Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by organizations outside your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. It is an ongoing activity, including review, monitoring, and management communication over the entire vendor life cycle.
Why Manage Third Party Risk?
- Reduce likelihood of data breach costs
- Reduce likelihood of costly operational failures
- Reduce likelihood of vendor bankruptcy
- Regulatory mandates may require it
- Prudent due diligence – ethical obligation
The TPRM Process
Initial Risk Review
- Documentation review
- On-site review
- Business process documentation
- Remediation plan
Ongoing Monitoring & Recurring Risk Reviews
- Both for changed risks and for changes at vendor
- Measures the risk both of the activity itself and of the particular vendor performing it
- Standard mechanisms for dealing with risk: accept, decline, transfer, modify
- New or evolving risks and changes at the vendor
- Incident response, both on your part and the vendor’s