What is third party risk management (TPRM)?

Third parties are important to business success but can introduce risk in various ways.

Working with a third party can introduce risk to your business.  If they have access to sensitive data they could be a security risk, if they provide an essential component or service for your business they could introduce operational risk, and so on. Third party risk management enables organisations to monitor and assess the risk posed by third parties to identify where it exceeds the threshold set by the business. This allows organisations to make risk-informed decisions and reduce the risk posed by vendors to an acceptable level.

Third parties are an important key to the success of a business. Organisations of all sizes are becoming more and more reliant on third parties for their innovation, growth, and digital transformation.

But, a strong reliance on third parties can be risky. The risk posture of a third party is crucial to the risk posture, resilience and reputation of a company using a third party. It can be very costly and difficult to deal with a third-party incident, with consequences including regulatory actions, damage to reputation and a loss of revenue. Third parties need to be carefully vetted with ongoing risk assessments to ensure that an organisation is protected and secure.

Prior to now, vendor risk management has been time-consuming and error-prone, consisting of manual processes using emails, spreadsheets, and siloed vendor risk management tools. These processes and tools are simply inadequate — neither the tools nor the teams can keep up with the growing number of third parties. Common challenges faced by enterprises who haven’t implemented modern or comprehensive solutions include:

  • Manual Processes: Low efficiency with monitoring third parties and a longer amount of time to find and mitigate issues.
  • Lack of scalability: Teams cannot keep pace with third-party management when they are using a tool that will not scale, which can increase risk.
  • Siloes: Too many siloes can create difficulty accessing risk information across the organisation.
  • Disconnected: No enterprise context makes it difficult to prioritise third-party risks through the vendor lifecycle or when requirements change.

Below are some important considerations that need to be taken into account when choosing a third party. The answers will determine the level of risk they pose to the business:

  • What type of data is being accessed? What type of access has been granted?
  • Do they work with 4th parties that could pose delivery challenges?
  • Are they in an unstable part of the world?
  • Are they providing a critical product or service?  If so, do we need to have an alternate vendor in place?
  • What is their security history, what best practices do they have in place and execute on? (basic hygiene, patching SLAs, history of breaches etc.)
  • Do they have business continuity plans in place?
  • Are they in compliance with the regulations your organisation has identified?
  • What is their financial situation?

Strategic risk

Strategy can be threatened when third parties and organisations aren’t aligned on decisions and objectives. It is crucial to monitor third parties to make sure that strategic risk doesn’t lead to a lack of compliance or eventual financial risk.

Graphic showing the different types of third-party risk.

Reputation risk

The reputation of a company can also hinge on the reputation of a third party with whom they do business. If a third party has an issue with reputation or a data breach, it can lower customer trust in a business that works with the third party.

Operational risk

Operations can sometimes hinge on third party applications and services, and there is always a risk that the third party can fall victim to a cyber attack or a lapse in service that can lead to operational interruptions, a loss of data or a privacy violation. If there are fourth parties involved the same concerns apply to them.

Transaction risk

There can be issues with a product or service delivery from a third party, which can cause transactional issues within an organisation.

Compliance risk

Standards are slowly beginning to incorporate third party risk as a requirement for compliance, so risk tolerance for compliance should be extended to third-parties as well.

Information security risk

Regardless of whatever form data may take, there is a degree of risk that arises from allowing a third party to interact with data, including risk from unauthorised access, disruption, modification, recording, inspection or destruction of information.

Financial risk

It is important to work with financially viable third parties to avoid disruptions to the supply chain.  Additionally, third parties who are in financial trouble may not be as focused on security measures, leaving themselves open to unnecessary risk.

There are a few essential steps for third-party risk management:


When considering working with a third party it’s important to do an initial risk assessment as part of the decision making process - prior to formally bringing a third party onboard. You can use external data to get a broader picture of the third-party risk using, for example, cybersecurity ratings to gauge their security posture.  This reduces the chance of unknowingly inheriting undesirable risk.


Either as part of the initial risk assessment, ideally performed prior to onboarding, or as soon as the third party has been brought onboard there should be a tiering assessment performed.  This assessment is performed internally and results in the third party being placed in a tier that dictates the type and frequency of assessments the third party will receive. Tier 1 or critical vendors are the highest tier.  Some vendors may be at a tier that does not require regular assessments (for example the third parties that cut the grass). External data from, for example, security ratings providers could be used to adjust the tier level if necessary.


Third parties in the upper tiers should have regular risk assessments performed.  These should be based on the area of risk posed by the third-party. For example vendors who manufacture a component may have questions around employee health and safety, while consulting firms may not.  But all third parties would have questions regarding their security posture and financial viability. The frequency of these assessments would be based on the tier, with the highest tier having the most frequent assessments.

Generate findings

When an assessment is returned there may be responses that are unsatisfactory or incomplete. Additionally any objective external data collected around the third parties financial or security posture should be evaluated at this time for any issues. Issues, or findings, can then be reverted back to the third party to respond.

Remediate issues

There may be a period where an assessment goes back and forth, tasks are generated, issues are responded to and evidence is provided if necessary.  All communication should be captured for future reference. In the end, there may be some risks that are accepted.

Report risk

After identifying, analysing and remediating the risk, report on it to the necessary parties. All stakeholders should be able to get the level of visibility they desire.


As previously mentioned, third parties should be continuously assessed, which ideally means monitoring for any changes in risk or performance.  This can be done through more frequent assessments or external data feeds such as continuously updated cyber security ratings.  Changes should automatically trigger an issue, assessment and/or tier change. It is crucial to continuously monitor to ensure that all third parties are fulfilling their obligations and do not pose an undesirable risk to the organisation.


All organisations should have a formal process to retire third parties and ensure all information that should not be stored is permanently deleted.

  • Total visibility into all third-party relationships
  • A formal, pre-contract assessment and due diligence
  • Use of standardised, risk-mitigating terms
  • Risk-based monitoring and oversight
  • Formal offboarding at the end of the relationship

  • Digitise and integrate all aspects of the vendor management lifecycle. Assessing risk should be part of the early stages.
  • Consolidate vendor information and collaborate with third parties while maintaining an audit trail of all collaborations.
  • Gain and maintain an understanding and visibility of third-party risk and performance, including subsidiaries (or fourth parties).
  • Develop a granular assessment of where risk originates.
  • Create risk scores to compare, prioritise and communicate risk.
  • Use machine learning and automation systems to accomplish more while reducing costs.
  • Create a resiliency plan and embed a plan into each aspect of the vendor management system.
  • Integrate with other applications (such as data feeds for cybersecurity rates) and third-party systems.

  • Improved customer experience
  • Improved overall security posture
  • Better operational efficiency
  • Improved customer acquisition and retention
  • Improved customer trust
  • Improved revenue, projections and profitability
  • Consistent third-party performance that matches expectations
  • Improved ability to execute an organisation’s objectives, both strategic business and project-level objectives
  • Minimise business disruption
  • More quickly recover from disruptions

Get started with ServiceNow Governance, Risk, and Compliance

Manage risk and resilience in real time with ServiceNow.

Loading spinner