The shift to third-party management (TPM): What is TPM and why does it matter?

January 25, 2022

Blue and violet gradient background

As the security landscape has evolved, organizations have opened themselves to more risk vectors than ever before — and that number will only continue to climb. Traditionally, the corporate vendor ecosystem — the community of third parties a company shares information with — is analyzed under the lens of third-party risk management (TPRM). More recently, the third-party risk community has seen a major shift to emphasizing the criticality of Ethics and ESG (environmental, social, and governance), pushing risk and security professionals to reconsider the way these implementations are managed.

As a result, a fundamental shift from Third-Party Risk Management to Third-Party Management (TPM) has begun.

What is third-party trust management?

Trust-First Third-Party Management (TPM) is the next evolution of third-party risk and a facet of overall enterprise trust strategy. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG. Specifically, Third-Party Management (TPM) is a discipline of enterprise trust that focuses on the impact a third party has on an organization across each pillar.

Download the eBook to learn more about the shift to Third-Party Management and what it means for your business.

Defining the pillars of third-party trust


Infographic showing elements of trust and how they work together to grow a business


As consumer wants, shareholder needs and due diligence expectations for businesses have evolved, modern third-party risk considerations need to consider ethics and ESG as key risk domains in addition to security and privacy. Here’s a deeper look at each category under the TPM umbrella:

  • Security: Security encompasses two key focus areas, Governance, Risk, Compliance (GRC) and Vendor Risk Management (VRM). In TPM, security considerations focus on the identification, analysis, and mitigation of cybersecurity risks as it relates to third parties.
  • Environmental, Social, and Governance (ESG): ESG and Ethics programs are emerging as key components of a cross-organizational strategy. In TPM, ESG considerations focus on analyzing the reputational risk of working with a third party or supplier as it relates to Environmental, Social, and Governance concerns.
  • Ethics: Ethics, like ESG, is emerging as a key component of business strategy. In TPM, ethics considerations focus on conducting compliance checks and screening third parties as well as continuously monitoring them for concerns relating to adverse media as well as issues around corruption, politically exposed persons (PEP), sanctions lists, and beneficial ownership.
  • Privacy: Privacy encompasses a wide array of subject matter, with a key focus on Consent & Preference Management and Data Governance. In TPM, privacy considerations focus on the protection of personal data and demonstration of compliance as pertains to personal information with an organization’s third parties.At its core, Third-Party Management is about bringing these pillars together to gain a holistic understanding of all risk and opportunities relating to a third party.

Download the eBook to learn more about the shift to Third-Party Management and what it means for your business.

What are the different third-party trust management tools? 

While TPM focuses on breaking down siloes and aligning workflows across teams, it’s important to consider that third-party security and privacy analysis may require a different set of functionalities than those focused on analyzing the ethics or ESG risk relating to a third party. Third-Party management programs require solutions that fit the individual needs of involved stakeholders, while still enabling seamless data sharing and collaboration. TPM considers the following tools as key facets of broader trust management software:


Infographic showing elements of Third-Part Risk Management


  • Third-Party Risk Management Software: Third-party risk management software empowers reassessment and risk monitoring by focusing on reducing security and privacy risks, solving challenges such as automating vendor security and privacy assessments, managing and monitoring your vendor inventory, and streamlining risk mitigation. TPRM software enables a business to conduct risk assessments, implement AI questionnaire autocompletion, streamline risk mitigation workflows and automate recordkeeping to meet the needs of security and privacy professionals across the enterprise.
  • Third-Party Due Diligence Software: Third-party due diligence software empowers due diligence monitoring by focusing on ethics & compliance risks, helping to automate onboarding, conduct compliance checks and screening, analyze risks, provide treatment plans, and maintain ongoing oversight by monitoring key concerns, such as adverse media. TPDD software enables a business to stand up onboarding automation solutions, compliance checks, vendor screening, risk analysis, treatment plans and contextual alerts to meet the needs of ethics professionals across the enterprise.
  • Supplier Sustainability and Responsibility: Supplier sustainability and responsibility software empowers supplier ESG monitoring by focusing on flagging ESG risks, helping organizations to understand and monitor the sustainability and responsibility initiatives of their suppliers in order to inform internal ESG program metrics as well as generate public-facing ESG reports. Visibility into supplier sustainability and responsibility enables a business to stand up ESG assessment technology, understand and track industry standards, conduct reputation risk analysis and implement targets and scorecards to meet the needs of ESG professionals across the enterprise.

Currently, third-party risk management tools are siloed and static, operating independently of one another and through manual processes. TPM focuses on the value of a singular workflow across the enterprise and encourages the implementation of a comprehensive approach, encouraging businesses to move away from spreadsheet-based work. Third-Party management also calls for the centralization and customization of workflows so each team is able to access the specific information needed to execute role-specific tasks efficiently.

Who does third-party trust management matter to? 

Your third parties reflect your organization’s value. As a result, third-party management has wide-ranging implications.

  • Consumers: Consumers are increasingly skeptical of the brands that they engage with. Especially when it comes to commoditized goods, being a trusted brand gives you a competitive advantage with consumers by increasing their confidence in your treatment of their data, their privacy, their communities, and the environment.
  • Employees: Employees have more choice of how, where, and what they work on. This empowers talent to be increasingly selective about the brands that they represent. Individuals have an increased focus on their personal brand, and that aligns with not only where they shop, but also the companies that they work for, meaning that they’ll seek out brands who understand the impact of both their internal actions and the impact that a brand’s third parties and partners have on their community.
  • Investors & Partners: As trust increases and brand reputation stays a key factor in market valuation, partners and investors are holding brands they work with to higher standards and levels of accountability than ever before. Investment trends show that this will now exceed expectations in the realm of privacy and security and reflect those of trust.

Best practices for TPTM 

When actioning TPM across the enterprise, there are 5 important steps to consider:

  1. Define what trust means to your business: What’s acceptable to your business? Define your business needs and what trust expectations you have. Do you need a formal committee or process that reviews third parties across numerous risk domains? Do you understand what risk looks like throughout the entire third-party lifecycle? Do your vendor contracts take into consideration trust metrics you care about, such as sustainability or ethics? Most importantly, is the organization in alignment with the answers to these questions?
  2. Define your risk appetite across domains: What are your company’s trust priorities, and what matters most to your ideal buyer? What is your weighted scale across the domains of security, privacy, ESG and ethics? How do you implement and measure that effectively?
  3. Tier your third parties: any organizations tier third parties into three categories — low risk, moderate risk, and high risk — using a number of different factors, such as:
    • Are you sharing proprietary or confidential business information with the vendor?
    • Are you sharing personal data with the third party?
    • Are you sharing sensitive personal data with the third party?
    • Are you sharing personal data across borders? e. Is the vendor serving critical business functions?
    • What is the potential effect to your organization in the event of unauthorized disclosure of information?
    • What is the potential effect to your organization in the event of unauthorized modification or destruction of information?
    • What is the potential effect to your organization in the event of disruption of access to or use of the third party?
    • What potential ESG impacts are involved with working with the third party?
    • What potential ethical or reputational impacts are involved with working with the third party?
  4. Establish processes and automate workflows: Workflows should be customizable, can vary by the third party, and are made possible by technology. Moving away from manual, static processes is the best way to streamline your TPM process across all domains and stakeholders considered.
  5. Vary your assessment depth: Ensuring that there is variation in your assessment depth is key to implementing a comprehensive TPM strategy. One-size-fits-all assessments are resource-intensive and often leave out key information when applied across domains. Automating your workflows will enable your organization to reduce repetition and customize assessments per risk domain, ensuring the correct depth is achieved based on how the vendor responds.

Download the eBook to learn more about the shift to Third-Party Management and what it means for your business.

Examples of TPTM workflow automation


Graphic showing process of third-party risk management


How can OneTrust help with TPTM? 

Third-Party Trust Management is the next step for Third-Party Risk Management. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG. OneTrust offers technologies that enable organizations to build word-class Third-Party Trust programs by bringing together multiple stakeholders across disciplines to streamline workflows, reduce time spent on manual and redundant processes, and build trust with third parties. To do so, the OneTrust platform leverages expertise in privacy and data governance, GRC and security assurance, ethics and compliance, and ESG.  

You may also like


Third-Party Risk

Staying vigilant: 7 practical tips for ongoing third-party risk monitoring

In this webinar, we'll share seven practical tips for effective third-party risk monitoring, helping you to identify new risks and take timely action to protect your business.

August 02, 2023

Learn more


Third-Party Risk

Automating third-party management workflows: 5 ways to drive alignment across teams

Join us as we explore how automating third-party management workflows streamlines processes, drives alignment across teams, and reduces reduntant work.

July 19, 2023

Learn more


Third-Party Risk

Are your third parties a privacy compliance liability? 5 tips to reduce your exposure

Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.

July 05, 2023

Learn more