In speaking with customers and prospects, we realize that some organizations find third-party risk management a messy area. Usually, it’s because there is no dedicated team, so the risk accountability is shared among multiple areas or business owners. From there arises the issue of not having a centralized and/or standardized way of assessing third-parties. So how to build a central program to be deployed across the organization, with TPRM and governance as a priority?
First, ensure there is executive management support and buy-in. Providing a strong business case to demonstrate the need for governance structure and standardize processes, defining roles and responsibilities, overall due diligence, monitoring and reporting. In addition, lack of any TPRM process could potentially cause reputational risk.
This would lead to a governance structure that will probably include:
- A Business Unit Owner
- Legal and/or Contract Management
- Procurement
- InfoSec
- TPRM Analysts, who will review the documentation, ask the questions or oversee the assessment, follow up with third-parties, get clarifications on findings, write final reports and provide overall recommendation from the third-party assessment.
- TPRM Manager, who will join the Business Owner in analyzing, reviewing the final report and determining whether they should move forward with the new third-party or not.
Read More: How to Get Legal, Procurement and Business Owners Onboard with Security
The benefits of building a governance structure around TPRM
Once a governance structure is established and understands its role in the organization, the TPRM program overall workflow can be defined. Organizations can quickly improve efficiency by starting with an intake form. An automated intake form or automatic scorings based on custom criteria will make the difference in terms of how much intervention is needed throughout the process.

Having a TPRM technology provider will enable streamlining the process. There still will be a need for manual intervention to review assessments, but it will be significantly reduced. This allows more time for analysis, investigation and follow ups.
As companies have a better understanding of their vendor population, frameworks and methodologies can be developed, in order to standardize the assessment, workflow, and terminology around how the organization perceives (and manages) risk.
How do companies come up with their parameters around risk?
Not all vendors are created equal, but a framework should be developed in order to normalize the risk. This would include assessing the level of risk based on the impact category that it would have on your organization, such as:
- What type of data does the third-party have access to?
- Is type of access important to us?
- Is reputational risk important to us?
It’s important to understand that the actual function of the TPRM program is not only performing full risk assessment, but also ensuring that the third-party is complying with legal and regulatory requirements such as GDPR and CCPA, and I think we’ll have more of these as states start to implement their own. The TPRM program is not a one and done, but must also include continuous monitoring.
To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now: