Third-party risk management

What is third-party risk management?

TPRM stands for Third-Party Risk Management. It refers to the process of identifying, analysing, and managing risks associated with third-party relationships. This includes assessing the potential risks that third parties might bring to your organisation in terms of security, compliance, sustainability, continuity, and reputation.

Trusted by top brands

Jumbo
KBC Bank
Brookfield
ING Bank
Gamma
Deloitte

What does TPRM entail?

Managing risks from third parties goes through various stages in the lifecycle of a third party. Here is the role TPRM plays at each stage:

#1. Initiation

At this stage, TPRM is about creating an initial risk profile for the potential third-party. This profile helps you to understand how critical they might be to your organisation.

#2. Third-party selection

Here, TPRM is about gathering external data about the third party and have them complete a self-assessment. This helps you understand their operations and the risks they might bring.

#3. Contracting

When you are ready to formalise the relationship, TPRM ensures that the right clauses are included in the contract. This includes agreements on risks that need fixing including the deadlines.

#4. Monitoring

This is an ongoing stage where you need to keep an eye on the third party. You may use a mix of monitoring for adverse news and other data feeds, dependent on the risks that are in play.

#5. Renewal

Depending on how important the third party is, you might reassess them periodically, like sending out another self-assessment after one or two years, or when renewing the contract.

#6. Termination

If the relationship ends, TPRM ensures that checklists are followed to make sure all the agreements in the contract are met. This is to ensure a smooth and compliant conclusion.

Automate and reduce cost

ROI Calculator

Our platform cuts down the time you spend on tasks like following up with people, planning tasks, sending out assessments, and checking results. This is a big improvement over using traditional spreadsheets or rigid Governance, Risk and Control (GRC) systems. To see how much time our software can save you, try out the calculator we offer. It's an easy way to see the big change our platform can bring to your work.It is a simple way to see the big difference our platform can make for you.

Your situation

Provide the number of third parties and the number of assessments per third-party you want to send annually.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Results

Annual hours saved compared to a spreadsheet approach or when using rigid GRC-systems.

Platform suitable for all risk domains
AI powered analysis of assessments & evidence
Intuitive, easy-to-follow workflows, multi-langual
Continuous supply chain monitoring
10-day implementation

How to start in 7 steps

Here's how to initiate your third-party risk management program in seven steps:

#1. Establish capability

First, the governance need to be put in place. Who will be in charge of third-party risk management? This leader sets out a plan for what we want to achieve with third-party risk management, decides what kind of risks we will look at, and assigns people who will be responsible for further establishing the capability. These people think about how we will do this work (like doing it locally in each office or centrally from one place), make operational procedures, and choose a tool to help us do this job well and efficiently.

#2. Define requirements

Second, we need to decide what internal and external requirements we need to include. There are two types: the rules organisations make for themselves, like policies and standards, and the rules that come from outside, like regulations or industry standards. These requirements need to be managed.

#3. Create an inventory of third-parties

Third, we need to make a list of all third parties we work with and the contracts we have with them. Some organisations might already have this list from their buying or procurement teams. Others might need to make it from scratch. It is important to know who in our organisation is in charge of each third-party and contract, as they typically hold the most knowledge about the goods or services provided by the third-party.

#4. Prioritise third-parties

Fourth, we need to decide which of these third parties are most important to your organisation. We give each one a risk score which we call a risk profile. This helps us decide which third parties we need to assess first and most thoroughly.

#5. Perform due diligence assessments

Fifth, we need to assess these third parties. We can do this in different ways, like asking them to fill in a questionnaire, doing audits, or using information from other sources. We can use standard questionnaires or make our own based on well-known guidelines like ISO or NIST. We need to determine when we do these checks, e.g. before we sign contracts, when we renew contracts, after something big happens, regularly, or all the time, depending on how risky they are and if they are in scope of the internal and external requirements.

#6. Remediate risks

Sixth, we need to make sure all these assessments are done, look at what they tell us, and report this to the right people in our organisation. If we find risks that are too high, we need to take steps to mitigate them to and bring them back to appropriate levels. This process needs to be documented and we need to inform relevant stakeholders about their role and responsibilities in remediating third-party risks.

#7. Continuously monitor

Finally, managing risks is not a one-time exercise. We need to keep an eye on our third-party landscape all the time, making sure they stay compliant and monitor for evolving risks. Especially for high risk third-parties, we want to be timely notified about issues that could impact our own organisation. This allows us to timely take action and reduce the impact. Therefore, we need to define how we ensure continiuous monitoring of our third-party landscape.