Third-party relationships with business partners, suppliers, vendors, and software providers may drive operational efficiency and innovation, but they also introduce significant security, compliance, and resilience risk. As a result, business leaders are struggling to keep up with an expanding supply chain risk universe into which they have minimal insight. 

At a time when nearly 70% of functional stakeholders lack visibility into third-party risks, organizations need a reset on their third-party risk management (TPRM) programs. 

Drivers of Increased Third-Party Risk  

An overreliance on third parties can lead to concentration risk, where a disruption at a single vendor has widespread consequences. These single points of failure are also attractive to threat actors, who target third-party relationships to exploit vulnerabilities and gain access to sensitive data.  

Regulatory requirements are also expanding, necessitating robust TPRM programs to ensure compliance with laws such as GDPR, CPRA, and upcoming regulations like NIS2 and the EU AI Act. While complying with existing rules is difficult enough, adapting to continuous regulatory sprawl presents new challenges for companies with particularly complex third-party ecosystems. 

Key Program Components Across the TPRM Lifecycle 

A comprehensive TPRM program includes several critical components at various stages of the TPRM lifecycle. 

  • Identification: Understanding the purpose and risk profile of potential third parties. 
  • Diligence: Conducting risk-based, actionable due diligence. 
  • Monitoring: Continuously managing third-party risks as their profiles change. 
  • Offboarding: Ensuring proper termination of third-party relationships when no longer needed. 

These components are supported by enterprise-level policies, automated vendor tiering, continuous monitoring diagnostics, integration with other tools, training plans, and role/responsibility matrices.  

TPRM Governance Structure 

Effective TPRM requires a strong governance model with clearly defined roles and responsibilities across three layers:  

  • Risk managers and relationship managers: Responsible for day-to-day management and oversight of third-party relationships. 
  • Board of Directors and TPRM committee: Providing oversight, guidance, and ensuring alignment with the organization’s risk appetite and regulatory requirements. 
  • Internal audit: Offering independent assurance on the effectiveness of the TPRM framework. 


Common Challenges  

Organizations face several challenges in implementing effective TPRM programs, including:  

  • Third-party inconsistencies: Duplicated efforts and unjustified vendor costs. 
  • Missing legal and technical protections: Inadequate contractual clauses. 
  • Unknown and unmanaged risk exposures: Limitations in identifying and managing risks. 
  • Unclear roles and responsibilities: Inadequate change management and training. 
  • Operational inefficiencies: Lack of standardized protocols leading to shadow procurement processes. 

These challenges also present opportunities for transformation. Organizations able to harness cross-functional synergies and execute clearly on their TPRM roadmap stand a better chance of proactively mitigating the risk of implementation failure. 

Measuring Program Success 

To measure the success of a TPRM program, organizations should track key metrics such as:  

  • Cybersecurity: Percentage of major cyber incidents caused by vendors. 
  • Resiliency: Number of vendors in financial distress. 
  • Regulatory compliance: Number of vendors in violation of local laws. 
  • Concentration risk: Percentage of critical vendors performing unique functions. 
  • Data privacy: Percentage of vendors with access to critical assets. 

Q&A: Insights from Industry Experts  

Explore frequently asked TPRM questions and answers below, sourced from common pain points and real client conversations our Integrated Risk Management team has recently had:

What activities in a TPRM program can deliver cost savings through contracts and provide additional value to the business?

In the vendor identification process, require the business to evaluate and receive quotes from 2-3 competitors of those vendors to ensure you’re getting the best value possible. In the due diligence process, it’s a best practice to review financial risk and expected ROI associated with a certain vendor prior to onboarding.

Within the TPRM process, when is the best time to utilize continuous monitoring? Is it meant to be used in conjunction with an annual questionnaire or should it be utilized between questionnaires? How frequently should you check up on the results?

Annual questionnaires or reassessments of vendors are certainly examples of continuous monitoring. We recommend reassessing critical vendors more frequently (e.g., annually). Some mature programs also leverage tools (e.g., SecurityScorecard, UpGuard) to collect and analyze publicly available information about existing vendors in real time.

Should there be a separation between third parties for supply chain and third parties for operations (ex: HVAC, BMS, monitoring, maintenance)?

In our experience, there usually aren’t separate TPRM programs or vendor inventories, but it’s good practice to classify third parties as different “types” and subsequently define different risk management expectations based on type, classification of data, risk level, etc.

How do you identify and maintain an inventory of all the third parties in a large organization?

A few techniques we’ve seen work well include working with legal to monitor contract renewals, reviewing your procurement system (e.g., Coupa) and AP/expense reports, and conducting department-wide surveys. Usually, a combination of these works well.

Can you give examples of continuous monitoring diagnostics?

Examples of continuous monitoring metrics include time to assess new vendors, risk remediation rate, percentage of critical vendors with completed risk assessments, and number of overdue risk mitigation actions.

Which department should have ownership (or primary ownership) of TPRM?

It’s definitely a shared responsibility across legal, procurement, business owners, information security, etc. If you have a TPRM program owner or lead that coordinates responsibilities and sets your program framework, we usually see them reporting to the Chief Risk Officer or Chief Compliance Officer – whoever is responsible for overseeing the overall risk management function at the organization.

I’m planning an internal audit of our third-party relationships. What’s an audit step I should ensure is included?

During scoping, think about risks and controls across the TPRM lifecycle: identification, due diligence, monitoring, and termination. One especially productive audit step is during due diligence. Select a sample of high-risk vendors and test whether the required risk analysis and approvals have occurred. 

What is best practice for obtaining and reviewing SOC 1/2 reports for the subservice providers of our company’s service providers? 

Generally, it’s best practice to request reports for subservice providers from your vendor during the due diligence process. They should have these reports available. After receiving them, pay special attention to the Complementary User Entity Controls (CUECs), which may require your organization to implement or operate controls on its side for the service provider’s controls to be effective. This process should be reserved for the most critical service providers, or those with access to very sensitive data.

How do you prevent a third-party risk questionnaire from becoming an endless list of questions from all stakeholders?

Focus on the highest-risk vendors and the highest-risk areas for your organization. Use conditional logic so that follow-up questions appear only when a question is answered “yes” or requires additional information. Request SOC reports where possible in lieu of full security questionnaires.

How can we accelerate the verification process of automated questionnaire results? Or how can the verification process also be automated?

Results need verification in most cases. Accelerate this process by focusing on the highest-risk vendors and highest-risk areas first. Some tools now also save time by intelligently analyzing responses and, for reassessments, highlighting any changes from the previous questionnaire responses so that reviewers can concentrate on what is new.

What if there is no procurement team? What would be a good control to ensure we still have an adequate due diligence process in place for TPRM?

If there isn’t someone specifically responsible, having a control where legal reviews and approves new contracts and ensures some form of due diligence is a good practice.

When offboarding, how does an entity ensure all its data is fully retrieved from the vendor? Are there any special due diligence measures you suggest?

Depending on what’s outlined in your contract with a vendor, you can request a certificate of destruction upon termination of the relationship. Contractual clauses around deletion and retention are your best bet, but there are other techniques that may be available as well.

As organizations continue to expand their reliance on third parties, the importance of a robust TPRM program cannot be overstated. By understanding the drivers of third-party risk, establishing strong governance structures, and measuring and improving program success, leaders can deliver new value from the risk function. 

Ready to build or optimize your TPRM program? Contact CrossCountry Consulting to get started. 


Stephanie Mendolia

Integrated Risk Management


Contributing authors

Elizabeth O’Connell