TPRA recently released their Third Party Risk Management (TPRM) 101 Guidebook, a document that details the TPRM framework that all mature programs should have in place. It walks readers through all phases of the TPRM lifecycle and provides them with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM practitioners, subject matter experts, and TPRM service provider organizations (i.e., the Third Party Risk Management Community).
This Guidebook is the first of its kind, with close to 150 pages of in-depth details on the TPRM Program Lifecycle, with each section breaking down one of the six lifecycle phases. It is complete with definitions, notes, examples, charts, diagrams, relevant resources, and best practices, all designed to ensure successful implementation or enhancement of your current TPRM program.
The TPRM lifecycle outlined within the guidebook includes six phases:
Planning and Oversight - Provides an organization with the foundation to build upon and properly support their overall program.
Pre-Contract Due Diligence - Ensures the organization performs due diligence, commensurate with the level of inherent risk and prior to signing a contract, to determine whether it should proceed with a specific third party relationship. This phase assists with determining if a third party meets business needs in relation to the risk presented.
Contract Review - Ensures the organization documents relationship expectations in an agreement that can be upheld in a court of law. It also ensures risks noted within the due diligence process can be addressed within contractual clauses.
Continuous Monitoring - Requires the organization to assess third party risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.
Disengagement - Ensures the organization is able to transition away from a third party with minimal impact should the relationship end due to contract expiration or when adverse/unplanned conditions are met.
Continuous Improvement - Is an ongoing activity that seeks to enhance the organization's TPRM program as new third party risk management guidance, trends, and techniques emerge.
The guidebook is currently available to TPRA members only. TPRA Members are able to get their FREE copy by clicking the link below. As this is the first edition draft of the Guidebook, TPRA members can also submit relevant comments, suggested edits, proposed additions, and/or critiques for the Guidebook, using the link below. The comment period will run through Friday, October 13th. Once comments are reviewed and edits are made, the guidebook will be available for free to the entire TPRM community.
The guidebook will also be the foundation for TPRA's next certification, the Third Party Risk Management Practitioner (TPRMP). This certification will be available for pre-order Fall of 2023 and launch in early 2024.
To provide readers with a taste of what is included in the Guidebook, see below a small excerpt from the "Contract Review" section.
"It is important for TPRM practitioners to have a seat at the table (or be involved) when REVIEWING CONTRACTS. Third party contracts typically involve clauses related to cybersecurity, data protection, regulatory compliance, and other risk areas that are critical to protecting the organization. By having a seat at the table, practitioners can provide valuable insight and guidance as subject matter experts on these topics. TPRM practitioners are responsible for proactively identifying and mitigating risks associated with their organization's third parties. Therefore, by reviewing contract clauses, practitioners can identify potential risks in cybersecurity-related contract clauses before they impact the organization, as well as work towards mitigating identified risks.
TPRM Practitioners should work closely with their Legal and Procurement teams to ensure contracts align closely with their organization's risk management strategy. Templates for cybersecurity requirements should be drafted to ensure they provide sufficient coverage of key controls, define expectations for participating in compliance monitoring activities (i.e., due diligence assessments) and for providing evidence items upon request, and detail appropriate remedies in the event that the third party fails to meet its obligations under the agreement. See the "CR 2 – Contract Clauses & Template Agreements" subsection for a detailed list of specific contract clauses you may want to include within your contracts, specifically for third parties with inherently high risks.
TPRM Practitioners may also want to review redlines within specific clauses that relate to cybersecurity terms, as well as terms that would allow a practitioner to perform his/her duties (such as a “Right to Audit or Review” and/or “Termination” clause). This will ensure any changes made to these clauses remain in line with the organization’s risk appetite and control expectations. Practitioners can also ensure any high-risk findings noted during the due diligence process are noted within contractual terms. TPRM practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.
It is important to perform due diligence activities before a contract is signed. In doing so, companies can identify potential risks related to the third party’s financial stability, legal and regulatory compliance, reputation, cybersecurity intelligence, and other relevant factors. This can help companies make informed decisions about whether to enter into a contract with the third party and what contractual terms and conditions should be included to mitigate risks.
Contracts should be reviewed on a regular cadence to confirm they remain in line with your organization’s risk appetite, as well as reflect any emerging risks that have been identified. If changes need to be made to bring contracts in line with current standards, then an amendment should be considered. Contract changes could also be made during the renewal process. It is important to have a clear and comprehensive contract in place at the beginning of the relationship to avoid misunderstandings and disputes later on. However, if changes need to be made to the contract, they should be made in a timely and transparent manner. The contract should include provisions for how changes will be made and how they will be communicated to all parties involved. The parties should negotiate the changes in good faith and reach an agreement that is fair and reasonable to all parties.
BEST PRACTICE: TPRM practitioners should assist with the creation and review of contract clauses that relate to cybersecurity terms, as well as terms that will allow a practitioner to perform his/her duties, to ensure that the organization is protected from cybersecurity and other risks associated with third parties."
TPRA also recently created a video on the Contract Review process. Click the link below to view the video and subscribe to Third Party Risk Association's YouTube channel.