What is third-party risk management?
TPRM stands for Third-Party Risk Management. It refers to the process of identifying, analysing, and managing risks associated with third-party relationships. This includes assessing the potential risks that third parties might bring to your organisation in terms of security, compliance, sustainability, continuity, and reputation.
What does TPRM entail?
Managing risks from third parties goes through various stages in the lifecycle of a third party. Here is the role TPRM plays at each stage:
#1. Initiation
At this stage, TPRM is about creating an initial risk profile for the potential third party. This profile helps you understand how critical they might be to your organisation.
#2. Third-party selection
Here, TPRM is about gathering external data about the third party and having them complete a self-assessment. This helps you understand their operations and the risks they might bring.
#3. Contracting
When you are ready to formalise the relationship, TPRM ensures that the right clauses are included in the contract. This includes agreements on which risks need to be remediated and the deadlines for doing so.
#4. Monitoring
This is an ongoing stage where you need to keep an eye on the third party. You may use a mix of adverse-news monitoring and other data feeds, depending on the risks that are in play.
#5. Renewal
Depending on how important the third party is, you might reassess them periodically, like sending out another self-assessment after one or two years, or when renewing the contract.
#6. Termination
If the relationship ends, TPRM ensures that checklists are followed to make sure all the agreements in the contract are met. This is to ensure a smooth and compliant conclusion.
ROI Calculator
Our platform cuts down the time you spend on tasks like following up with people, planning tasks, sending out assessments, and checking results. This is a big improvement over using traditional spreadsheets or rigid Governance, Risk and Control (GRC) systems. To see how much time our software can save you, try out the calculator we offer. It is a simple way to see the big difference our platform can make for you.
How to start in 7 steps
Here's how to initiate your third-party risk management program in seven steps:
#1. Establish capability
First, the governance needs to be put in place. Who will be in charge of third-party risk management? This leader sets out a plan for what we want to achieve with third-party risk management, decides what kinds of risks we will look at, and assigns the people who will be responsible for further establishing the capability. These people decide how the work will be organised (for example locally in each office or centrally from one place), write the operational procedures, and choose a tool to help us do this job well and efficiently.
#2. Define requirements
Second, we need to decide which internal and external requirements to include. There are two types: the rules organisations make for themselves, like policies and standards, and the rules that come from outside, like regulations or industry standards. These requirements need to be managed and kept up to date.
#3. Create an inventory of third parties
Third, we need to make a list of all the third parties we work with and the contracts we have with them. Some organisations may already have this list from their buying or procurement teams. Others will need to build it from scratch. It is important to know who in our organisation owns each third party and contract, as these owners typically hold the most knowledge about the goods or services the third party provides.
#4. Prioritise third parties
Fourth, we need to decide which of these third parties are most important to our organisation. We give each one a risk score, which we call a risk profile. This helps us decide which third parties we need to assess first and most thoroughly.
#5. Perform due diligence assessments
Fifth, we need to assess these third parties. We can do this in different ways, like asking them to fill in a questionnaire, performing audits, or using information from other sources. We can use standard questionnaires or make our own based on well-known guidelines like ISO or NIST. We need to determine when we perform these checks, e.g. before we sign contracts, when we renew contracts, after a significant event, at regular intervals, or continuously, depending on how risky the third party is and whether it falls within the scope of the internal and external requirements.
#6. Remediate risks
Sixth, we need to make sure all these assessments are completed, review what they tell us, and report the findings to the right people in our organisation. If we find risks that are too high, we need to take steps to mitigate them and bring them back to appropriate levels. This process needs to be documented, and we need to inform the relevant stakeholders about their roles and responsibilities in remediating third-party risks.
#7. Continuously monitor
Finally, managing risks is not a one-time exercise. We need to keep an eye on our third-party landscape all the time, making sure third parties stay compliant and monitoring for evolving risks. Especially for high-risk third parties, we want to be notified promptly about issues that could impact our own organisation. This allows us to act in time and reduce the impact. Therefore, we need to define how we ensure continuous monitoring of our third-party landscape.