
Learn about the Third-Party Risk Management (TPRM) Lifecycle

The third-party risk management lifecycle is a series of steps that outlines a typical relationship with a third party, from first identifying the vendor to offboarding it. TPRM is sometimes referred to as "third-party relationship management," a term that better articulates the ongoing nature of vendor engagements.


The TPRM lifecycle is typically broken down into eight stages:

  1. Vendor identification

  2. Evaluation & selection

  3. Risk assessment

  4. Risk mitigation

  5. Contracting and procurement

  6. Reporting and Record-keeping

  7. Ongoing monitoring

  8. Vendor off-boarding  

Phase 1: Third-Party Identification

There are many ways to identify the third parties your organization is currently working with, as well as ways to identify new third parties your organization wants to use. 


To identify vendors already in use and build a vendor inventory, organizations take multiple approaches, which include: 

  • Using existing information. Organizations often consolidate vendor information from spreadsheets and other sources when rolling out third-party risk software. 

  • Integrating with existing technologies. Technologies that are in use often contain detailed vendor information, such as CMDBs, SSO providers, contracts, procurement, and other systems. Organizations will often plug into these sources to centralize their inventory in a single software solution. 

  • Conducting assessments or interviews. A short assessment sent to business owners across the company (marketing, HR, finance, sales, research and development, and so on) can uncover the tools in use at your organization, including ones procured outside the formal process that no system of record knows about. 


To identify new third parties, organizations will often run a self-service portal as part of their third-party risk management program. With a self-service portal, business owners request a new vendor themselves and, in doing so, add it to the inventory before any contract is signed. Share the portal with your business by linking to it from your intranet or SharePoint.


Self-service portals also gather preliminary information about the third party, such as: 

  • Vendor name 

  • Primary vendor contact (email, phone, address) 

  • Business purpose and business context 

  • Scope of engagement 

  • Expected procurement date 

  • Data types involved, including whether personal information is involved 

  • Hosting information (where the data will live, and whether subprocessors are involved) 

  • Prior security reviews, attestations or certifications, if applicable (the page mentions Privacy Shield here; note that the EU-US Privacy Shield was invalidated in 2020 and has since been succeeded by the EU-U.S. Data Privacy Framework, so check that any transfer mechanism cited is still valid) 


Using this information, you can classify third parties by the inherent risk they pose to your organization, that is, the risk of the engagement before any of the vendor's controls are taken into account. The inherent-risk tier then determines how deep the assessment in Phase 3 needs to be. 
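As an added illustration (not code from the original page or from any particular TPRM product), the following Python scores a self-service intake form into an inherent-risk tier and maps the tier to an assessment depth. The field names, weights, thresholds and the three sample vendors are assumptions constructed for the example. Prior certifications are recorded but deliberately do not lower the inherent score: a certificate is evidence about controls and belongs to the residual-risk calculation later in the lifecycle.

```python
"""Inherent-risk tiering from self-service intake answers (added example).

All field names, weights and thresholds below are assumptions for illustration,
not values from any standard or from the original page.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Highest sensitivity of data the vendor will touch. "regulated" covers data
# subject to legal obligations (e.g. health, payment or employee records).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
# Where the data lives: more parties hosting it means more inherent exposure.
HOSTING = {"customer_hosted": 0, "vendor_hosted": 2, "vendor_with_subprocessors": 3}
# Breadth of the engagement inside the organisation.
SCOPE = {"pilot": 0, "department": 1, "enterprise": 2}

# Assessment depth each tier routes to (assumed mapping).
ASSESSMENT_BY_TIER = {"high": "SIG Core", "medium": "SIG Lite", "low": "attestation review only"}


@dataclass
class IntakeForm:
    """Subset of the intake fields the text lists (assumed names)."""
    vendor_name: str
    data_types: list[str]          # keys of DATA_SENSITIVITY
    personal_data: bool            # does the engagement involve personal information?
    hosting: str                   # key of HOSTING
    scope: str                     # key of SCOPE
    production_integration: bool   # SSO, API or network access into our environment
    prior_certifications: list[str] = field(default_factory=list)


def inherent_risk_score(form: IntakeForm) -> int:
    """Score the engagement *before* any of the vendor's controls are considered.

    prior_certifications is intentionally not used here: a certificate is
    evidence about controls and reduces residual risk, not inherent risk.
    Unknown intake values raise ValueError rather than silently scoring 0.
    """
    try:
        data = max((DATA_SENSITIVITY[d] for d in form.data_types), default=0)
        score = data + HOSTING[form.hosting] + SCOPE[form.scope]
    except KeyError as exc:
        raise ValueError(f"unrecognised intake value {exc} for {form.vendor_name}") from None
    if form.personal_data:
        score += 2
    if form.production_integration:
        score += 2
    return score


def inherent_risk_tier(score: int) -> str:
    if score >= 9:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def classify(form: IntakeForm) -> dict:
    """Return the tier and the assessment depth the tier routes to."""
    score = inherent_risk_score(form)
    tier = inherent_risk_tier(score)
    return {
        "vendor": form.vendor_name,
        "score": score,
        "tier": tier,
        "assessment": ASSESSMENT_BY_TIER[tier],
        "evidence_on_file": list(form.prior_certifications),  # reviewed in Phase 3, not scored here
    }


# Constructed sample intake forms for hypothetical vendors.
PAYROLL = IntakeForm("PayrollCo", ["regulated", "internal"], True,
                     "vendor_with_subprocessors", "enterprise", True, ["ISO 27001"])
DESIGN_TOOL = IntakeForm("Sketchly", ["internal"], False, "vendor_hosted", "department", True)
STOCK_PHOTOS = IntakeForm("PhotoBank", ["public"], False, "vendor_hosted", "department", False)

if __name__ == "__main__":
    for form in (PAYROLL, DESIGN_TOOL, STOCK_PHOTOS):
        print(classify(form))
```

Run stand-alone, the script tiers the payroll vendor as high (score 14, routed to a full SIG Core), the design tool as medium (score 6) and the stock-photo site as low (score 3). Rejecting unknown intake values instead of scoring them as zero matters in practice: a free-text "hosting" answer that does not match a known option should block classification, not quietly produce a low tier.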



Phase 2: Evaluation and Selection

During the evaluation and selection phase, organizations consider RFPs and choose the vendor they want to use. This decision is made using a number of factors that are unique to the business and its specific needs. 



Phase 3: Risk Assessment

Vendor risk assessments take time and are resource-intensive, which is why many organizations use a third-party risk exchange to obtain assessments the vendor has already completed for other customers. Other common methods include spreadsheets or assessment automation software. Whichever method is used, the primary goal is the same: understanding the risks associated with the vendor. 


Common frameworks and questionnaires used for assessing vendors include: 

  • ISO 27001 & ISO 27701 (certifiable management-system standards for information security and, as an extension, privacy)

  • SIG Lite & SIG Core (the Shared Assessments Standardized Information Gathering questionnaires, at two levels of depth)

  • NIST SP 800-53 (a control catalog, often used as the basis for custom questionnaires)

  • CSA CAIQ (the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, for cloud service providers)


As well as industry-specific frameworks, such as: 

  • HITRUST (healthcare)

  • HECVAT (higher education)  

Phase 4: Risk Mitigation

After an assessment, each finding can be scored and treated. A common risk mitigation workflow has four stages: 

  • Identification: risks are flagged and given a risk level or score. 

  • Evaluation: the organization decides whether the risk is acceptable within its defined risk appetite; if it is not, it must be treated. 

  • Treatment: a named risk owner validates that the required controls are actually in place and that they reduce the risk to the desired residual risk level. 

  • Monitoring: the risk is watched for events that may raise its level again, such as a data breach at the vendor, in which case it goes back to evaluation. 
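The four stages above as a small state machine, written for this page as an added example (it is not code from the original article or from any TPRM product). The 5x5 likelihood-times-impact scoring, the appetite threshold of 6, the vendor names and the breach event are all constructed assumptions. Two rules are enforced that a spreadsheet workflow easily loses: a treatment that does not bring the residual score within appetite is rejected rather than marking the risk "treated", and a monitored event that pushes the score back over appetite reopens the risk instead of leaving it in monitoring.

```python
"""Risk mitigation workflow: identify -> evaluate -> treat -> monitor (added example).

Scoring scale, appetite and the sample risks are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    IDENTIFIED = "identified"
    EVALUATED = "evaluated"    # above appetite: treatment required
    ACCEPTED = "accepted"      # within appetite as-is: no treatment needed
    MONITORING = "monitoring"  # treated: residual validated within appetite


def score(likelihood: int, impact: int) -> int:
    """Simple 5x5 matrix: both factors on a 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def level(s: int) -> str:
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


@dataclass
class Risk:
    risk_id: str
    vendor: str
    description: str
    likelihood: int
    impact: int
    stage: Stage = Stage.IDENTIFIED
    controls: list[str] = field(default_factory=list)
    residual: int | None = None                       # None until a treatment is validated
    history: list[str] = field(default_factory=list)  # the audit trail Phase 6 reports on

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def current(self) -> int:
        return self.inherent if self.residual is None else self.residual

    def log(self, msg: str) -> None:
        self.history.append(f"[{self.stage.value}] {msg}")


class MitigationWorkflow:
    def __init__(self, appetite: int):
        self.appetite = appetite  # highest score tolerated without treatment (assumed)

    def identify(self, risk: Risk) -> None:
        risk.stage = Stage.IDENTIFIED
        risk.log(f"flagged; inherent score {risk.inherent} ({level(risk.inherent)})")

    def evaluate(self, risk: Risk) -> Stage:
        risk.stage = Stage.ACCEPTED if risk.current <= self.appetite else Stage.EVALUATED
        risk.log(f"score {risk.current} against appetite {self.appetite}")
        return risk.stage

    def treat(self, risk: Risk, controls: list[str], residual_likelihood: int,
              residual_impact: int, validated_by: str) -> int:
        """Record controls only once a named risk owner has validated them and
        the residual lands within appetite; otherwise the risk stays EVALUATED."""
        if risk.stage is not Stage.EVALUATED:
            raise ValueError(f"{risk.risk_id}: only evaluated risks can be treated")
        if not validated_by:
            raise ValueError(f"{risk.risk_id}: a risk owner must validate the controls")
        residual = score(residual_likelihood, residual_impact)
        if residual > self.appetite:
            risk.log(f"treatment rejected: residual {residual} > appetite {self.appetite}")
            raise ValueError(f"{risk.risk_id}: controls insufficient (residual {residual})")
        risk.controls = list(controls)
        risk.residual = residual
        risk.stage = Stage.MONITORING
        risk.log(f"controls {controls} validated by {validated_by}; residual {residual}")
        return residual

    def record_event(self, risk: Risk, description: str,
                     new_likelihood: int, new_impact: int) -> Stage:
        """A monitored event (breach, news, scope change) re-scores the risk and
        reopens it when the new score exceeds appetite."""
        if risk.stage not in (Stage.MONITORING, Stage.ACCEPTED):
            raise ValueError(f"{risk.risk_id}: not in a monitored stage")
        risk.residual = score(new_likelihood, new_impact)
        risk.log(f"event: {description}; score now {risk.residual}")
        if risk.residual > self.appetite:
            risk.stage = Stage.EVALUATED  # existing controls no longer suffice
        return risk.stage


def run_example() -> Risk:
    """Walk one constructed risk through every stage, including a reopening event."""
    wf = MitigationWorkflow(appetite=6)
    risk = Risk("R-1", "PayrollCo", "employee records in a shared multi-tenant "
                "database without field-level encryption", likelihood=4, impact=5)
    wf.identify(risk)                                              # inherent 20 (high)
    wf.evaluate(risk)                                              # 20 > 6 -> EVALUATED
    wf.treat(risk, ["field-level encryption", "quarterly access review"],
             residual_likelihood=2, residual_impact=3,
             validated_by="risk.owner@example.com")                # 6 -> MONITORING
    wf.record_event(risk, "vendor disclosed a breach of the shared database", 4, 3)  # 12 -> reopened
    return risk


if __name__ == "__main__":
    for line in run_example().history:
        print(line)
```

Every transition appends to `history`, which is the evidence trail that the reporting phase later summarises; the "risks by stage within the risk mitigation workflow" view is simply a count over `stage` across all `Risk` records.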



Phase 5: Contracting and Procurement

Sometimes done in parallel with risk mitigation, the contracting and procurement stage is critical from a third-party risk perspective. Contracts often contain details that fall outside the realm of TPRM. Still, there are key provisions, clauses, and terms that TPRM teams should look out for when reviewing vendor contracts. 


Some of these include: 

  • Defined Scope of Services or Products 

  • Price and Payment Terms 

  • Term and Termination Clauses 

  • Intellectual Property Ownership Clause 

  • Deliverables or Services Clause 

  • Representation and Warranties 

  • Confidentiality Clause 

  • Disclaimers or Indemnification 

  • Limitation of Liability 

  • Insurance 

  • Relationship Clause 

  • Data Processing Agreement (DPA) 

  • 4th-party or subprocessor change clauses (notification of new subprocessors and the right to object) 

  • Compliance clause 

  • Service Level Agreements (SLAs), product performance, response time 


Home in on these key terms and report on them in a structured format: for each clause, simply record whether it is adequate, inadequate, or missing. From a security standpoint, also check for security incident and breach-notification obligations with a defined timeline, the right to audit or assess the vendor, and data return or deletion obligations at termination; these are the terms the TPRM team will rely on during an incident and at offboarding. 


Phase 6: Reporting and Recordkeeping

A strong TPRM program has to be able to demonstrate its own compliance, and this step is often overlooked. Maintaining detailed, auditable records in spreadsheets is nearly impossible at scale, which is why many organizations implement TPRM software. With auditable recordkeeping in place, it becomes much easier to report on critical aspects of your program and to identify areas for improvement. 


In practice, a sample reporting dashboard may include: 

  • Total supplier count 

  • Suppliers sorted by risk level 

  • Status on all supplier risk assessments 

  • Number of suppliers with expiring or expired contracts 

  • Risks grouped by level (high, medium, low) 

  • Risks by stage within the risk mitigation workflow 

  • Risks to your parent organization and risks to your subsidiaries 

  • Risk history over time   

Phase 7: Ongoing Monitoring

An assessment is a "moment-in-time" look at a vendor's risks; the engagement, however, does not end with the assessment, or even with risk mitigation. Ongoing vendor monitoring throughout the life of a third-party relationship is critical, as is adapting when new issues arise. 


For example, new regulations, negative news stories, high-profile data breaches, and evolving usage of a vendor (a tool adopted for a pilot that now holds production data) may all change the risks associated with your third parties and warrant a reassessment.


Some key risk-changing events to monitor include: 

  • Mergers, acquisitions, or divestitures 

  • Internal process changes 

  • Negative news or unethical behavior 

  • Natural disasters and other business continuity triggering events 

  • Product releases 

  • Contract changes 

  • Industry or regulatory developments 

  • Financial viability or cash flow 

  • Employee reduction   

Phase 8: Vendor Offboarding

A thorough offboarding procedure is critical, both for security and for recordkeeping. Many organizations maintain an offboarding checklist for vendors, typically combining an internal assessment with one sent to the vendor to confirm that all required steps were taken: the vendor's accounts, API keys, certificates and network access are revoked, your data is returned or destroyed and the destruction is confirmed in writing, and any subprocessors holding copies are covered as well. Equally important is maintaining a detailed evidence trail of these activities to demonstrate compliance in the event of a regulatory inquiry or audit. 



