Third-Party Risk Management 101: Guiding Principles

Richard Marcus

Do your third-party risk management policies and processes provide adequate protection against third-party risk? In 2022, many organizations are re-emphasizing the importance of effective third-party risk management (TPRM) due to third-party security breaches that have recently dominated the headlines. As evidenced by recent examples — think SolarWinds, Kaseya, Accellion, Microsoft, and Volkswagen — the data and information security, regulatory, compliance, financial, and brand/reputational risks are increasingly clear.

Despite this, most organizations are still struggling to get TPRM right. A 2021 survey of 1,170 respondents in 30 countries by Deloitte found that more than half (51%) faced one or more third-party risk incidents while responding to COVID-19. A 2021 AuditBoard survey of 800+ risk and compliance professionals across North America found nearly 37% of respondents rated their TPRM maturity as either nonexistent or simply reactive.

Fittingly, there is no better time than now to strengthen your third-party risk management practices. One helpful resource for doing so is Effective Third-Party Risk Management: Key Tactics and Success Factors, a new guide that explores key third-party risk management principles, as well as practical tips for building a successful TPRM program. Read on below for an overview that introduces the fundamentals of third-party risk management, then download your free copy of our full guide.


Third-Party Risk Management Guiding Principles

TPRM programs are designed to provide discipline, structure, and oversight to guide the plans, policies, and processes by which your organization:

  • Identifies and categorizes the third parties you engage. 
  • Understands and prioritizes the risks presented by third parties. 
  • Establishes and enforces key controls for mitigating those risks. 
  • Performs monitoring that tracks and regularly reassesses third-party relationships and risk exposures.  
  • Responds to real-time issues, and communicates TPRM awareness and accountability throughout the organization. 

Common TPRM Program Components

TPRM programs vary based on the size, scope, resource and budget constraints, regulatory requirements, and risk profiles of the organizations for which they’re built. One size does not fit all — but all programs share certain components.

Typically, TPRM programs:

  • Are cyclical. As new third parties enter the equation and existing relationships evolve over time, you should periodically revisit risk categorization, assessment, issue management, reporting, and continuous monitoring.
  • Occur against the backdrop of your organization’s enterprise and cyber risk assessment(s). As your risk profile, exposures, and prioritization evolve, so must your TPRM program. 
  • Are best built around a culture of accountability. TPRM responsibilities are often distributed across a range of functions and business units. Set the tone that everyone has an important role to play in managing the risks presented by the third parties they engage with.

Common TPRM Gaps and Obstacles 

Despite these common guiding principles, all organizations face challenges in establishing effective TPRM programs. A 2021 AuditBoard survey of 800+ risk and compliance professionals across North America found the most commonly cited challenges, in descending order, were: 

  1. Resource constraints for assessments (e.g., time, budget, staffing).
  2. Lack of visibility into new third-party relationships.
  3. Nonexistent or poorly communicated vendor risk management plan/policies.
  4. Poor understanding of enterprise risks.


Whatever your biggest challenges, improving your understanding of key third-party risk management tactics and success factors can help you close gaps and overcome obstacles. For practical tips on building an effective third-party risk management program, download the full guide here.


Richard Marcus

Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
