Introduction to third-party risk management (TPRM) and cyber risks

In today’s connected economy, we work with an increasing number of third parties. And every time we onboard another third party, we open ourselves up to new possibilities and risks.

Dealing with the many types of risks related to third parties is the very reason why there is such a thing as third-party risk management or TPRM.

Like all areas of risk management, TPRM is increasingly converging with other domains such as compliance (ESG, personal data privacy, etc.) and security (including cybersecurity).

By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements (Gartner)

Moreover, the importance and nature of TPRM are evolving for myriad reasons, ranging from ongoing digitization and digital transformation to geopolitical challenges and various evolutions that accelerated rapidly during the COVID-19 pandemic.

So, let’s take a look at what TPRM means, how third-party risk management is changing, and what you can do to better manage the risks associated with the third parties you work with (and are most critical for your business when they materialize).

What is TPRM? Third-party risk management in context

Every single organization works with third parties. Without them, there wouldn’t be any business, but we need to watch out – and understand and manage – how we introduce different potential types of risk coming with them.

Third-party risk management, or TPRM, refers to the identification, prioritization, remediation, monitoring, and reporting of risks arising from the collaboration of businesses with third parties and management of that collaboration from the start (sourcing and onboarding) to the finish (offboarding). Put more simply: it’s the management of the relationship with the third party from a risk perspective.

TPRM also refers to a class of technological solutions aiming to facilitate, automate, speed up, and enhance various tasks concerning managing the risks that third parties can introduce during the relationship, such as assessing or monitoring risks, as we’ll cover later.

Vendor risk management and third-party risk management in Gartner view on integrated risk management objectives and risk domains - both terms are de facto used interchangeably - source and courtesy Gartner
Vendor risk management and third-party risk management in Gartner’s view on integrated risk management objectives and risk domains – both terms are de facto used interchangeably – source and courtesy Gartner

What types of third parties does TPRM concern?

What exactly do we mean by third parties and risks in this TPRM context? Third parties are all the external people or groups of people we collaborate with to enable our business.

This broad definition might surprise you. In practice, we notice that in most cases, the third parties people refer to when using the term TPRM are vendors, suppliers, and contractors. That’s indeed less broad, and it’s also quite normal because the category of applications referred to as third-party risk management often comes from the domain of (the relationship with) IT (software) vendors and service providers.

However, in general, and certainly in this digital age of ecosystems and increased connectedness, we mean all third parties. The difference is in the types and degrees of risk, more than the types of activities and involved fields.

Suppliers and companies we rely on for sourcing/procurement are and remain, of course, essential third parties. This is especially the case with those that are critical for the business and how it performs, whereby TPRM is vital to optimizing overall performance in an intelligent organizational strategy. 

Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure (Gartner)

Certainly in the digital/cyber risk domain, we broadened how we look at third parties. The reasons to do so include the mentioned ongoing digitalization and ‘rebirth’ of the extended enterprise and the fact that (cyber)security and digital risks have become so ubiquitous. We don’t just have ever more connected technologies and data but also various ecosystems of linked parties. The broadening of our increasingly holistic view also shows in how we look at the attack surface, the role of new types of partners, and an increasing focus beyond third parties (fourth parties and so forth).

On a side note: you’ll often see that terms such as third-party risk management (so, TPRM), vendor risk management (VRM), and supply chain risk management (SCRM) get used interchangeably for quite a few years now by many people. Although there is a convergence between all these areas (just as there is an evolution toward integrated risk management), there are also differences.

Third-party cybersecurity risk: a key determinant in future business engagements

Third-party risk management has become increasingly prominent in analyst predictions for a few years now, underscoring the critical role third-party cybersecurity risks will play in partnership and business decisions, being among the top security issues, in both an IT and OT cybersecurity context.

According to the top eight cybersecurity predictions that research firm Gartner unveiled at the end of June 2022, for instance, by 2025, 60 percent of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

Reminding that cyberattacks related to third parties are rising, the company notes that only 23 percent of security and risk leaders monitor third parties in real-time for cybersecurity exposure.

That is poised to change dramatically, among others, due to regulators and market demand whereby per Gartner, cybersecurity risk will increasingly become this determining factor in decisions regarding third-party business collaborations, “ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.”

TPRM and the financial industry

Despite the rapidly increasing attention for third-party risk management (mainly in relationship with cyber risks), it is not new as a discipline. But it’s not that old either.

TPRM first emerged in highly regulated industries where companies had to manage the risks of their third parties. A typical example is the financial sector.

For instance, since 2013, all U.S. banks have to manage the risks of their third parties. In OCC Bulletin 2013-29, the OCC (Office of the Controller of the Currency, an independent bureau of the U.S. Department of the Treasury) mandated banks to “ensure comprehensive risk management and oversight of third-party relationships involving critical activities.” The bulletin rescinded OCC Bulletin 2001-47 (from 2001) and OCC Advisory Letter 2000-9 (from 2000) on third-party relationships risk management principles and third-party risk. Per the bulletin, banks had to properly document and report on their TPRM process and specific arrangements throughout their life cycle.

In the EU, DORA (the Digital Operational Resilience Act) consolidates and streamlines the ICT-related third-party risk management duties of the EU’s financial industries and the various providers of digital and ICT services to these sectors.