Working with third parties is nothing new for most organizations. By the time leadership decides to start a formal Third-Party Risk Management (TPRM) program, there are often multiple third-party relationships already in motion. This makes it challenging to create a TPRM program that addresses all vendors, suppliers, and third parties — each posing its own unique risks to the organization.
To help navigate the winding road of third-party risk management, we spoke with six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies about their approach to building a TPRM program and the lessons they learned along the way.
Whether you’re working with one or 1,000 third parties, establishing a TPRM program follows these general steps:
In this post, we cover the first step of building your TPRM program: Scoping your program and getting leadership buy-in.
Download our InfoSec's guide to third-party risk management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.
While every TPRM manager wants a program that actively mitigates all third-party risks, the reality is that not all relationships need to be evaluated at the same level. It takes significant resources to perform security checks, risk reviews, and other due diligence tasks — which aren’t always available, especially at the start of a TPRM program.
Defining your program scope helps establish clear boundaries, deliverables, and timelines, and keeps the focus on efforts that deliver the highest value.
“There are a lot of considerations, but early on, you're trying to knock out the low-hanging fruit and figure out your risk exposure based on the partners you have,” says Tim Mullen, Chief Information Security Officer, OneTrust. “We’re going to have a lot more rigor when it comes to reviewing a security or financial services vendor versus a vendor that provides us with something like paper towels or toilet paper.”
Use these questions to help set the scope for your TPRM program: