This post provides an overview of Third-Party Risk Management (TPRM) processes
I. TPRM Fundamentals
TPRM is crucial for ensuring that the use of outsourced providers and suppliers does not create unacceptable potential for business disruption or negative impacts on business performance.
The scope of TPRM includes:
- A process to create and assess third-parties to understand the risk they pose to the organisation.
- Automation to reduce manual burden and cost.
A TPRM framework address:
- Governance
- Roles and responsibilities
- Process
- Technology
II. TPRM Workflow
The TPRM OOTB workflow generally includes these states:
- Request Due Diligence
- Internal Risk Assessment
- Element Collection (if needed)
- Due Diligence
- Pending Manager Approval
- Contract Risk Approval
- Closed
A. Request Due Diligence
- Any internal user can initiate a request for due diligence.
- The user provides essential information about the third-party and the engagement.
- The TPR manager reviews the request and can approve or reject it.
B. Internal Risk Assessment
- This step involves determining the third party's risk score by completing an Inherent Risk Questionnaire (IRQ).
- A designated internal contact responds to the IRQ.
- Based on IRQ responses, an overall risk rating is auto-generated.
- TPR Managers can close the IRQ once satisfied with the results and risk rating.
C. Due Diligence
- This step involves collecting information and evidence from the third party to determine the associated risk, typically through external assessments.
- Questionnaires and document requests are sent to third-party contacts.
- The third-party risk assessment can be managed by working with contacts to ensure responses are complete and accurate.
- The TPR manager communicates with third-party/engagement contacts to achieve closure on issues and tasks.
- The TPR manager validates that questionnaires are complete and closes the assessment phase to start the approval process.
III. Key Roles in TPRM
- Internal Roles:
- Third-Party Reader: Read access to third-party contact records.
- Third-Party Editor: Create/update/delete third-party contact records.
- Third-Party Assessment Reviewer: View assessment and questionnaire data.
- TPR Assessor: Includes all permissions of the third-party assessment reviewer role plus manage third parties, engagements, assessments, and issues.
- Due Diligence Approver: Includes all permissions of the Third-party assessment reviewer role plus approve IRQs.
- Third-Party Contract Negotiator: Includes all permissions of the TPR assessor role plus modify contract status and start/expiration dates.
- TPR Manager: Includes all permissions of the TPR assessor role plus manage assessment templates, scheduled assessments, property settings, and scoring rules.
- Third-Party Risk Admin: Includes all permissions of the TPR manager role plus create/edit questionnaire and document request templates.
- External Roles:
- Third-Party Contact: Responds to external questionnaires/tasks/issues for a third party.
- Engagement Contact: Responds to questionnaires/tasks/issues for an engagement.
IV. TPRM Components
- Third Parties: Any company or individual that an organization has entered a business relationship with or has interactions with.
- Third-Party Engagements: A product, service, or reason for interactions with the third party.
- Third-Party Hierarchy: Parent-child relationships between third parties (e.g., subsidiaries).
- Third-Party Elements: External organisations that an engagement relies on to provide goods, services, or support.
V. TPRM Technology
- Third-Party Portal: A web interface for third-parties and risk assessors to interact, with a centralised workflow.
- Vendor Management Workspace: Provides an overview of third-party risk and related activities.
- Approval Configurator: Enables configuration of approvals based on defined conditions.
VI TPRM Data Model: Refer ServiceNow Documentation here
