IT Security Outsourced IT

Third-Party Risk Management

What is TPRM?

Third-party risks are the potential risks that arise from organizations relying on outside parties to perform services or activities on their behalf. Third-party risk management (TPRM) is the process through which an organization manages the risks associated with having outside parties performing services or activities on their behalf. The use of third-party vendors has increased exponentially in the last five years, with many organizations outsourcing core functions in order to increase efficiency and lower costs.1 Third-party vendors may include internet providers, attorneys, software providers, payroll providers, supply chain partners, business partners, and more. Types of third-party risks include:

Operational risk. Many organizations rely on third-party applications and services in order to conduct business. If a third-party experiences a disruption due to a natural disaster or cyberattack, their lapses in services may lead to operational interruptions, data loss or compromise, and/or privacy violations that may result in significant disruption to your operations.

Reputational risk. Third party incidents may negatively impact your reputation, as you are associated with them and their business. If a third party is found to have provided faulty components or experienced a data breach, this could lead to damage to your reputation and a loss of trust from your customers and stakeholders.

Strategic risk. Your organization may fail to meet its strategic objectives if a third party that you partner with is not aligned with your organization on strategic business decisions and objectives.

Financial risk. Third parties introduce financial risk as their performance could impact costs, revenue, sales, quality, and service.

Compliance risk. Organizations with regulatory or legal compliance obligations may also need their third-party vendors and partners to meet those requirements. Examples of regulatory compliance obligations may include cybersecurity standards, data management regulations, labor laws, and environmental laws. If a third party fails to comply, your organizations may still be found liable.

Key questions to ask before onboarding third parties2:

  • Are they providing a critical product or service?
  • What type of data do they access? What type of access has been granted?
  • Do they work with 4th parties that could pose delivery challenges?
  • What is their security history?
  • What security practices do they have in place?
  • Do they have business continuity plans in place?
  • Are they in compliance with the regulations your organization has identified?
  • What is their financial situation?
  • Are they located in an unstable part of the world?
  • Do they have a reputable website? 
  • Do they have a legitimate privacy policy? 
  • Do they have reviews or testimonials? 
  • What do other people say about them?

In order to protect your organization from third party risk through TPRM:

  • Identify your organization’s risk appetite and risk tolerance
  • Determine an assessment scope and classify third parties based on risk level
  • Create a standardized TPRM processes for consistent auditing and onboarding
  • Review and update assessments and assessment scope for continual improvement
  • Consider applications and services that may assist in the development and administration of TPRM activities

1 Deloitte, 2022, “Third-party risk is becoming a first priority challenge”

2 ServiceNow, 2022, “What is third party risk management (TPRM)?”