Third-party risk management

A proven process to understand and address your key vendor risks

A comprehensive approach to reducing third-party and vendor risk

Third-party risk management (TPRM), also called vendor risk management, is the practice of evaluating and mitigating risks introduced by vendors (suppliers, third parties, or other business professionals) before establishing and throughout a business relationship.

In today’s complex market, companies often turn to specialized contractors and third-party service providers to focus on core activities. However, many organizations have learned this practice comes with a certain measure of risk. Whether a professional service provider makes an honest mistake or a technology service provider encounters a cyberattack seizing operations, companies must address the introduction of various levels of risk.

Common third-party risks

Organizations encounter many different types of third-party risks, and while each of the following are not applicable to every third-party relationship, the risks increase as more complex significant systems become involved. Common risks include:

Strategy risk

The risk that adverse business decisions are made or the failure to implement appropriate business decisions in a manner that is consistent with strategic goals

Reputation risk

The risk arising from negative public opinion such as third-party relationships that result in dissatisfied customers, security breaches resulting in the disclosure of customer information, or violations of laws and regulations.

Operational risk

The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events made more difficult to manage given third-party processes and systems that increase overall operational complexity.

Transaction risk

The risk arising from a third-party's failure to perform as expected due to reasons such as inadequate capacity, human error, technology failure or fraud; weak controls over third-party IT may result in threats to security and the integrity of data or could result in unauthorized transactions. 

Compliance risk

The risk arising from violations of laws, rules or regulations, or from noncompliance with internal policies or procedures.

The types of risk introduced by third parties simply cannot be fully assessed without a complete understanding of the resulting arrangement, We can help you assess these risks and complete a comprehensive strategy to better manage these risks and third-party processes.

A well-designed TPRM program allows you to manage risks efficiently and effectively. By incorporating an appropriate level of governance and oversight, aligning to a repeatable risk-based framework, and enabling technology and automation, your organization can gain operational efficiencies while simultaneously reducing residual risks.

What does a TPRM program look like?

RSM US LLP’s TPRM process focuses on key components that assist organizations in designing and executing an efficient and effective program, including:

  • Governance and oversight
  • Risk assessment methodologies aligned with leading frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Office of the Comptroller of the Currency (OCC) guidance
  • Use of tools and technology to enable automation and increase efficiencies 
  • Policies and procedures to establish the cadence of the risk mitigation activities across the sourcing life cycle:
    • Planning
    • Due diligence
    • Contracting
    • Ongoing monitoring
    • Termination

RSM takes a holistic approach to assessing risk and developing a customized approach tailored to your unique third-party strategy and business goals. Our comprehensive methodology for managing third-party risk helps you address major sources of risk, including cyber, strategic, compliance, operational, transactional, environment social governance, and reputational.

Program assessment and internal audit

Overview of program build and design

Technology enablement and transformation

  • Program training and rollout
  • Vendor audits and due diligence
  • Vendor inventory validation
  • Software selection and request for proposal (RFP) development
  • TPRM business intelligence reporting / C-suite value metrics

Comprehensive approach to TPRM-as-a-service

  • Vendor monitoring
  • Full program outsourcing and managed services

Additional insights and solutions to achieve your organization’s goals

Curated content to keep you informed

Contact our risk assessment professionals

Get a customized blueprint to help identify and manage the risks within your organization.

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.