk level.

5. Work with Procurement

The procurement process involves providing information on security checks and onboarding. Organizations should incorporate procurement into their TPRM program to reduce third-party risk while evaluating supplies. It requires evaluating areas of high-risk exposure of the suppliers the organization chooses to partner with, including direct and indirect risks.

Identifying this baseline risk in advance provides a concrete measurement to assess the risk these partners introduce. For example, geopolitical risks, such as trade agreements between China and the US, can impact the organization even though the organization’s third-party suppliers cannot affect this agreement.

The procurement team should also identify all potential risk scenarios, determine the most likely disabling circumstances, and locate events likely to cause the most costly interruptions to the organization’s supply chain (even those unlikely to occur). Common external threats include geopolitical risks, financial market risks, and natural disasters.

After obtaining a comprehensive view of the highest-risk areas, organizations can start implementing a third-party risk management strategy. It should cover all aspects, including planning, strategic sourcing, due diligence, vendor and supplier selection, contract negotiations, and monitoring.

6. Execute the Program with Continuous Monitoring

A TPRM program is a daily, continuous strategic initiative. After defining a vendor risk assessment process and engaging with third-party vendors, organizations should implement continuous monitoring to constantly assess the risks vendors pose to the organization and proactively identify changes in their security posture.

Continuous monitoring enables organizations to evaluate and detect security and compliance issues in real time and gain a constant view of the third-party risk landscape. Here are the key benefits of continuously monitoring third-party risks:

• A proactive approach—continuous monitoring provides real-time insights into vendors. It enables organizations to observe movement against risk thresholds that require assessment according to changes to security posture rather than calendar dates.
• Save time and resources—manual assessments are often slow and costly. For example, questionnaires with thousands of questions approaching many organizations with hundreds or thousands of vendors typically take a long time and require investing in many resources. Continuous monitoring helps reduce this investment.
• Objective context—organizations can leverage objective context to prevent human error and inaccuracies. For example, it can check if vendors patch and scan for malware regularly and check that their SSL certification is up to date. Objective, externally observable information helps verify vendors’ security and flag areas for follow-up.

See Additional Guides on Key Access Management Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.

Network Topology Mapping

Authored by Faddom

• Network Topology Mapping: Types and Tools

• Micro Segmentation & Network Microsegmentation Beginners Guide

• The basics of networking on VMware

RBAC

Authored by Frontegg

• What Is Role-Based Access Control (RBAC)? A Complete Guide

• Role Based Access Control Best Practices You Must Know

• RBAC in Azure: A Practical Guide

SSO

Authored by Frontegg

• How Does Single Sign-On (SSO) Work?

• AWS SSO: Concepts, Features, and a Quick Tutorial

• Okta SSO: Features, Pricing, and Integrations