Third-Party Risk Management PDF

THIRD-PARTY RISK MANAGEMENT:
BEST PRACTICES FOR AN EFFECTIVE

AND EFFICIENT PROGRAM
ED THOMAS, SENIOR VICE PRESIDENT, PROCESSUNITY
WEBINAR INFORMATION & QUICK TIPS
• The Presentation Deck can be downloaded from the MATERIALS window.
• Windows can be hidden or expanded to fit your preference.
• Submit questions in the Q&A window.
• Use the HELP icon at the bottom for FAQ’s and system requirements.
• Please click on the ISACA Customer Experience Center image to be

redirected to ISACA’s customer support page.
CPE CREDIT & CERTIFICATE
Live Event: On-Demand Recording:

• You must view the live webinar for the • Recording must be watched from the
required amount of time beginning to the very end – the system
will track your progress.
• Certificate will appear in the CPE Credit &
Certificate window • Credit Submission tab to access
survey.
• Certificate MUST be downloaded before
existing the platform. • Submit Survey and Submit Credit to
be redirected to your ISACA Account.
• Certificate WILL NOT be available after the
webinar concludes. • Certificate uploaded to your ISACA CPE
Records
TODAY’S SPEAKER
Ed Thomas
Senior Vice President
ProcessUnity
Today’s Agenda
• TPRM: Getting Grounded
• Program Building Blocks:
Onboarding & Ongoing Monitoring
• Inherent Risk Best Practices
• Residual Risk & Review Cadences
• Getting Outside Help: External
Content & Managed Services
• Assessing Your Program’s Maturity
& Identifying Steps to Improve
5 © ProcessUnity, Inc. All Rights Reserved.

POLL QUESTION #1:
How big is your TPRM team today?
 1 Person
 2-3 People
 4-5 People
 6-10 People
 10+ People
 I don’t know

TPRM: Getting
Grounded
Third-Party Risk Management
Policy & Procedure Management software allows companies to more
efficiently manage operations by creating a systemic approach for making decisions
and the methods to deploy them in day-to-day operations
Compliance Management systems ensure that

organizations are following a given set of rules and regulations and
are well equipped to handle any regulatory changes
Policy & Procedure

Policies & Procedures Management
Compliance
Controls Financial IT Operational Management
Brand & Reputation Business Continuity
Information Security Sales & Ethics
Legal & Litigation Personnel Risk

Financial Security & Privacy Management
Risk Management solutions are
Risks Health & Safety Product Quality technologies that enable a
comprehensive, program that
manages all aspects of risk in an
Your Organization organization’s process

Third-Party Risk Management
Policy & Procedure Management software allows companies to more
efficiently manage operations by creating a systemic approach for making decisions
and the methods to deploy them in day-to-day operations
Compliance Management systems ensure that

organizations are following a given set of rules and regulations and
are well equipped to handle any regulatory changes
Policy & Procedure

Policies & Procedures Management
Compliance Third Party Risk

Management Management solutions are
Controls Financial IT Operational applications that identify and
Policies & Procedures
remediate risks posed by third-party
Brand & Reputation Business Continuity Third-Party Risk service providers
Management Controls Financial IT Operational
Information Security Sales & Ethics
Brand & Reputation Business Continuity
Legal & Litigation Personnel Risk Information Security Sales & Ethics
Financial Security & Privacy Management Legal & Litigation Personnel

Risk Management solutions are
Financial Security & Privacy
Risks Health & Safety Product Quality technologies that enable a
Risks Health & Safety Product Quality comprehensive, program that
manages all aspects of risk in an
Your Organization Third Party Organization organization’s process

“
People don’t do what you
expect but what you
inspect.
- Louis V. Gerstner Jr.
10
”
© ProcessUnity, Inc. All Rights Reserved.
The Third-Party Risk Lifecycle
Due Ongoing On-Site Control Performance Contract SLA Issue

Onboarding Diligence Monitoring Assessment Reviews Reviews Monitoring Management
Establish an Enforce Streamline Systematically Manage with Create a unified Document, Formally track
enterprise-wide objectivity within processes conduct consistency process monitor vendor issues
process your vendor while reducing and document and record
process errors

How Can You Assess More Vendors, More Thoroughly… in Less Time…
Onboarding Due Diligence Ongoing Monitoring
1 2 3
Establish an Enforce objectivity within Streamline processes
enterprise-wide process your vendor process while reducing errors

…So Your Team Can Spend More Time Reducing Risk and Generating ROI.
Due Ongoing On-Site Control Performance Contract SLA Issue

Onboarding Diligence Monitoring Assessment Reviews Reviews Monitoring Management
Establish an Enforce Streamline Systematically Manage with Create a unified Document, Formally track
enterprise-wide objectivity within processes conduct consistency process monitor vendor issues
process your vendor while reducing and document and record
process errors

A Few of the Challenges Organizations Face Today
• Who are our critical outsourced third-parties?
Identifying / Grouping Critical • What services are they providing?
Vendor by Risk Tier • Where are they located?
• How do we risk-tier our vendor database?
Establishing a • How do we ensure adoption and compliance across the

organization?
Framework / Process • How can we improve vendor responsiveness / reduce fatigue?
for Internal & External Review • How do we improve executive support / communication?
Storing Supporting • How and when do we reassess third parties?

Documentation • How do we organize the data from our vendor population?
Determining Which Fourth • Which vendors are using fourth parties to deliver services?
(Fifth?) Parties to Assess • How far down the chain do we have to go to feel secure?

It’s Not Going to Get Easier
• More third-parties (and fourth-parties)
• More / new / different threats
• Evolving regulations (EBA, GDPR, CCPA, FCA, PCI, HIPAA, DPA)
• Vendors are buckling under the load

Program Building
Blocks
Building Blocks: Base Processes & Flows
Pre-Contract Post-Contract
Onboarding Workflow
INHERENT RISK DUE DILIGENCE

ASSESSMENT ASSESSMENT
Onboarding Workflow Ongoing Monitoring Workflow
INHERENT RISK DUE DILIGENCE DUE DILIGENCE SERVICE

ASSESSMENT ASSESSMENT ASSESSMENT REVIEW
Onboarding Workflow Ongoing Monitoring Workflow
INHERENT RISK DUE DILIGENCE DUE DILIGENCE SERVICE

ASSESSMENT ASSESSMENT ASSESSMENT REVIEW
ISSUE MANAGEMENT & REMEDIATION
Onboarding Workflow
Line of
Business
Third-Party
Manager
Third-Party
Contact
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Third-Party
Manager
Third-Party
Contact
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Follow Up
Third-Party Advance
Request?
Manager 2. Review
Third-Party
Service
Request
Third-Party
Contact
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Follow Up
Yes Follow Up
Third-Party Advance
Inherent
Risk
Request?
Manager 2. Review
Third-Party
Level 3. Send
Assessment
5. Analyze
Assessment
Service
Request
Third-Party
Contact 4. Assessment
Response
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Follow Up
Yes Follow Up
Third-Party Advance
Inherent
Risk
Request?
Manager 2. Review
Third-Party
Level 3. Send
Assessment
5. Analyze
Assessment
6. Create
Related
7. Close
Assessment
Service Issues
Request
Third-Party
Response
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Follow Up
Yes Follow Up Yes
Third-Party Advance
Inherent Request
Risk
Manager 2. Review Request?
Level 3. Send 5. Analyze 6. Create 7. Close 8. Agreement Approved
Third-Party Assessment Assessment Related Assessment in Review
Service Issues
Request
Third-Party
Response
Onboarding Workflow
Line of
Business 1. Request
Third-Party
Service
Follow Up
Low Critical / High /
Yes Medium Follow Up Yes
Third-Party Advance
Inherent Request
Risk
Service Issues
Request
Third-Party
Response
Onboarding Workflow
Line of Request
Business 1. Request Denied
Third-Party
Service
Follow Up
Critical / High / No
No Low No
Third-Party Advance
Inherent Request
Risk
Service Issues
Request
Third-Party
Response
Ongoing Monitoring: Periodic Due Diligence
Line of
Business
Follow Up
Third-Party
Manager 1. Send
Assessment
3. Analyze
Assessment
4. Create
Related
5. Close
Assessment
Issues
Third-Party
Response
Ongoing Monitoring: Service Reviews
Line of
2. Complete
Business Service
Review
Third-Party
Manager 1. Send
Service
Review
Third-Party
Contact
Issue Management & Remediation
Line of
Business
Third-Party
Manager 1. Communicate
to Third-Party
3. Update
Issue
Contact
Third-Party
Contact 2. Respond
to Issue
Inherent Risk
Onboarding Workflow
Line of Request
Third-Party
Service
Follow Up
No Low No
Third-Party Advance
Inherent Request
Risk
Service Issues
Request
Third-Party
Response
Onboarding Workflow
Line of Request
Third-Party
Service
Follow Up
No Low No
Third-Party Advance
Inherent Request
Risk
Service Issues
Request
Third-Party
Response
Risk Domains Help Define Inherent Risk Questions
Identity Fourth-Party
Information Security Reputation
Geographic Compliance
Financial Business Continuity Conflict of Interest

Define Your Inherent Risk Questions
• What is the expected annual contract • Is any part of the third-party service being
amount? (Financial / Business Continuity) provided subject to any regulatory /
• Is the third-party service performed compliance requirements? (Compliance)
domestically? (Geographic) • Does this third-party store, process or
• Is the service essential to the operations of transmit Personally Identifiable Information
the company? (Business Continuity) (PII) or Protected Health Information (PHI)
as part of this service? (Information Security)
• How difficult would it be to replace this
service with an alternative? (Business • Is the service delivered as a cloud-based
Continuity) solution? (Information Security)
• What is the expected annual volume of • Does this third party have access to our IT
records that will be accessed, processed, network or technical infrastructure?
(Information Security)
stored or transmitted by this third party?
(Information Security) • Does the third party outsource any part of
the service? (Geographic / Information
Security)
Define Your Risk Tiers
LOW MEDIUM HIGH
LOW MEDIUM HIGH CRITICAL
D C B A
1 2 3 4 5 6 7 8 9 10
Define Your Risk Tiers
LOW MEDIUM HIGH
D C B A
1 2 3 4 5 6 7 8 9 10
Building a Scoring System
• What is the expected annual contract • Is any part of the third-party service being
amount? (Financial / Business Continuity) provided subject to any regulatory /
• Is the third-party service performed compliance requirements? (Compliance)
domestically? (Geographic) • Does this third-party store, process or
• Is the service essential to the operations of transmit Personally Identifiable Information
the company? (Business Continuity) (PII) or Protected Health Information (PHI)
as part of this service? (Information Security)
• How difficult would it be to replace this
service with an alternative? (Business • Is the service delivered as a cloud-based
Continuity) solution? (Information Security)
• What is the expected annual volume of • Does this third party have access to our IT
records that will be accessed, processed, network or technical infrastructure?
(Information Security)
stored or transmitted by this third party?
(Information Security) • Does the third party outsource any part of
the service? (Geographic / Information
Security)
Is the service essential to the

operations of the company? YES = CRITICAL
How difficult would it be to replace this
service with an alternative?
Is any part of the third-party service being
provided subject to any regulatory /
compliance requirements?
Does this third-party store, process or
= CRITICAL
transmit PII or PHI as part of this service?
Is the service delivered as a cloud-based
solution?
Does this third party have access to our IT
network or technical infrastructure?
Does the third party outsource any part of
+ the service?
service with an alternative?
compliance requirements? Is the service essential to the
= operations ofCRITICAL
the company?
transmit PII or PHI as part of this service?
solution?
network or technical infrastructure?
+ the service?
service with an alternative? 2 Points
compliance requirements? 2 Points Is the service essential to the
= operations ofCRITICAL
the company?
transmit PII or PHI as part of this service? 2 Points 12 Points
solution? 2 Points
network or technical infrastructure? 2 Points
+ the service? 2 Points
0-5 6-7 8 - 11 12 +
12 Service is essential
to company operations
2 Service is subject to
regulatory requirements
6 Annual contract
amount > $500,000 2 Third party has access
to PII or PHI
2 A part of the service is

performed internationally 2 Service is delivered
as a cloud-based solution
2 Difficult to replace
service with alternative 2 Third party has access to
our technical infrastructure
Intake Questions
& Point Values
2 High annual
record volume 2 Third party outsources
a portion of the service
Checking the Math
MAJOR RECORDS LANDSCAPING
BANK SHREDDER CONTRACTOR
Essential to operations YES (12 Points) NO NO
Contract > $500,000 NO NO
Performed internationally NO NO
Difficult to replace YES (2 Points) NO
High record volume YES (2 Points) NO
Subject to regulatory requirements YES (2 Points) NO
Access to PII or PHI YES (2 Points) NO
Cloud-based solution NO NO
Access to technical infrastructure NO NO
Outsources a portion of the service NO YES (2 Points)
TOTAL SCORE 12 8 2
RISK TIER CRITICAL HIGH LOW
Use Inherent Risk to Scope Due Diligence
0-5 6-7 8 - 11 12 +
Use Inherent Risk to Scope Due Diligence
0-5 6-7 8 - 11 12 +
Light Due Medium Due Intensive Due

No Further
Diligence Diligence Diligence
Due Diligence
Required Required Required
Required
(SIG Lite) (SIG Lite) (SIG Core)
POLL QUESTION #2:
What vendor tiers are you assessing
today?
 Critical + High Risk Only
 Critical + High + Medium Risk
 All Vendors
 We Don’t Tier Our Vendors
 Don’t Know

Quick Sidebar:
Questionnaires
The Evolution of the Assessment Questionnaire
One, (usually long)

questionnaire used
to assess all
vendors
ONE SIZE
“FITS” ALL
One, (usually long) Multiple

questionnaire used questionnaires of
to assess all varying lengths used
vendors to vet vendors in
different risk tiers
ONE SIZE MULTIPLE

“FITS” ALL VERSIONS
One, (usually long) Multiple A single, smart

questionnaire used questionnaires of assessment that
to assess all varying lengths used includes questions
vendors to vet vendors in based on inherent
different risk tiers risk and adjusts mid-
assessment based
on vendors’ answers
ONE SIZE MULTIPLE SELF-

“FITS” ALL VERSIONS SCOPING
One, (usually long) Multiple A single, smart Smart assessment

questionnaire used questionnaires of assessment that that pre-scores
to assess all varying lengths used includes questions answers (good vs
vendors to vet vendors in based on inherent bad) and
different risk tiers risk and adjusts mid- automatically
assessment based generates issues
on vendors’ answers and follow-ups to
reduce review time
ONE SIZE MULTIPLE SELF- SELF-

“FITS” ALL VERSIONS SCOPING SCORING
Inherent Risk Scoring
0-5 6-7 8 - 11 12 +
12 Service is essential
to company operations
2 Service is subject to
regulatory requirements
6 Annual contract
amount > $500,000 2 Third party has access
to PII or PHI
2 A part of the service is

performed internationally 2 Service is delivered
as a cloud-based solution
2 Difficult to replace
service with alternative 2 Third party has access to
our technical infrastructure
Intake Questions
& Point Values
2 High annual
record volume 2 Third party outsources
a portion of the service
Determining a
Cadence for Periodic
Due Diligence
Ongoing Monitoring: Periodic Due Diligence
Line of
Business
Follow Up
Third-Party
Manager 1. Send
Assessment
3. Analyze
Assessment
4. Create
Related
5. Close
Assessment
Issues
Third-Party
Response
Residual Risk Determines Scope & Frequency
Inherent Previous Assessment
Risk Review Rating
Inherent Previous Assessment
Risk Review Rating
No Prior Review
Unsatisfactory
CRITICAL
Needs Improvement
Satisfactory
Inherent Previous Assessment Residual Assessment Assessment
Risk Review Rating Risk Scope Frequency
No Prior Review Critical SIG Core ASAP
Unsatisfactory Critical SIG Core Annual
CRITICAL
Needs Improvement Critical SIG Core Annual
Satisfactory High SIG Lite Annual
Inherent Previous Assessment Residual Assessment Assessment
Risk Review Rating Risk Scope Frequency
No Prior Review Critical SIG Core ASAP
Unsatisfactory Critical SIG Core Annual
CRITICAL
Needs Improvement Critical SIG Core Annual
Satisfactory High SIG Lite Annual
No Prior Review High SIG Lite ASAP
Unsatisfactory High SIG Lite Biennial
HIGH
Needs Improvement High SIG Lite Biennial
Satisfactory Medium SIG Lite Biennial
No Prior Review Medium SIG Lite ASAP
Unsatisfactory Medium SIG Lite Biennial
MEDIUM
Needs Improvement Medium SIG Lite Biennial
Satisfactory Low SIG Lite Triennial
N/A Low N/A N/A
N/A Low N/A N/A
LOW
N/A Low N/A N/A
N/A Low N/A N/A
Get Help: External
Content & Managed
Services
Incorporate External Ratings & Content
Public Data Evaluation Private Data Validation + Testing
Enriched Content Options
• Understand the difference between public and Financial Cyber Identity Utility
private data validation
• Set a rationale for leveraging by inherent risk tier
• Off-load the time intense operations
• Embed external content into your process
Your TPRM Program
“The Business” TPRM Group Scope Perform Assessment Residual Risk

Request for Risk Review Risk Domains Gather Data & Remediation
Depth of Review Evaluate & Interpret the Data
Document Findings

Extend Your Team
Public Data Evaluation Private Data Validation + Testing
Enriched Content Options
• Understand the difference between public and Financial Cyber Identity Utility
private data validation
• Set a rationale for leveraging by inherent risk tier
• Off-load the time intense operations
• Embed external content into your process
Your TPRM Program
“The Business” TPRM Group Scope Perform Assessment Residual Risk

Request for Risk Review Risk Domains Gather Data & Remediation
Depth of Review Evaluate & Interpret the Data
Document Findings
Managed Service Option

Managed service provider runs your program beginning to end.
Managed Service Partner
• You adopt or dictate the risk methodology

• You confirm/accept the risk
• You monitor and leverage the process

Getting Help is Great, But Always Remember…
You Own the Risk!

Assessing Your
Program’s Maturity

Third-Party Risk Maturity Model
MATURITY
TIME
 Informal, ad hoc approach

 Manual processes
(spreadsheets, email)
MATURITY
 No involvement from LOB
INFORMAL
TIME
 Single resource / small

team
 Manual questionnaire
reviews and due diligence
 Informal, ad hoc approach distribution
 Manual processes  Little to no LOB
(spreadsheets, email) involvement or executive
MATURITY
 No involvement from LOB support
INFORMAL REACTIVE
TIME
 Dedicated team with a

formally defined program
 Inherent risk calculations
 Single resource / small  Risk-based assessments
team scoping
 Manual questionnaire  Assessment scoring
reviews and due diligence  Calculated residual risk
 Informal, ad hoc approach distribution
 Manual processes  Issues management
 Little to no LOB
(spreadsheets, email) involvement or executive  Program automation via
MATURITY
 No involvement from LOB support TPRM technology
INFORMAL REACTIVE PROACTIVE
TIME
 Dedicated team & available
external resources
 High-level of LOB
involvement and active
 Dedicated team with a executive promotion
 Fully automated processes
 Trend analysis
scoping  Comprehensive reporting
team
 Assessment scoring  Contracts managed with
SLA capabilities
 Informal, ad hoc approach distribution  Integration with external
 Manual processes  Issues management data sources / providers
(spreadsheets, email) involvement or executive  Program automation via  Continuous program
MATURITY
 No involvement from LOB support TPRM technology improvement
INFORMAL REACTIVE PROACTIVE OPTIMIZED
TIME
POLL QUESTION #3:
How would you rate the maturity level of
your current TPRM program?

Incrementally Improve Your Program
 Dedicated team & available
CONTINUOUS PROGRAM IMPROVEMENT
external resources
 High-level of LOB
involvement and active
 Dedicated team with a executive promotion
 Fully automated processes
 Trend analysis
scoping  Comprehensive reporting
team
 Assessment scoring  Contracts managed with
SLA capabilities
 Informal, ad hoc approach distribution  Integration with external
 Manual processes  Issues management data sources / providers
(spreadsheets, email) involvement or executive  Program automation via  Continuous program
MATURITY
 No involvement from LOB support TPRM technology improvement
TIME
Take steps to advance your program (and your career)

INFORMAL
 Formalize your program
 Document, document,
document
 Socialize program’s charter
with executives
 Advantage: Blank slate

INFORMAL REACTIVE
 Formalize your program  Nix the one-size-fits all
questionnaire
document  Implement a repository for
TPRM data
with executives  Calculate inherent and
residual risk
 Look to automation
 Advantage: Leverage
your recent experience to
determine what’s
working…and what’s not
working

INFORMAL REACTIVE PROACTIVE

 Formalize your program  Nix the one-size-fits all  Increase LOB involvement
questionnaire and executive promotion
document  Implement a repository for  Extend beyond onboarding
TPRM data and due diligence
with executives  Calculate inherent and  Improve contract
residual risk management and SLA
 Look to automation tracking
 Advantage: Leverage  Incorporate external data

your recent experience to into onboarding and
determine what’s continuous monitoring
working…and what’s not  Advantage: Consistency
working builds confidence with
regulators


 Formalize your program  Nix the one-size-fits all  Increase LOB involvement  Focus on cost reduction
questionnaire and executive promotion and vendor service quality
document  Implement a repository for  Extend beyond onboarding  Advantage: Improved
TPRM data and due diligence negotiation power based
with executives  Calculate inherent and on accurate, actionable
 Improve contract
residual risk data on vendors’ ability
 Advantage: Blank slate management and SLA
to meet KPIs, SLAs and
 Look to automation tracking
other performance
 Advantage: Leverage  Incorporate external data metrics
your recent experience to into onboarding and
determine what’s continuous monitoring
working…and what’s not  Advantage: Consistency
working builds confidence with
regulators

For More Information
Automate Your Third-Party
Risk Management Program:
www.processunity.com/automate
Gartner Report Evaluates

Top Vendor Risk Tools:
www.processunity.com/gartner
Contact ProcessUnity:
www.processunity.com/contact
Contact Ed Thomas:
ed.thomas@processunity.com

THANK YOU FOR
ATTENDING THIS
ISACA WEBINAR

Third-Party Risk Management PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Third-Party Risk Management PDF

Uploaded by

Copyright:

Available Formats

THIRD-PARTY RISK MANAGEMENT:

BEST PRACTICES FOR AN EFFECTIVE

• The Presentation Deck can be downloaded from the MATERIALS window.

• Windows can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Please click on the ISACA Customer Experience Center image to be

Live Event: On-Demand Recording:

5 © ProcessUnity, Inc. All Rights Reserved.

6 © ProcessUnity, Inc. All Rights Reserved.

Compliance Management systems ensure that

Policy & Procedure

Brand & Reputation Business Continuity

Information Security Sales & Ethics

Legal & Litigation Personnel Risk

8 © ProcessUnity, Inc. All Rights Reserved.

Compliance Management systems ensure that

Policy & Procedure

Compliance Third Party Risk

Financial Security & Privacy Management Legal & Litigation Personnel

9 © ProcessUnity, Inc. All Rights Reserved.

Due Ongoing On-Site Control Performance Contract SLA Issue

11 © ProcessUnity, Inc. All Rights Reserved.

Onboarding Due Diligence Ongoing Monitoring

12 © ProcessUnity, Inc. All Rights Reserved.

Due Ongoing On-Site Control Performance Contract SLA Issue

13 © ProcessUnity, Inc. All Rights Reserved.

Establishing a • How do we ensure adoption and compliance across the

Storing Supporting • How and when do we reassess third parties?

14 © ProcessUnity, Inc. All Rights Reserved.

15 © ProcessUnity, Inc. All Rights Reserved.

INHERENT RISK DUE DILIGENCE

Onboarding Workflow Ongoing Monitoring Workflow

INHERENT RISK DUE DILIGENCE DUE DILIGENCE SERVICE

Onboarding Workflow Ongoing Monitoring Workflow

INHERENT RISK DUE DILIGENCE DUE DILIGENCE SERVICE

ISSUE MANAGEMENT & REMEDIATION

Yes Follow Up Yes

Information Security Reputation

Financial Business Continuity Conflict of Interest

36 © ProcessUnity, Inc. All Rights Reserved.

LOW MEDIUM HIGH

LOW MEDIUM HIGH CRITICAL

LOW MEDIUM HIGH

LOW MEDIUM HIGH CRITICAL

Is the service essential to the

2 A part of the service is

Light Due Medium Due Intensive Due

49 © ProcessUnity, Inc. All Rights Reserved.

One, (usually long)

One, (usually long) Multiple

ONE SIZE MULTIPLE

One, (usually long) Multiple A single, smart

ONE SIZE MULTIPLE SELF-

One, (usually long) Multiple A single, smart Smart assessment

ONE SIZE MULTIPLE SELF- SELF-

2 A part of the service is

Your TPRM Program

“The Business” TPRM Group Scope Perform Assessment Residual Risk

65 © ProcessUnity, Inc. All Rights Reserved.

Your TPRM Program

“The Business” TPRM Group Scope Perform Assessment Residual Risk

Managed Service Option

• You adopt or dictate the risk methodology