Vendor Centric Blog

What is Third-Party Risk Management?

Organizations rely heavily on their third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. However, third-party relationships come with multiple risks that include:


  1. Strategic Risk - Risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with stated strategic goals.

  2. Reputation Risk - Risk arising from negative public opinion. Third-party relationships that result in dissatisfied customers, interactions not consistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, or violations of laws and regulations can all damage reputation.

  3. Operational Risk - Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

  4. Transaction Risk - Risk arising from problems with service or product delivery.

  5. Compliance Risk - Risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.

  6. Information Security Risk - Risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that applies regardless of the form the data may take.


Third-Party Risk Management (TPRM) is the process of identifying, assessing and controlling these and other risks presented throughout the lifecycle of your relationships with third parties. This oftentimes starts during procurement and extends all the way through the end of the offboarding process.


Given the breadth and potential severity of risks that are inherently present with third parties, TPRM has quickly evolved from a ‘check-the-box’ process to a substantive function, complete with policies, procedures and systems, in companies that are serious about managing third-party risk. These companies are now taking more comprehensive steps to ensure that their third parties not only comply with regulations, but also protect confidential information and IT systems, avoid unethical practices, keep up a safe and healthy working environment, strengthen supply chain security, handle disruptions effectively, and sustain high quality and performance levels.



An effective third-party risk management function provides for, at a minimum:


  1. Central visibility into all third-party relationships and contracts

  2. A formal, pre-contract risk assessment and due diligence process

  3. Use of standardized, risk-mitigating contractual terms and provisions

  4. Risk-based monitoring and oversight

  5. Formal offboarding at the end of the relationship


An effective third-party risk management function also includes the identification and evaluation of fourth parties; that is, the downstream vendors, suppliers and contractors used by your own third parties. Risk flows down all the way to the last supplier in the chain, so it’s key you know who they are and how they are managed.


Remember, the responsibility for managing third-party risk falls on you. To protect your business from issues associated with profitability, reputation, regulation and even litigation, it’s important to establish processes that will allow you to oversee these issues. Regulators have stepped up their standards regarding how companies protect themselves against third-party issues, so this area is becoming a more important part of your risk management plan.


Check out some Cyber Security tips that our friends at Aligned Technology Solutions recently shared!

Copyright © 2018 Vendor Centric. All rights reserved.