What is Third-Party Risk Management?
Third-party risk management (TPRM) is a form of risk management that focuses on
identifying and reducing the risks relating to the use of third parties (vendors, suppliers,
partners, contractors, or service providers) in the business process.
TPRM helps organizations understand the third parties they use, how they use them, and
what safeguards their third parties have in place. The scope and requirements of a TPRM
program are dependent on the organization and may vary widely depending on industry,
regulatory guidance, and other factors. Still, many TPRM best practices are universal and
applicable to every business or organization.
The term third-party risk management (TPRM) is sometimes used interchangeably with
other terms, such as vendor risk management (VRM), vendor management, supplier risk
management, or supply chain risk management. However, TPRM encompasses all types of
third parties and all types of related risks.
Why is Third-Party Risk Management Important?
Outsourcing is a necessary component of running a modern business. It not only saves cost,
but is also a simple way to take advantage of expertise that an organization might not have
in-house. The downside is that if a proper TPRM program is not in place, relying on third
parties can leave your business vulnerable. Upticks in breaches across industries and a
greater reliance on outsourcing have brought the TPRM discipline to the forefront like never
before. A few examples:
• Businesses rely on service providers such as Amazon Web Services (AWS) to host a
website or cloud application. If AWS goes offline, then the website or application
also goes offline.
• If an organization is relying on a third party to ship goods and the shipping
company’s drivers go on strike, that can delay expected delivery times and lead to
customer cancellations and distrust, which will negatively impact the organization’s
business and reputation.
An effective TPRM program helps in:
• Reducing costs
• Addressing future risks in less time with fewer resources
• Providing context for your organization and your vendors
• Ensuring the reputation and quality of your products and services are not damaged
• Improving the confidentiality, integrity, and availability of your services
• Allowing you to focus on your core business functions
• Driving operational and financial efficiencies
Prepared by: RAM YADAV
TPRM Best Practices
There are countless best practices that can help you build a better TPRM program, but the
three most critical ones below apply to nearly every company.
1. Prioritize Your Vendor Inventory
Every business has certain critical operations, and not all vendors are equally important, so
it is critical to determine which third parties matter most. Segmenting vendors into
criticality tiers improves the efficiency of the TPRM program. Most organizations divide
their vendors into three categories:
• Tier 1: High risk, high criticality
• Tier 2: Medium risk, medium criticality
• Tier 3: Low risk, low criticality
Vendors can be categorized by the following criteria:
A. Risk
B. Impact
C. Contract Value
A. Evaluation of the vendor based on risk
Risk evaluation is based on calculating the inherent risk of the third party. Inherent risk
scores are calculated on the basis of industry benchmarks or basic business context; the
risk can be determined by evaluating whether the engagement involves:
● Sharing proprietary or confidential business information with the vendor
● Sharing sensitive personal data with the vendor
● Sharing personal data across state or national jurisdictional boundaries
● Serving critical business functions
B. Evaluation of the vendor based on impact
The impact evaluation of the vendor is also a determining factor in vendor categorization.
This is done by evaluating the impact on the business if the third party cannot deliver its
service or there is a significant disruption in the vendor's services. The impact on the
business can be evaluated by analyzing the following:
● The impact of unauthorized disclosure of information
● The impact of unauthorized modification or destruction of information
● The impact of disruption of access to the vendor/information
C. Evaluation of the vendor based on contract value
Another way to tier vendors is by grouping them based on contract value. Big-budget
vendors may automatically be segmented as tier-1 vendors, based solely on the risk implied
by the value of the contract.
Organizations mostly focus their time and resources on tier-1 vendors first, as they require
more stringent due diligence and evidence collection. Tier-1 vendors are most often
subjected to the most in-depth assessments, which also include on-site assessment
validation.
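The three tiering criteria above (inherent risk from business context, worst-case impact across confidentiality, integrity and availability, and contract value) can be combined into a simple, repeatable scoring routine. The following is an added example and not code from the original document; the weights, the tier thresholds, the high-value contract cut-off and the sample vendor records are all assumptions constructed to illustrate the approach.

```python
"""Vendor tiering from inherent risk, business impact and contract value.

Added example; not from the original document. The scoring, thresholds
and sample vendor records are assumptions chosen to illustrate the three
criteria (risk, impact, contract value).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vendor:
    name: str
    # Inherent-risk factors (the "risk" criterion): does the engagement involve...
    shares_confidential_info: bool = False
    shares_sensitive_personal_data: bool = False
    cross_jurisdiction_transfer: bool = False
    serves_critical_function: bool = False
    # Impact of disclosure / modification / disruption, rated 0 (none) .. 3 (severe)
    impact_disclosure: int = 0
    impact_modification: int = 0
    impact_disruption: int = 0
    contract_value: float = 0.0


# Assumed: contracts at or above this value are tier 1 regardless of score
HIGH_VALUE_CONTRACT = 1_000_000.0


def inherent_risk_score(v: Vendor) -> int:
    """Inherent risk from the business-context questions (0..4, one point each)."""
    return sum([
        v.shares_confidential_info,
        v.shares_sensitive_personal_data,
        v.cross_jurisdiction_transfer,
        v.serves_critical_function,
    ])


def impact_score(v: Vendor) -> int:
    """Worst-case impact across confidentiality, integrity and availability (0..3)."""
    return max(v.impact_disclosure, v.impact_modification, v.impact_disruption)


def tier(v: Vendor) -> int:
    """Assign tier 1 (high), 2 (medium) or 3 (low). Thresholds are assumptions."""
    if v.contract_value >= HIGH_VALUE_CONTRACT:
        return 1
    risk, impact = inherent_risk_score(v), impact_score(v)
    if risk >= 3 or impact == 3:
        return 1
    if risk >= 1 or impact >= 2:
        return 2
    return 3


def tier_inventory(vendors: List[Vendor]) -> Dict[int, List[str]]:
    """Group vendor names by tier; within a tier, highest inherent risk first."""
    out: Dict[int, List[str]] = {1: [], 2: [], 3: []}
    ordered = sorted(vendors, key=lambda x: (tier(x), -inherent_risk_score(x), x.name))
    for v in ordered:
        out[tier(v)].append(v.name)
    return out


# Constructed sample inventory (fictional vendors)
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", shares_sensitive_personal_data=True,
           cross_jurisdiction_transfer=True, serves_critical_function=True,
           impact_disclosure=3, impact_disruption=2, contract_value=250_000),
    Vendor("OfficeSnacks", contract_value=12_000),
    Vendor("MarketingAgency", shares_confidential_info=True, impact_disclosure=2,
           contract_value=80_000),
    Vendor("DataCenterLease", impact_disruption=1, contract_value=2_000_000),
]

if __name__ == "__main__":
    for t, names in tier_inventory(SAMPLE_VENDORS).items():
        print(f"Tier {t}: {', '.join(names) or '-'}")
```

Note that the contract-value rule is applied before the score, so a low-risk but high-value lease lands in tier 1 exactly as the text describes, while the tier-1 list is still ordered so that the vendor with the highest inherent risk is reviewed first.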
2. Leverage Automation Wherever Possible
Efficiency is achieved when operations are consistent. There are a number of areas in the
TPRM lifecycle where automation is ideal. These areas include, but are not limited to:
A. Automate onboarding of new vendors. Automatically add vendors to your inventory
using an intake form or via integration with contract management.
B. Automate inherent risk calculation and vendor categorization. During onboarding,
collect basic business context to determine a vendor's inherent risk, and then
automatically prioritize the vendors posing the highest risk.
C. Assign risk owners and mitigation tasks. When a vendor risk is flagged, route the
risk to the responsible individual and include a checklist of mitigation action items.
D. Trigger vendor performance reviews. Set up automatic triggers to review each vendor
every year, and if the vendor fails the review, trigger off-boarding actions.
E. Trigger vendor reassessments. Send a reassessment based on contract expiration
dates and carry forward the previous year's assessment report so the vendor does not
have to start from scratch.
F. Send notifications and alerts. When a new risk is flagged or a new vendor is
onboarded, send an email or alert to the relevant stakeholder through an integration
with an existing system.
G. Schedule reports. Set up automated reports that run on a daily, weekly, or monthly
basis and are automatically shared with stakeholders.
Automating the above tasks saves valuable time, money, and resources.
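Items C through F above are essentially date- and event-driven rules over the vendor inventory. The block below is an added example, not code from the original document or any TPRM product: it computes which automated actions are due on a given day (annual review, off-boarding after a failed review, reassessment ahead of contract expiry with the prior report carried forward), routes a flagged risk to its owner with a checklist, and formats the notification. The record layout, the 60-day reassessment window, the checklist wording and the sample records are all assumptions.

```python
"""Automation triggers for the TPRM lifecycle.

Added example, not from the original document. The record layout, the
60-day reassessment window, the mitigation checklist and the sample
records are assumptions constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # yearly performance review
REASSESS_WINDOW = timedelta(days=60)   # assumed: reassess this long before contract expiry

# Assumed generic checklist attached to every flagged risk
MITIGATION_CHECKLIST = ["confirm risk rating", "identify compensating controls",
                        "record residual risk", "attach evidence"]


@dataclass
class VendorRecord:
    name: str
    tier: int
    risk_owner: str
    contract_end: date
    last_review: Optional[date] = None
    last_review_passed: Optional[bool] = None
    previous_assessment_id: Optional[str] = None  # carried forward on reassessment


@dataclass(frozen=True)
class Action:
    vendor: str
    kind: str        # "annual_review", "offboard", "reassessment", "risk_flagged"
    route_to: str
    note: str = ""


def due_actions(vendors: List[VendorRecord], today: date) -> List[Action]:
    """Actions due on `today`, tier-1 vendors first."""
    actions: List[Action] = []
    for v in sorted(vendors, key=lambda r: (r.tier, r.name)):
        # Yearly performance review; a failed review triggers off-boarding
        if v.last_review is None or today - v.last_review >= REVIEW_INTERVAL:
            actions.append(Action(v.name, "annual_review", v.risk_owner))
        elif v.last_review_passed is False:
            actions.append(Action(v.name, "offboard", v.risk_owner,
                                  "failed performance review"))
        # Reassessment keyed to contract expiration, carrying the prior report forward
        if today <= v.contract_end <= today + REASSESS_WINDOW:
            prior = v.previous_assessment_id or "none on file"
            actions.append(Action(v.name, "reassessment", v.risk_owner,
                                  f"contract ends {v.contract_end}; prefill from {prior}"))
    return actions


def route_flagged_risk(v: VendorRecord, description: str) -> Action:
    """Route a newly flagged risk to the vendor's risk owner with the checklist."""
    note = f"{description}; checklist: " + ", ".join(MITIGATION_CHECKLIST)
    return Action(v.name, "risk_flagged", v.risk_owner, note)


def notification(a: Action) -> str:
    """Message body handed to the email/alert integration (format is an assumption)."""
    body = f"[TPRM] {a.kind} due for {a.vendor} -> {a.route_to}"
    return body + (f" ({a.note})" if a.note else "")


# Constructed sample records (fictional vendors and owners)
SAMPLE = [
    VendorRecord("PayrollCloud", 1, "alice@example.com", date(2024, 7, 15),
                 last_review=date(2023, 5, 1), last_review_passed=True,
                 previous_assessment_id="ASSESS-2023-017"),
    VendorRecord("MarketingAgency", 2, "bob@example.com", date(2025, 3, 1),
                 last_review=date(2024, 2, 1), last_review_passed=False),
    VendorRecord("OfficeSnacks", 3, "carol@example.com", date(2025, 1, 1),
                 last_review=date(2024, 1, 15), last_review_passed=True),
]
SAMPLE_TODAY = date(2024, 6, 1)


def sample_actions() -> List[Action]:
    """Run the rules over the constructed records on the constructed date."""
    return due_actions(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for action in sample_actions():
        print(notification(action))
```

The ordering in `due_actions` is deliberate: a vendor that is overdue for its annual review gets the review first, and the failed-review off-boarding rule is only evaluated against a review that is still current.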
3. Think Beyond Cybersecurity Risks
When considering a TPRM program, many organizations think only about cybersecurity
risks. But TPRM covers much more: there are other types of risk that also need to be
prioritized. These include:
● Financial risks
● Reputational risks
● Operational risks
● Performance risks
● Strategic risks
● Privacy risks
● Compliance risks
● Business continuity risks
● Geographical risks
● Geopolitical risks
● Environmental risks
Understanding all the relevant risks, not just cybersecurity, is imperative to building a
world-class TPRM program.
Third-Party Risk Management Lifecycle
The third-party risk management lifecycle is a series of steps that outlines a relationship
with a third party. The TPRM lifecycle is broken down into several stages. These stages
include:
1. Vendor identification
2. Evaluation & selection
3. Risk assessment
4. Risk mitigation
5. Contracting and procurement
6. Reporting and Record-keeping
7. Ongoing monitoring
8. Vendor off-boarding
TPRM lifecycle flow:
Phase 1: Vendor Identification
To identify the vendors already working for the organization and build a vendor inventory,
organizations can take one of the following approaches:
1. Consolidating vendor information from spreadsheets and other sources when rolling
out third-party risk software.
2. Integrating vendor information from existing technologies. Software that is already in
use (for example, contract or procurement systems) often contains detailed vendor
information, and it can be used to centralize the inventory in a single solution.
3. Conducting assessments. A short assessment sent to business owners across the
company, such as marketing, HR, finance, sales, research and development, and other
departments, can help uncover the services used by the organization.
To identify new third parties, organizations often leverage a self-service portal as part of
their third-party risk management program. With a self-service portal, business owners can
build their own inventory. Self-service portals help gather preliminary information about
the third party, such as:
● Vendor Name
● Business purpose
● Primary vendor contact (email, phone, address)
● Business context
● Scope of engagement
● Data type involved
● Prior security reviews
● Certifications, if applicable
● Expected procurement date
Using this information, we can classify third parties based on the inherent risk that they
pose to the organization.
Phase 2: Evaluation and Selection
During the evaluation and selection phase, organizations consider RFPs and choose the
vendor they want to use. This decision is based on a number of factors that are unique to
the business and its specific needs.
Phase 3: Risk Assessment
Vendor risk assessments take time and are resource-intensive, which is why many
organizations use a third-party risk exchange (which provides security, risk, compliance,
and ESG insights) to access pre-completed assessments. Other common methods include
using spreadsheets or assessment automation software. Common standards used for
assessing vendors include:
● ISO 27001 & ISO 27701
● SIG Lite & SIG Core
● NIST SP 800-53
● CSA CAIQ
Industry-specific standards, such as:
● HITRUST
● HECVAT
● PCI-DSS
● HIPAA
Phase 4: Risk Mitigation
After conducting a risk assessment, risks can be calculated and mitigation measures can
be planned. Common risk mitigation workflows include the following stages:
• Stage 1: Risk identification: Risks are flagged and given a risk level or score.
• Stage 2: Evaluation: Organizations determine whether the risk is acceptable within
their defined risk appetite or whether risk treatment is required.
• Stage 3: Risk treatment: When treatment occurs, a risk owner must validate that the
required controls are in place to reduce the risk to the desired residual risk level.
Phase 5: Contracting and Procurement
Sometimes this activity is done in parallel with risk mitigation. The contracting and
procurement stage is critical from a third-party risk perspective. Contracts often contain
details that fall outside the remit of TPRM. Still, there are many key provisions, clauses,
and terms that TPRM teams should look into when reviewing vendor contracts, determining
for each whether it is adequate, inadequate, or missing. These include, but are not limited
to:
● Defined Scope of Services or Products
● Cost and Payment Terms
● Term and Termination Clauses
● Intellectual Property Ownership Clause
● Deliverables/Services Clause
● Confidentiality Clause
● Warranties
● Disclaimers
● Limitation of Liability
● Insurance
● Relationship Clause
● Data Processing Agreement
● 4th Party or Subcontracting change Clauses
● Compliance Clause
● Data Protection Agreement
● Service Level Agreements (SLAs) - Product Performance, Response Time
Phase 6: Reporting and Recordkeeping
Building a strong TPRM program requires organizations to maintain compliance, and this
step is often overlooked. Maintaining detailed records in spreadsheets is nearly impossible
at large scale, so many organizations use TPRM software. Such software helps maintain
auditable records and makes it easier to report on critical aspects of the program. A
sample reporting dashboard in an automated solution may include:
● Total supplier count
● Suppliers sorted by risk level
● Status of all supplier risk assessments
● Number of suppliers with expiring or expired contracts
● Risks grouped by level (high, medium, low)
● Risks to your parent organization & its subsidiaries
Phase 7: Ongoing Monitoring
Engagements with third parties do not end with the risk assessment or even after risk
mitigation. Continuous vendor monitoring throughout the lifecycle of a third-party
relationship is critical, as new risks can arise at any point in the vendor lifecycle. For
example, new regulations, high-profile data breaches, and evolving usage of a vendor may
change the risks associated with third parties. Some key risk-changing events to monitor
include:
● Mergers, acquisitions
● Internal process changes
● Negative news or unethical behavior
● Natural disasters and other business continuity-triggering events
● Product releases
● Contract changes
● Regulatory developments
● Employee reduction
Phase 8: Vendor Offboarding
A thorough offboarding procedure is critical, both for security purposes and for
recordkeeping requirements. A centralized offboarding process can help teams automate
vendor offboarding, ensure its completeness, and effectively mitigate risk.
A few best practices for the vendor offboarding process are listed below:
1. Keep Lines of Communication Open
Teams can mitigate risk by keeping the lines of communication open with the vendor
throughout the offboarding process. This includes informing vendors of the offboarding
timeline, answering any questions, and providing clear instructions regarding what is
expected during the process.
2. Perform a Final Review of the Contract
Review the contract's termination provisions to ensure you have the right to terminate the
relationship and, if so, the proper timelines for doing so. Be sure notices have been issued
and the vendor's rights have been honored. A final review with legal and procurement can
help ensure that the vendor provided all the obligated goods and services.
3. Settle Any Outstanding Invoices
After thoroughly reviewing the contract terms and identifying remaining obligations for
both parties, ensure that you have received final deliverables and scheduled final
payments. Be sure to include any credits or returns when calculating payments, as these
may be difficult to recover after you terminate the relationship.
4. Revoke Access to IT Infrastructure, Data, and Physical Buildings
Vendors may have access to your systems, data, or premises while rendering their services.
When offboarding a vendor, ensure that their access to your intellectual property and other
sensitive data is terminated. This includes:
• Keeping a list of all vendor accounts and deleting their login credentials.
• Providing vendors a complete list of all company-owned assets they must return.
• Changing all logins, including shared credentials.
• Revoking access to all applications, including VPNs and cloud apps for file sharing and
messaging.
• Revoking any access the vendor may have to APIs, as these could be a useful attack
vector if an attacker later compromises the vendor.
• Deactivating any key cards and badges, and ensuring that the vendor returns all physical
keys.
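The checklist above is only as good as the reconciliation that proves each item was actually done. The block below is an added example, not code from the original document or any product: it takes an inventory of everything a vendor was granted (accounts, shared credentials, VPN and cloud-app access, API keys, badges, physical keys, assets), checks that each grant received the right closing action on or after the offboarding date, and reports what is still open. The grant record layout, the required action per access kind, and the sample inventory are assumptions constructed for the demonstration.

```python
"""Offboarding access reconciliation: find vendor access that is still live.

Added example, not from the original document. The grant record layout,
the required action per access kind and the sample inventory are
assumptions constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Required closing action per kind of access, mirroring the offboarding checklist.
# Shared credentials cannot be deleted, they must be rotated (changed).
REQUIRED_ACTION = {
    "account": "delete",
    "shared_credential": "rotate",
    "vpn": "revoke",
    "cloud_app": "revoke",
    "api_key": "revoke",
    "badge": "deactivate",
    "physical_key": "return",
    "asset": "return",
}


@dataclass
class AccessGrant:
    vendor: str
    kind: str
    identifier: str                       # account name, key label, badge id, ...
    closed_action: Optional[str] = None   # what was done, or None if nothing yet
    closed_on: Optional[date] = None


def offboarding_gaps(vendor: str, grants: List[AccessGrant],
                     offboarded_on: date) -> List[Tuple[AccessGrant, str]]:
    """Grants for `vendor` that are still open, closed the wrong way, or closed too early.

    "Too early" matters for rotation: a shared credential rotated while the vendor
    still had access may have been learned again, so it must be rotated on or after
    the offboarding date.
    """
    gaps = []
    for g in grants:
        if g.vendor != vendor:
            continue
        required = REQUIRED_ACTION.get(g.kind)
        if required is None:
            gaps.append((g, "unknown access kind, review manually"))
        elif g.closed_action != required:
            gaps.append((g, f"needs {required}, got {g.closed_action or 'nothing'}"))
        elif g.closed_on is None or g.closed_on < offboarded_on:
            gaps.append((g, f"{required} must be dated on or after offboarding"))
    return gaps


def offboarding_complete(vendor: str, grants: List[AccessGrant],
                         offboarded_on: date) -> bool:
    """True only when nothing granted to the vendor remains open."""
    return not offboarding_gaps(vendor, grants, offboarded_on)


# Constructed sample inventory (fictional vendor; identifiers are placeholders)
OFFBOARDED_ON = date(2024, 6, 1)
SAMPLE_GRANTS = [
    AccessGrant("AcmeSupport", "account", "svc-acme", "delete", date(2024, 6, 3)),
    AccessGrant("AcmeSupport", "shared_credential", "ops-console-admin",
                "rotate", date(2024, 5, 20)),            # rotated before offboarding
    AccessGrant("AcmeSupport", "api_key", "api-key-billing-01", "revoke", date(2024, 6, 1)),
    AccessGrant("AcmeSupport", "vpn", "acme-vpn-profile"),  # nothing done yet
    AccessGrant("AcmeSupport", "badge", "B-1042", "deactivate", date(2024, 6, 2)),
    AccessGrant("AcmeSupport", "physical_key", "server-room-key", "return", date(2024, 6, 2)),
    AccessGrant("OtherVendor", "account", "svc-other"),  # different vendor, not in scope
]


def sample_gaps() -> List[Tuple[AccessGrant, str]]:
    """Run the reconciliation over the constructed inventory."""
    return offboarding_gaps("AcmeSupport", SAMPLE_GRANTS, OFFBOARDED_ON)


if __name__ == "__main__":
    for grant, reason in sample_gaps():
        print(f"OPEN  {grant.kind:17} {grant.identifier:20} {reason}")
    print("complete:", offboarding_complete("AcmeSupport", SAMPLE_GRANTS, OFFBOARDED_ON))
```

Feeding the function with the real grant inventory (from the IdP, VPN, cloud consoles, API gateway and badge system) turns the checklist into something a risk owner can sign off on, and the `unknown access kind` branch surfaces any access type the checklist forgot to cover rather than silently passing it.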
5. Review Data Privacy and Information Security Compliance
Vendors often have access to sensitive data that may be subject to regulatory
requirements such as GDPR, PCI DSS, and others. During offboarding, ensure that your
vendor termination procedures align with your legal obligations. Additionally, review with
the vendor any remaining obligations such as confidentiality, nondisclosure, and
non-compete agreements.
If the vendor has copies of your sensitive data, it could be exposed in a later breach.
Morgan Stanley failed to properly oversee decommissioning of servers by a third party. A
subsequent breach of the third party exposed personal information and resulted in a $60
million fine from the Office of the Comptroller of the Currency (OCC).
6. Update Your Vendor Management Database
To reduce legal risk, clearly document the reasons for terminating the relationship and
maintain a complete accounting of the termination procedures. Make sure you have
records of all communications, contracts, and other documentation between the
organization and the vendor so you can quickly resolve any questions or issues moving
forward.
7. Continuously Monitor Vendors for Potential Future Risks
Even after the contract has been terminated and all tasks have been successfully
completed, risks to your systems and data, as well as compliance or reputational risks, can
still emerge long after the relationship ends. Continuously monitoring multiple risk vectors
extends your visibility into these potential future risks.