Third-party risk management

A proven process to understand and address your key vendor risks

A comprehensive approach to reducing third-party and vendor risk

Third-party risk management (TPRM), also called vendor risk management, is the practice of evaluating and mitigating risks introduced by vendors (suppliers, third parties, or other business professionals) before establishing and throughout a business relationship.

In today’s complex market, companies often turn to specialized contractors and third-party service providers so they can focus on core activities. However, many organizations have learned that this practice carries a certain measure of risk. Whether a professional service provider makes an honest mistake or a technology service provider suffers a cyberattack that halts its operations, companies must address the varying levels of risk these relationships introduce.

A well-designed TPRM program allows you to manage risks efficiently and effectively. By incorporating an appropriate level of governance and oversight, aligning to a repeatable risk-based framework, and enabling technology and automation, your organization can gain operational efficiencies while simultaneously reducing residual risks.

What does a TPRM program look like?

RSM US LLP’s TPRM process focuses on key components that assist organizations in designing and executing an efficient and effective program, including:

  • Governance and oversight
  • Risk assessment methodologies aligned with leading frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Office of the Comptroller of the Currency (OCC) guidance
  • Use of tools and technology to enable automation and increase efficiencies
  • Policies and procedures to establish the cadence of the risk mitigation activities across the sourcing life cycle:
    • Planning
    • Due diligence
    • Contracting
    • Ongoing monitoring
    • Termination

RSM takes a holistic approach to assessing risk and develops a customized approach tailored to your unique third-party strategy and business goals. Our comprehensive methodology for managing third-party risk helps you address major sources of risk, including cyber, strategic, compliance, operational, transactional, environmental, social and governance (ESG), and reputational risk.

Third-party risk services include:

Program assessment and internal audit

  • TPRM maturity assessment
  • Third-party risk internal audit co-sourcing

Program build and design

  • TPRM policy and procedure development
  • Third-party risk assessments (on-site and remote)
  • Third-party cyber resiliency
  • Contract assessment

Technology enablement and transformation

  • Program training and rollout
  • Vendor audits and due diligence
  • Vendor inventory validation
  • Software selection and request for proposal (RFP) development
  • TPRM business intelligence reporting / C-suite value metrics


  • Vendor monitoring
  • Full program outsourcing and managed services
