
Third-Party Risk Management (TPRM): A Complete Guide


What Is Third-Party Risk Management (TPRM)?

Third-party risk management (TPRM) involves identifying, assessing, and controlling the risks that arise from an organization's relationships with third parties, across the whole lifecycle from procurement to offboarding. TPRM employs policies and systems to ensure third parties:

  • Comply with regulations
  • Avoid unethical practices
  • Protect confidential information
  • Strengthen supply chain security
  • Maintain a healthy and safe working environment
  • Handle disruptions effectively
  • Achieve high performance and quality levels

Why Is Third-party Risk Management Important?

Third-party risk management is critical for making sure the companies you are associated with uphold relevant laws, regulations, and industry standards. Traditionally, third-party risk management addresses risk arising from a vendor's financial health, IT security, or data protection. Yet compliance and reputational risk are also important. Consumers can be unforgiving when unfair practices at a third party come to light, and your company is likely to suffer the consequences.

As third-party relationships continue to expand, governments have introduced more regulations. To help you deal with the complexity, your third-party risk management process should include aspects of advanced supply chain risk management. You will need a third-party risk framework to assess the criticality of each third party and the assets it touches, along with a set of collaborative plans for handling third-party risk events.

Related content: Read our guide to third-party security

What is a Third-Party Risk Assessment?

Any supplier introduced into the supply chain becomes a third party, including software vendors and general service providers. Each third party can introduce different security, privacy, business continuity, reputational, and regulatory compliance risks.

A third-party risk assessment involves analyzing the risks introduced by third-party relationships along the organization’s supply chain. It is a critical part of every third-party risk management program, providing the information needed to create a program suitable to the organization’s specific risks, standards, and compliance requirements.

Organizations can conduct assessments in-house or through an independent contractor. The main goal is to identify each third-party relationship and its impact on the organization. Typically, the assessment divides third parties into groups based on risk level, so the organization can focus its supplier risk management effort where it matters most.

Applying proper risk management is critical for modern, interconnected organizations because these relationships create entry points for attackers. However, not every third party requires a thorough risk management investigation. Risk levels and impact vary between third parties, and organizations need to classify contractors by their level of access and risk.

Third parties that do not have access to confidential information or computer networks pose less risk than parties that do. The office supplies vendor, for example, does not pose the same level of risk as the Software as a Service (SaaS) contractor processing customer payments.

Learn more in our detailed guide to third-party risk assessment

Common Third-Party Security Risks

Here are several third-party security risks:

  • Cybersecurity risk—a third party can lead to a cyberattack that may result in data exposure or loss. Organizations can mitigate this risk by performing due diligence before onboarding new vendors and by continuously monitoring the vendor lifecycle.
  • Operational risk—a third party can disrupt business operations. Organizations can manage this risk through service level agreements (SLAs), and by setting up a backup vendor to ensure business continuity. 
  • Compliance risk—a third party can impact the organization’s compliance with regulations, agreements, or legislation, such as the EU’s General Data Protection Regulation (GDPR). Managing compliance risk is critical for financial services, government organizations, and healthcare facilities.  
  • Reputational risk—a third party can introduce risks that negatively impact public opinion. Third-party data breaches caused by poor security controls, inappropriate interactions with customers, or poor-quality work all reflect on the organization and lead to dissatisfied customers.
  • Financial risk—a third party can negatively impact the organization’s financial success. For example, poor supply chain management may reduce sales or result in no sales at all.
  • Strategic risk—a third party risk may cause organizations to fail to meet business objectives.

The above risks often overlap. For example, an organization experiencing a breach that compromises customer data faces operational, reputational, financial, and compliance risk at the same time.

Related content: Read our guide to supply chain risk (coming soon)

What Does a Third-party Risk Management Framework Include?

A TPRM framework should feed into an organization’s overall risk management strategy. The third party risk management process should include these steps:

  • Vendor evaluation—involves identifying the risks posed by a third-party vendor before onboarding. It is also important to determine the required level of due diligence to manage these risks. For example, organizations can refer to vendor security ratings to see if a given third party has an adequate security posture.
  • Vendor engagement—if the vendor’s external security meets the minimum level required, the vendor should also be able to provide additional information regarding internal security measures, which isn’t usually accessible to outsiders. 
  • Risk remediation—organizations should not onboard a vendor that presents an unacceptable risk unless the underlying security issues can be addressed first. If the vendor agrees to fix the outstanding issues, a remediation-tracking tool helps verify that the fixes actually land before onboarding proceeds.
  • Decision—based on the vendor’s security posture and ability to remediate issues, the organization decides to approve or reject the vendor. This decision should consider the organization’s risk tolerance and compliance requirements and the vendor’s criticality. 
  • Continuous monitoring—after onboarding, organizations should continue to monitor the third-party vendor’s security. Maintaining security is especially important once a third party can access sensitive systems and data.

6 TPRM Best Practices

Here are some best practices to help ensure an effective third party risk management strategy.

Discover more best practices in our detailed guide to supply chain security best practices (coming soon)

1. Prioritize Vendors

Each vendor presents a different level of risk and importance to the organization. Organizations should thus establish which third parties are of higher or lower priority, based on their criticality. 

Organizations typically classify third parties according to three tiers:

  • Tier 1—high criticality and high risk.
  • Tier 2—medium criticality and risk.
  • Tier 3—low criticality and risk.

Most organizations address issues with Tier 1 vendors before dealing with lower-priority risks. These vendors require a higher level of due diligence, with organizations collecting more evidence and expending more resources to ensure security. Tier 1 vendors typically require an in-depth assessment and validation.

The third party’s inherent risk often determines its priority tier during the initial evaluation. Organizations can score inherent risk based on business context and industry standards. Prioritization should take into account the following aspects:

  • Will the vendor have access to sensitive business information?
  • Will the vendor have access to confidential personal data?
  • Does the vendor serve a critical business function?

Vendor impact may also be an important factor. For example, organizations should consider the impact on their operations if the third party fails to deliver a service. The level of disruption determines the risk level of the third party. The impact assessment should address the following risks:

  • What happens if someone discloses information without authorization?
  • What happens if someone destroys or modifies information​ without authorization?
  • What happens if someone blocks access to the information​?

Some organizations choose a different tier system to categorize vendors. For example, priority tiers might be based on contract value, with Tier 1 containing the higher-budget vendors whose higher-value contracts present a higher risk level.

2. Implement Supply Chain Risk Management 

Organizations implement supply chain risk management (SCRM) to identify, assess, and mitigate risks related to their supply chain. A global SCRM strategy helps ensure efficient operations, lower costs, and improved customer service.

Supply chain management covers the flow of goods used by an organization, including all the processes involved in converting raw materials into finished products or services. It includes planning and managing activities relating to sourcing, procuring, and managing the logistics of products supplied by third parties.

3. Automate Everything You Can

Consistent, repeatable operations are easy to automate to increase efficiency. Several aspects of third-party risk management are well-suited to automation. For example: 

  • Vendor onboarding—organizations can automatically add vendors to their inventories by integrating with a contract management system or completing intake forms.
  • Inherent risk calculation and vendor prioritization—information collected during the intake process, such as business context, can inform automated risk assessments, allowing organizations to prioritize third-party vendors based on risk.
  • Risk owner and mitigation task assignment—automated systems can flag vendors, recommend mitigation tasks, and assign those tasks to the relevant individual.
  • Vendor performance assessments—automatic triggers can ensure regular vendor reviews, while vendors that fail a review can trigger the offboarding process.
  • Alerts and notifications—flagged risks and newly onboarded vendors can trigger email notifications or other alerts to all relevant stakeholders. 
  • Report scheduling and running—it is possible to set up monthly, weekly, or daily automated reports, which can be automatically shared with the relevant individuals.

Each organization uses a unique TPRM program, but all organizations have repeatable processes suitable for automation. The automation strategy can start small, focusing on key tasks and building up over time to save time and money.
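The inherent-risk questions and impact questions from best practice 1, and the automated review triggers from best practice 3, fit together as one small scoring-and-scheduling routine. The following is an added example written for this guide, not BlueVoyant's tooling or any product's code; the point weights, the tier thresholds, the per-tier review cadence, and the sample vendors are all assumptions chosen for illustration.

```python
"""Illustrative TPRM helpers: inherent-risk scoring, tiering and review triggers.

Added example; not BlueVoyant's tooling. The point weights, the tier
thresholds and the per-tier review cadence are assumptions chosen for
illustration and should be tuned to your own risk appetite.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Impact of unauthorised disclosure / modification / blocked access
# (confidentiality, integrity, availability), as answered on the intake form.
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class VendorIntake:
    name: str
    accesses_business_info: bool      # sensitive business information
    accesses_personal_data: bool      # confidential personal data
    critical_function: bool           # serves a critical business function
    impact_disclosure: str            # "low" | "medium" | "high"
    impact_modification: str
    impact_unavailability: str
    last_review: Optional[date] = None        # None: never assessed
    last_review_passed: Optional[bool] = None

    def __post_init__(self) -> None:
        # Reject malformed intake answers instead of silently scoring them 0.
        for level in (self.impact_disclosure, self.impact_modification,
                      self.impact_unavailability):
            if level not in IMPACT_LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")


def inherent_risk_score(v: VendorIntake) -> int:
    """Assumed model: access/criticality points (0-7) scaled by the worst-case
    impact (1-3). Multiplying rather than adding keeps a vendor with narrow
    access but catastrophic failure impact from landing in the lowest tier."""
    access = (3 * int(v.accesses_personal_data)
              + 2 * int(v.accesses_business_info)
              + 2 * int(v.critical_function))
    worst_impact = max(IMPACT_LEVELS[v.impact_disclosure],
                       IMPACT_LEVELS[v.impact_modification],
                       IMPACT_LEVELS[v.impact_unavailability])
    return access * worst_impact          # 0..21


def tier(score: int) -> int:
    """Map a score to the three tiers used in the text (assumed thresholds)."""
    if score >= 10:
        return 1
    if score >= 4:
        return 2
    return 3


# Assumed cadence: Tier 1 reviewed yearly, Tier 2 every two years, Tier 3 every three.
REVIEW_INTERVAL = {1: timedelta(days=365), 2: timedelta(days=730), 3: timedelta(days=1095)}


def next_action(v: VendorIntake, today: date) -> str:
    """Automation trigger for one vendor: 'assess' (never reviewed),
    'offboard' (failed last review), 'review_due' (cadence elapsed) or 'ok'."""
    if v.last_review is None:
        return "assess"
    if v.last_review_passed is False:
        return "offboard"
    if today - v.last_review >= REVIEW_INTERVAL[tier(inherent_risk_score(v))]:
        return "review_due"
    return "ok"


def triage(vendors, today: date) -> dict:
    """Run the trigger over the inventory; the result is what a scheduled job
    would turn into task assignments, notifications or an offboarding workflow."""
    return {v.name: (tier(inherent_risk_score(v)), next_action(v, today))
            for v in vendors}


# Constructed sample inventory (not real vendors) and a fixed "today" for the run.
SAMPLE_VENDORS = [
    VendorIntake("PayFlow SaaS (card processing)", True, True, True,
                 "high", "high", "high", date(2022, 3, 1), True),
    VendorIntake("Office supplies", False, False, False,
                 "low", "low", "low", date(2023, 6, 1), True),
    VendorIntake("Marketing agency", True, False, False,
                 "medium", "low", "low", None, None),
    VendorIntake("Logistics provider", False, False, True,
                 "low", "low", "high", date(2023, 9, 1), False),
]
AS_OF = date(2024, 1, 15)

if __name__ == "__main__":
    for name, (t, action) in triage(SAMPLE_VENDORS, AS_OF).items():
        print(f"Tier {t}  {action:<10}  {name}")
```

On the sample data the payment processor scores the maximum 21 and lands in Tier 1 with its yearly review overdue, the office supplies vendor scores 0 and stays in Tier 3, the marketing agency has never been assessed and is queued for an onboarding assessment, and the logistics provider, although only Tier 2, is routed to offboarding because it failed its last review. The multiplicative scoring is the design choice worth noting: a vendor with no data access but a high unavailability impact still clears the Tier 3 threshold, which matches the impact questions in the text.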

4. Consider Contractual Responsibilities

Although each final contract should be unique, many organizations use general templates as the basis for their contracts with third parties. The contract should spell out each party's responsibilities and the standards it must meet, and both parties should make sure they understand those terms before signing. A third-party contract should also cover the procedures for negotiating, approving, and recording contractual changes.

5. Assess Security Controls

Large companies like Adobe and Microsoft have vendor assessment programs that can serve as the basis for an organization’s vendor assessment framework. Companies typically assess the security controls of any third party that handles their data. Examples of useful controls include:  

  • Security certification attestations—organizations may review reports such as a SOC 2 Type II report or an ISO 27001 certificate to verify adherence to security standards and policies.
  • Authentication policies—cover passwords, access controls, and multi-factor authentication (MFA) support.
  • Logs and audits—include system, application, and network log details, and log retention policies.
  • Data center security—includes physical security measures to protect the locations that host company data.
  • Vulnerability management—covers external and internal vulnerability assessments, penetration tests, patch policies, and remediation timelines.
  • Endpoint protection policies—address the security of endpoint devices.
  • Encryption—covers encryption of data at rest and in transit.

6. Refer to Industry Standards

Organizations can benefit from established industry standards when assessing vendors. Examples of frameworks and questionnaires that can inform a TPRM strategy include SOC 2, ISO 27001, the NIST Risk Management Framework (SP 800-37 Rev. 2), NIST SP 800-171, the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire (CAIQ), the Vendor Security Alliance (VSA) Questionnaire, and the CIS Critical Security Controls.

Between them, these frameworks and questionnaires provide thousands of control statements and questions that organizations can adapt for their own vendor assessment questionnaires.