Third-Party Risk Management (TPRM)
Third-party risk management (TPRM) is the process of identifying, assessing, mitigating, monitoring and reporting on the risk that comes with outsourcing services to, or partnering with, third-party vendors. The risks in scope include data breaches, regulatory non-compliance and operational disruptions, as well as the reputational damage a business suffers when a partnered vendor receives negative press.
In practice, TPRM means auditing the security posture and financial health of new vendors during onboarding, writing specific incident-response provisions into the contract, repeating due-diligence checks at regular intervals, and applying safeguards such as encryption and access control so that losses are limited if an incident does occur.
Related article: Third-party risk management for banks.
Also known as: Vendor risk management, supplier risk
Abbreviations: TPRM, VRM
Examples
Third-party vendors can often present security certifications to streamline the third-party risk management process. For example, Atfinity holds ISO/IEC 27001 certification. This means that an accredited, independent auditor has already found our information security management system and controls to meet the standard's requirements, so a financial institution can rest assured that Atfinity does not pose a high risk. Because the certificate must be maintained through regular surveillance audits and renewed at set intervals, it also demonstrates longevity and consistency. An institution relying on a certificate should still confirm that its stated scope actually covers the service it is buying.
A financial institution can also decide to perform its own third-party risk assessment, looking into aspects such as how data is handled, whether encryption is used across the board, how the software is protected from cyber attacks, and similar checks.
FAQ
What is fourth-party risk management?
Fourth-party risk management refers to the process of identifying and analysing the risk associated with the vendors or partners that a business' own third-party partner uses for a given process. For example, a bank works with fintech company X to offer mobile banking. Fintech X is a third party to the bank. Fintech X in turn outsources its software security processes to fintech Y. In this context, fintech Y is a fourth party to the bank, and the bank carries fourth-party risk even though it has no direct contract with Y.
What tools are used in TPRM?
Depending on the industry and the business in question, organisations might use specialised TPRM software, monitoring platforms, and compliance checklists. Some businesses additionally ask vendors for specific certifications that attest that security controls are in place.
How often should third-party vendors be reviewed?
How often vendors are reviewed depends on the business in question, the industry, which process the vendor is handling, and the vendor's perceived risk profile. Critical vendors that handle sensitive data or are essential to the operation of the business may be reviewed quarterly, while less essential vendors may be reviewed annually. A significant change at the vendor, such as a breach, a change of ownership or a new subcontractor, is also a common trigger for an out-of-cycle review.
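The two FAQ answers above (fourth-party discovery and risk-tiered review cadence) are the kind of bookkeeping a TPRM register does. The following Python is an added, self-contained example, not Atfinity's product or any vendor's code: it walks a constructed outsourcing graph to label each entity as a third, fourth or fifth party (keeping the shortest path when an entity is reachable several ways), and flags which vendors are overdue for review under an assumed 90-day/365-day cadence. The vendor names, tiers, dates and interval values are all made-up illustrations.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review cadence per criticality tier: the page says critical vendors
# may be reviewed quarterly and less essential ones annually.
REVIEW_INTERVAL_DAYS = {"critical": 90, "standard": 365}


@dataclass
class Vendor:
    name: str
    tier: str                 # "critical" or "standard"
    last_review: date
    subcontractors: list = field(default_factory=list)  # names this vendor outsources to


def party_levels(direct_vendors, registry):
    """Map each reachable entity to its party level: 3 for the business's own
    (third-party) vendors, 4 for their subcontractors (fourth parties), and so on.
    Breadth-first search over the outsourcing graph, so an entity reachable by
    several paths is assigned the lowest level at which it appears."""
    levels = {}
    queue = deque((name, 3) for name in direct_vendors)
    while queue:
        name, level = queue.popleft()
        if name in levels:          # already labelled at an equal or lower level
            continue
        levels[name] = level
        for sub in registry[name].subcontractors:
            if sub not in levels:
                queue.append((sub, level + 1))
    return levels


def review_due(vendor, as_of):
    """True when the vendor's tier-specific review interval has elapsed."""
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[vendor.tier])
    return as_of - vendor.last_review >= interval


def overdue_reviews(registry, as_of):
    """Sorted names of every registered entity (third or nth party) whose review is due."""
    return sorted(v.name for v in registry.values() if review_due(v, as_of))


# Constructed sample register mirroring the page's example: the bank uses
# FintechX for mobile banking, FintechX outsources security work to FintechY,
# and both FintechY and a second direct vendor (PayrollCo) use the same cloud host.
SAMPLE_REGISTRY = {
    "FintechX": Vendor("FintechX", "critical", date(2024, 3, 1), ["FintechY"]),
    "PayrollCo": Vendor("PayrollCo", "standard", date(2023, 9, 15), ["CloudHost"]),
    "FintechY": Vendor("FintechY", "critical", date(2024, 5, 15), ["CloudHost"]),
    "CloudHost": Vendor("CloudHost", "standard", date(2023, 5, 1), []),
}
SAMPLE_DIRECT_VENDORS = ["FintechX", "PayrollCo"]
AS_OF = date(2024, 6, 30)   # assumed "today" for the sample run


if __name__ == "__main__":
    for name, level in sorted(party_levels(SAMPLE_DIRECT_VENDORS, SAMPLE_REGISTRY).items()):
        print(f"{name}: {level}th party")
    print("Overdue reviews:", overdue_reviews(SAMPLE_REGISTRY, AS_OF))
```

In the sample, CloudHost is a fifth party via FintechX and a fourth party via PayrollCo; the lowest level wins, since that is the shortest chain through which a failure at CloudHost reaches the bank. FintechX is overdue because a critical vendor last reviewed 121 days ago exceeds the 90-day interval, and CloudHost is overdue on the annual cadence, while PayrollCo and FintechY are still inside their windows.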