Third Party Risk Management

Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by organizations outside your own company.

Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. It is an ongoing activity, including review, monitoring, and management communication over the entire vendor life cycle.

Risk Capability Maturity Model

Why Manage Third Party Risk?
  • Reduce likelihood of data breach costs
  • Reduce likelihood of costly operational failures
  • Reduce likelihood of vendor bankruptcy
  • Regulatory mandates may require it
  • Prudent due diligence is also an ethical obligation

The TPRM Process
Initial Risk Review
  • Documentation review
  • On-site review
  • Business process documentation
  • Remediation plan

Ongoing Monitoring & Recurring Risk Reviews
  • Covers both changes in the risks themselves and changes at the vendor

Risk Measurement
  • Measures the risk of both the activity itself and of the vendor in particular

Risk Management
  • Standard mechanisms for dealing with risk: accept, decline, transfer, modify

Risk Monitoring
  • Tracks new or evolving risks and changes at the vendor

Response Management
  • Incident response, both on your part and the vendor’s