Skip to main content

On-demand webinar coming soon...

Blog

How to start a third-party risk management program: Monitor and maintain performance

Measure, track, and report results while staying secure and compliant

Katrina Dalao
Sr. Content Marketing Specialist, CIPM
July 11, 2023

Woman works on a blueprint in her office

You can’t launch a third-party risk management (TPRM) program and expect it to protect your organization forever. New cybersecurity risks emerge every day and your third-party ecosystem and relationships will evolve.

Gartner estimates that 45% of organizations around the globe will have experienced an attack on their digital supply chains by 2025. To safeguard against these attacks, organizations need responsive security measures that keep pace with changes in the threat landscape. 

When it comes to TPRM programs, maintenance is as important as the development itself. By keeping its third-party processes up-to-date, organizations can stay ahead of potential issues and minimize any negative impact if they do occur.  

We asked six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies on ways to best maintain a TPRM program, as well as how they typically report results to leadership. This is the last post in our series on building a TPRM program. 

Download our InfoSec's guide to third-party risk management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.

 

How do you monitor third-party risks?

Most third parties are in the ongoing monitoring stage of the TPRM lifecycle. Even if they pass their initial assessment with flying colors, it’s only a snapshot of the third party’s current state — ongoing monitoring is still necessary to mitigate risk throughout the entire relationship. 

Third-party monitoring is typically facilitated by an automated risk monitoring tool, and should include a step-by-step plan to address any security alerts and determine the necessary actions for every issue. 

“Even after a vendor is onboarded, you need to plan your monitoring process and workflow in case an issue comes up. Say something happens related to environmental, social, and governance (ESG) — who's handling that? It’s not a security issue. If you define roles and responsibilities ahead of time, then you’ll know the next steps,” says Kevin Liu, Sr. Director of Information Security at OneTrust.  

“When I see an alert, I make sure to assess and understand it first because not every single alert is equal. Go through the list of what you’re monitoring for — the security posture, the social governance aspect, the financial health in some cases, and so on.” 

If an alert needs to be addressed, teams should get in touch with the third party to further investigate and limit any potential threats. This can involve turning off the third party’s access and requiring status updates as they work through their corrective action plan. Only when the third party can provide evidence that the issue has been resolved should an organization grant access back into their internal systems.

 

Maintain a TPRM program

The key to maintaining a TPRM program is being responsive to any changes in your third-party environment or risk landscape.

“If you're doing the same business as you were last year and nothing's really changed, you might not need to do any active maintenance,” says Tim Mullen, Chief Information Security Officer at OneTrust. “Of course, if there’s something new in the market — a new vulnerability, new zero day, something that’s piquing our interest — that can prompt a change.”

The following questions can help guide your routine maintenance process: 

  • Did you engage in a new third-party contract? 
  • Are you sharing different types of data? 
  • Are there any potential new risks identified by the organization?
  • Have you started a new line of business? 
  • Did you engage in any mergers and acquisitions or asset sales?  

“Another common thing that happens is you sign on a vendor and then the scope changes. For example, you could have implemented a new functionality and then all of a sudden, a vendor that was low risk now has access to highly sensitive data,” says Jose Costa, Sr. Director of GRC Labs & Research at OneTrust. “Even little changes in vendor relationships should go through another assessment process.”

In most cases, you should revisit your TPRM program once a year. The goal of reassessing TPRM processes is to not only maintain security, but also continue maturing your program. 

“Don’t just assess TPRM — assess everything that touches it. What's your policy related to vendor management? Are there issues the organization identified related to this vendor or even another vendor in the same category? Bring in any relevant information and assess your TPRM program holistically to see how to move forward,” says Liu.  

 

Report TPRM program performance to management

Reporting on the performance of your TPRM program is different for every organization. 

Depending on the maturity of your program and what matters most to management, any number of the following metrics can be included:  

  • Total number of third parties assessed
  • How long it takes to assess third parties
  • Distribution of third parties across low, medium, and critical tiers
  • Overall level of risk exposure introduced by third parties
  • Volume of issues associated with third parties (over a period of time)
  • Average remediation period
  • Any overdue risk mitigation activities

“If you're just starting to implement a TPRM program, you may report how many vendors have gone through the process, how many are compliant, etc. Or you may report the major risks you’ve assessed, how you mitigated them, and how you plan to evaluate them on a regular basis,” says Costa. “It really depends on what management wants to see, but I would keep it high-level and at least make sure 100% of my vendors, irrespective of the size and complexity, go through the process and that the process is working.”

As the program matures, management will want to see the actual impact of your TPRM efforts and how they lead to lower risk. This requires finding ways to meaningfully quantify the change in third-party risk levels and highlighting that in your reports. 

“In information security, there are very rarely precise and actual estimates of real risk. So we have to look for indicators of risk, proxies for risk, or even more lagging indicators of the actual number of incidents,” says Matthew Solomon, VP of Technology and Cyber Risk Management at Humana. “In terms of showing the actual impact of the program, the trick is really to get as close to the quantification of your risk level as you can and how you're driving that down.” 

 

Lower risk levels with TPRM 

Regardless of where you are along your TPRM journey, the end goal is to see lower risk across your organization. This can be achieved by actively monitoring security alerts, addressing any potential issues, and periodically reviewing your program for any significant changes or updates. Finally, show the result of your team’s efforts by quantifying third-party risk levels and highlighting the actual risk impact of your work. 

 

Reduce risk, build trust, and enhance business resilience by unifying third-party management across privacy, security, ethics, and ESG. Book a demo today


You may also like

Webinar

Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Register for this live demo to learn more about OneTrust Third-Party Risk Management solutions.

July 24, 2024

Learn more

Webinar

Third-Party Risk

Protecting your reputation: 3 ways a unified third-party management program can help

This webinar will show you how to develop strategies for assessing reputational risks as it relates to third parties and the impact of third-party relationships.

June 12, 2024

Learn more

Webinar

Third-Party Risk

Third-Party risk management and due diligence: What's the difference and why does it matter?

In this webinar, we’ll discuss the unique competencies of third-party risk and due diligence programs and examine when and how to align them.

May 08, 2024

Learn more

Webinar

Third-Party Risk

Live demo EMEA: Building your third-party risk management program with OneTrust

Join our webinar to learn how you can build an well-rounded Third-Party Risk Management Program that works for your organisation

April 23, 2024

Learn more

Webinar

Third-Party Risk

5 Best practices for increasing resilience when working with third parties webinar

Learn how to leverage financial, operations, compliance, ESG, and cyber scores to drive resilience insights and detect possible supply chain disruptions.

April 18, 2024

Learn more

Webinar

Third-Party Risk

TPRM privacy compliance: 10 best practices when working with third parties

How can you build a privacy-focused TPRM program? In this webinar, we discuss best practices for privacy compliance when working with third parties, from onboarding to offboarding.

March 13, 2024

Learn more

Video

Third-Party Risk

6 must-know trends in third-party management

Watch this video for the five top trends shaping the third-party management industry this year.

February 15, 2024

Learn more

Checklist

AI Governance

Questions to add to existing vendor assessments for AI

Managing third-party risk is a critical part of AI governance, but you don’t have to start from scratch. Use these questions to adapt your existing vendor assessments to be used for AI.

January 31, 2024

Learn more

Infographic

Third-Party Risk

4 top-of-mind challenges for CISOs in 2024

What key challenges do CISOs face going into the new year? Download this infographic to hear what experts from industries across the board have to say.

January 30, 2024

Learn more

Webinar

Third-Party Risk

A look back at 2023 & third-party management trends for the new year

Join this webinar as we discuss key trends for third-party management and lessons learned over the last year.

January 24, 2024

Learn more

Webinar

Third-Party Risk

Live demo EMEA: Master third-party risk management with OneTrust

Attend this demo to see how our TPRM solution can help you identify and mitigate risk as well as automate manual and repetitive tasks to ultimately reduce the time you spend managing your vendors

January 23, 2024

Learn more

Webinar

Third-Party Risk

Utilizing inherent risk for more efficient third-party management

Insight into your third parties’ inherent risks can change the way you run your TPM program.

November 30, 2023

Learn more

Webinar

Third-Party Risk

Elevating third-party safety: The art of TPRM and TPDD integration

Join our webinar to learn the primary goals of successful Third-Party Risk and Third-Party Due Diligence programs.

November 21, 2023

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more

Webinar

Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more

eBook

Third-Party Risk

Data privacy compliance and Third-Party Management: A unified approach

Understand the importance of data privacy in third-party risk management, and 10 best practices for achieving privacy compliance when working with third parties.

October 12, 2023

Learn more

Webinar

Third-Party Risk

Live Demo EMEA: How OneTrust can help advance your third-party risk management program

Join us for a live demo of OneTrust's third-party risk management solution and see how it can help automate and streamline your TPRM program.

September 19, 2023

Learn more

Webinar

Third-Party Risk

Where contracting fits in the third-party risk lifecycle: 5 opportunities for optimization

Join this webinar to learn how to manage the third-party risk lifecycle across teams while optimizing your processes with automation.

September 07, 2023

Learn more

Webinar

Third-Party Risk

Staying vigilant: 7 practical tips for ongoing third-party risk monitoring

In this webinar, we'll share seven practical tips for effective third-party risk monitoring, helping you to identify new risks and take timely action to protect your business.

August 01, 2023

Learn more

Infographic

Third-Party Risk

What are your third parties not telling you?

Learn how to actively screen and monitor your third parties in the OneTrust Third-Party Risk Exchange.

July 24, 2023

Learn more

Webinar

Third-Party Due Diligence

Driving excellence in third-party risk management: An in-depth look at different due diligence approaches

Join our in-depth webinar and learn how to define third-party due dilligence levels and when to apply them during your vendor management lifecycle.

July 20, 2023

Learn more

Webinar

Third-Party Risk

Automating third-party management workflows: 5 ways to drive alignment across teams

Join us as we explore how automating third-party management workflows streamlines processes, drives alignment across teams, and reduces reduntant work.

July 19, 2023

Learn more

Webinar

Third-Party Due Diligence

A shortcut to third party due diligence fundamentals

In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.

July 13, 2023

Learn more

Webinar

Third-Party Risk

Are your third parties a privacy compliance liability? 5 tips to reduce your exposure

Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.

July 05, 2023

Learn more

Video

Third-Party Risk

Third-party management demo

See how OneTrust's third-party management solution can help scale your third-party lifecycle and evaluate vendors with real-time risk intelligence.

June 27, 2023

Learn more

Video

GRC & Security Assurance

Third-party risk exchange demo

The OneTrust Vendor Risk Management provides businesses access to pre-completed vendor risk assessments while supporting industry standards.

June 22, 2023

Learn more

Webinar

Third-Party Risk

Third-party data breach incident response: Essential workflows for effective recovery

Join OneTrust and HackNotice as we discuss effective ways to protect your organization from third-party data breaches and build strong incident response workflows. 

June 13, 2023

Learn more

Webinar

Third-Party Risk

Bridging the gap: How procurement and InfoSec can work together to reduce third-party risks

Join our upcoming webinar as we explore the pivotal ways procurement and InfoSec teams can collaborate to reduce third-party risks.

June 08, 2023

Learn more

eBook

Third-Party Risk

InfoSec's guide to third-party risk management: Key considerations and best practices

Download our eBook to learn practical advice on how to approach third-party risk management like an InfoSec expert.

June 05, 2023

Learn more

Webinar

Third-Party Risk

Unpacking the third-party risk regulatory landscape in the Nordic region and beyond

In this live webinar, our expert panel discuss emerging third-party risk regulatory trends in the Nordic region and show how OneTrust can help your business stay complaint.

May 30, 2023

Learn more

Webinar

Third-Party Risk

Save time, save money: A practical guide to automating third-party risk management

In this webinar, you will learn how to reduce the use of spreadsheets for third-party risk management and cut costs when building your TPRM program.

May 03, 2023

Learn more

Webinar

Third-Party Risk

Third-Party management secrets: Aligning risk management and due diligence

Watch this webinar to learn how to align your TPRM and TPDD programs to achieve workflow efficiencies and the distinction between the two discipline areas.

April 20, 2023

Learn more

In-Person Event

Third-Party Risk

Risk on the Road: Navigating data management, compliance automation and third-party risk

Join this OneTrust live event series, which will address critical topics such as navigating data management, compliance automation and third-party risk.

April 11, 2023

Learn more

Infographic

Third-Party Risk

Third-party risk: A growing spiderweb

The number of businesses and third-party suppliers has increased, widening the risk landscape. This infographic shows how businesses are managing that risk.

April 03, 2023

Learn more

Webinar

Privacy Management

The US privacy landscape for third-party risk: a program prototype time

Learn how to balance the intricacies of CPRA, VCDPA, CPA, CTDPA, and UCPA when managing third parties and understanding privacy-related risks.

March 28, 2023

Learn more

Webinar

Third-Party Risk

Efficient third-party risk management: 10 Best practices for streamlining workflows

Attend this webinar to learn about Third-Party Risk Management (TPRM) workflow definition and maintenance best practices you can apply to your business.NEED

February 13, 2023

Learn more

Webinar

Third-Party Risk

Third-Party Management roundtable: 3 strategies for aligning Security, Privacy, Ethics, and ESG teams

In this webinar, you will learn how to utilize TPRM to help to optimize workflows, leverage data, and increase accountability across sourcing and procurement.

February 01, 2023

Learn more

Webinar

Third-Party Risk

Third-party risk management demo

Our third-party risk software helps you build a vendor inventory, conduct vendor assessments, mitigate risks, monitor vendors over time, and more.

January 04, 2023

Learn more

Report

Third-Party Risk

Gartner® Market Guide: IT Vendor Risk Management Solutions

Download this Market Guide from Gartner® to gain insights into this evolving market, including access to leading IT Vendor Risk Management solution profiles.

January 03, 2023

Learn more

Video

Third-Party Risk

OneTrust third-party risk management for privacy professionals

Watch the demo video to learn how OneTrust Third-Party Risk Management can help your TPRM program meet your privacy team's expectations.

December 07, 2022

Learn more

Webinar

Third-Party Risk

How do you manage your third-party cyber risks? 5 best practices to improve your cyber resilience webinar

In this session, we’ll outline how to identify, reduce, and monitor cyber risk as it relates to your third parties including methods for tracking cyber risks over time.

December 06, 2022

Learn more

Webinar

Third-Party Risk

Canada and ISO 27001:2022: How automation streamlines compliance

Join OneTrust for a demo on how our privacy management platform helps Canadian businesses streamline ISO 27001:2022 compliance.

November 30, 2022

Learn more

Webinar

GRC & Security Assurance

Analyzing ISO 27001:2022 reinforcing privacy and security compliance with automation webinar

Learn how InfoSec teams can automate scoping mandatory requirements and streamline generating evidence to prove compliance across ISO.

November 17, 2022

Learn more

Webinar

Third-Party Risk

Do You Know Your third-party cyber risks? How to take a data-driven approach to reduce risk

In this webinar session, we’ll outline how to take a data-driven approach to understand, reduce, and monitor cyber risks as it relates to your third parties.

November 15, 2022

Learn more

Webinar

Third-Party Risk

TPRM program blueprint: Your 5 step guide to third-party risk management success

This webinar focuses on the fundamental considerations when managing third parties and enables your organization to build a solid and scalable foundation.

October 31, 2022

Learn more

Webinar

Third-Party Risk

How OneTrust can help scale your Third-Party Risk program

In this webinar, we provide a live product demonstration to show you how your organization can optimize and scale a third-party risk program.

October 18, 2022

Learn more

Webinar

Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Watch this webinar as OneTrust discusses how privacy and security teams can save time throughout the third-party risk assessment lifecycle.

October 11, 2022

Learn more

Webinar

Third-Party Risk

7 core metrics every third-party risk program must track (and how to track them)

We’ll discuss the 7 core metrics successful third-party risk programs track and how to track them, such as critical metrics to track as your program matures.

September 28, 2022

Learn more

Webinar

Third-Party Risk

Do you know your riskiest third parties?  7 warning signs you shouldn’t ignore 

Learn the top 7 red flags for risky third parties, mitigation tactics for reducing third-party risk, and key ways to streamline risk identification, and more.

September 22, 2022

Learn more

Webinar

Third-Party Risk

3 Strategies for simplifying privacy compliance when working with third parties

In this webinar, we'll discuss third-party risk management's role in privacy compliance and cost-effective techniques for maintaining records for compliance.

September 18, 2022

Learn more

eBook

Technology Risk & Compliance

The art of the enterprise IT risk assessment

Ensure your enterprise IT risk assessment is a success with a top-down approach that gets executive buy-in from the start

September 16, 2022

Learn more

Webinar

GRC & Security Assurance

Supply Chain Due Diligence Best Practices: A Practical Implementation Guide to LkSG Webinar

Watch our LkSG webinar to understand the scope of LkSG, how your company will need to adjust, and the repercussions of noncompliance.

September 07, 2022

Learn more

Webinar

Third-Party Risk

Security & privacy C-Level panel: Best practices for building your TPRM program

In this webinar, we discuss best practices for how privacy and security teams can work better to eliminate redundant work, save time, and be more efficient.

August 30, 2022

Learn more

Webinar

Third-Party Risk

10 best practices for streamlining your third-party risk management workflows

Watch this webinar to hear how to leverage third-party risk management workflow creation and maintenance best practices.

August 30, 2022

Learn more

Webinar

Third-Party Risk

Cybersecurity panel: How well do you know the threats posed by your third parties?

In this panel discussion, we address critical points such as defining the metrics to track in relation to third parties and their cybersecurity risks.  

August 28, 2022

Learn more

Webinar

Third-Party Risk

Third-Party risk and the U.S. privacy landscape: the top 5 things you need to know

In this webinar, we’ll review services providers under the ADPPA and outline how you can ready your third-party risk program to align with privacy regulations.

July 31, 2022

Learn more

Checklist

Third-Party Risk

LkSG readiness checklist: Is your company prepared for the German supply chain due diligence act?

Download our LkSG readiness checklist to understand your readiness for risk management systems and responsibilities, and due diligence obligations.

July 26, 2022

Learn more

Infographic

GRC & Security Assurance

The state of IT & third-party risk infographic

In this infographic, you'll discover third-party risk and learn how to operationalize a "3A approach", including addressing evolving risk factors and timelines.

July 19, 2022

Learn more

Webinar

Third-Party Risk

Better by tomorrow: 7 third-party risk assessment best practices you can implement today

In this webinar, we’ll explore these questions and layout 7 must-know best practices to conduct more meaningful third-party risk assessments.

July 15, 2022

Learn more

eBook

Third-Party Risk

Building your third-party risk management program

Understand what it takes to build a successful third-party risk management program through OneTrust's third-party risk management guide.

July 08, 2022

Learn more

Webinar

Trust Intelligence

Become a trusted brand: 7 ways to promote your security, privacy, ethics and ESG programs

We discuss key points, such as choosing which certifications count the most to your business and how to save time when answering questionnaires.

June 20, 2022

Learn more

Webinar

Third-Party Risk

How to comply: German supply chain Due Diligence act and Forthcoming EU rules

Join our panel of experts as we discuss the German Supply Chain Due Dilligence Act and the best practices for compliance.

June 15, 2022

Learn more

Webinar

Third-Party Risk

Third-Party risk best practices: How to align privacy & security teams for greater productivity

This webinar will discuss best practices for how privacy and security teams can work together to eliminate redundant work, save time, and be more efficient.

June 06, 2022

Learn more

Webinar

GRC & Security Assurance

Elevating your third party risk program with an integrated infosec platform

Join this webinar to learn how you can integrate your Third-Party Risk Management program within a broader IT Security platform

May 26, 2022

Learn more

Webinar

Third-Party Risk

Preparing your TPRM program: A 30-day implementation guide

In this webinar, we will provide you with the steps that you need to define a solid third-party risk management program

May 25, 2022

Learn more

Webinar

Third-Party Risk

Accelerating automation: How the pandemic forced third-party management to scale

Watch this webinar and see how the COVID-19 pandemic forced companies to accelerate automation and scale their third-party management.

April 26, 2022

Learn more

Webinar

Third-Party Risk

Secrets to Success: The winning game plan for security questionnaire response

Discover effective strategies for preparing security questionaire responses with our free webinar.

April 04, 2022

Learn more

Webinar

Third-Party Risk

Ready, set, launch your TPRM program: A 30-day implementation roadmap

Watch this webinar and learn how to launch an effective third-party risk managment program and practical methods to track success.

March 30, 2022

Learn more

eBook

Third-Party Risk

The shift to third-party management

Download our guide on third-party management and learn what you need to know to shift your buisness to TPM.

March 29, 2022

Learn more

White Paper

Third-Party Risk

Third-party risk: A turbulent outlook

Download this joint research report conducted by CyberRisk Alliance and Vendorpedia to understand today's third-party risk landscape.

March 02, 2022

Learn more

eBook

Third-Party Risk

The business value of third-party risk management software

In this eBook, learn the business value of TPRM software and why all leading organizations rely on it when working with third-party vendors.

February 03, 2022

Learn more

Webinar

Third-Party Risk

5 Ways to step-up your business resilience with better third-party management

Join this webinar to learn best practices on how your organization can step-up business resilience with better third-party risk management.

February 02, 2022

Learn more

Webinar

Third-Party Risk

Optimizing third-party risk: enhance automation with an integrated IT risk platform

Watch our free webinar to discover how to optimize your third-party risk program and reduce manual data management with automation.

February 02, 2022

Learn more

Webinar

Privacy Management

2022 Third-party trust predictions and preparations

Prepare for 2022 Trends in Third-Party Risk Management and future-proof your Third-Party Trust program.

January 04, 2022

Learn more

Webinar

Third-Party Risk

Are your third parties a privacy compliance liability? 5 Tips to reduce your exposure

This webinar will discuss how to create a Third-Party Risk Management (TPRM) program that prioritizes privacy compliance and simplifies record-keeping.

December 31, 2021

Learn more

eBook

GRC & Security Assurance

Vendor risk management for privacy professionals

Download the OneTrust Vendor Risk Management Handbook for an in-depth understanding of updated regulations, requirements and more.

November 17, 2021

Learn more

Webinar

Third-Party Risk

Are you a trusted vendor? 10 things every customer wants to know

Access this free webinar to learn how to be a trusted vendor.

July 22, 2021

Learn more

eBook

Third-Party Risk

Mastering the third-party risk management lifecycle

Download our third-party risk management eBook and get a complete roadmap to your TPRM lifecycle.

July 13, 2021

Learn more

Video

Third-Party Risk

Questionnaire Response Automation demo

Watch the demo of our Questionnaire Response Automation tool and learn how it helps vendors automatically answer any questionnaire.

April 08, 2021

Learn more

eBook

Third-Party Risk

The value of the Exchange Community for customers and vendors

Learn how an exchange community of customers and vendors improves security and builds trust.

Learn more

Webinar

Third-Party Risk

Third-party management academy

Join this webinar series, which will focus on the four foundational pillars of Third-Party Risk Management: Automation, Compliance, Reporting, and Collaboration.

Learn more