Search Results
- FFIEC Cloud Computing Statement
From the Federal Financial Institutions Examination Council (FFIEC)
- TPRM 101: Reporting on Residual Risk
This video covers Reporting on Residual Risk, the 7th section of Pre-Contract Due Diligence, which is the second phase of the TPRM Lifecycle. Explore how to effectively report and communicate residual risks to decision-makers as the final step in Pre-Contract Due Diligence.
- Fiscal Year 2025 Bank Supervision Operating Plan
From the Office of the Comptroller of the Currency | Committee on Bank Supervision
- Third Party Risk Management Framework
TPRA recently released their Third Party Risk Management (TPRM) 101 Guidebook, a document that details the TPRM framework that all mature programs should have in place. It walks readers through all phases of the TPRM lifecycle and provides them with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM practitioners, subject matter experts, and TPRM service provider organizations (i.e., the Third Party Risk Management Community). This Guidebook is the first of its kind, with close to 150 pages of in-depth details on the TPRM Program Lifecycle, with each section breaking down one of the six lifecycle phases. It is complete with definitions, notes, examples, charts, diagrams, relevant resources, and best practices, all designed with the goal of ensuring successful implementation and/or enhancement of your current TPRM program.

The TPRM lifecycle outlined within the guidebook includes six phases:

  - Planning and Oversight - Provides an organization with the foundation to build upon and properly support their overall program.
  - Pre-Contract Due Diligence - Ensures the organization performs due diligence, commensurate with the level of inherent risk, to determine whether it should proceed with a specific third party relationship, prior to signing a contract. This phase assists with determining if a third party meets business needs in relation to the risk presented.
  - Contract Review - Ensures the organization documents relationship expectations in an agreement that can be upheld in a court of law. It also ensures risks noted within the due diligence process can be addressed within contractual clauses.
  - Continuous Monitoring - Requires the organization to assess third party risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.
  - Disengagement - Ensures the organization is able to transition away from a third party with minimal impact should the relationship end due to contract expiration or when adverse/unplanned conditions are met.
  - Continuous Improvement - Is an ongoing activity which seeks to enhance the organization's TPRM program as third party risk management guidance, trends, and techniques are realized.

The guidebook is currently available to TPRA members only. TPRA Members are able to get their FREE copy by clicking the link below. As this is the first edition draft of the Guidebook, TPRA members can also submit relevant comments, suggested edits, proposed additions, and/or critiques for the Guidebook, using the link below. The comment period will run through Friday, October 13th. Once comments are reviewed and edits are made, the guidebook will be available for free to the entire TPRM community. The guidebook will also be the foundation for TPRA's next certification, the Third Party Risk Management Practitioner (TPRMP). This certification will be available for pre-order in Fall 2023 and launch in early 2024.

To provide readers with a taste of what is included in the Guidebook, see below a small excerpt from the "Contract Review" section.

"It is important for TPRM practitioners to have a seat at the table (or be involved) when REVIEWING CONTRACTS. Third party contracts typically involve clauses related to cybersecurity, data protection, regulatory compliance, and other risk areas that are critical to protecting the organization. By having a seat at the table, practitioners can provide valuable insight and guidance as subject matter experts on these topics. TPRM practitioners are responsible for proactively identifying and mitigating risks associated with their organization's third parties. Therefore, by reviewing contract clauses, practitioners can identify potential risks in cybersecurity-related contract clauses before they impact the organization, as well as work towards mitigating identified risks.

TPRM Practitioners should work closely with their Legal and Procurement teams to ensure contracts align closely with their organization's risk management strategy. Templates for cybersecurity requirements should be drafted to ensure they provide sufficient coverage of key controls, define expectations for participating in compliance monitoring activities (i.e., due diligence assessments) and for providing evidence items upon request, and detail appropriate remedies in the event that the third party fails to meet its obligations under the agreement. See the "CR 2 – Contract Clauses & Template Agreements" subsection for a detailed list of specific contract clauses you may want to include within your contracts, specifically for third parties with inherently high risks.

TPRM Practitioners may also want to review redlines within specific clauses that relate to cybersecurity terms, as well as terms that would allow a practitioner to perform his/her duties (such as a "Right to Audit or Review" and/or "Termination" clause). This will ensure any changes made to these clauses remain in line with the organization's risk appetite and control expectations. Practitioners can also ensure any high-risk findings noted during the due diligence process are noted within contractual terms. TPRM practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

It is important to perform due diligence activities before a contract is signed. In doing so, companies can identify potential risks related to the third party's financial stability, legal and regulatory compliance, reputation, cybersecurity intelligence, and other relevant factors. This can help companies make informed decisions about whether to enter into a contract with the third party and what contractual terms and conditions should be included to mitigate risks.

Contracts should be reviewed on a regular cadence to confirm they remain in line with your organization's risk appetite, as well as reflect any emerging risks that have been identified. If changes need to be made to bring contracts in line with current standards, then an amendment should be considered. Contract changes could also be made during the renewal process. It is important to have a clear and comprehensive contract in place at the beginning of the relationship to avoid misunderstandings and disputes later on. However, if changes need to be made to the contract, they should be made in a timely and transparent manner. The contract should include provisions for how changes will be made and how they will be communicated to all parties involved. The parties should negotiate the changes in good faith and reach an agreement that is fair and reasonable to all parties.

BEST PRACTICE: TPRM practitioners should assist with the creation and review of contract clauses that relate to cybersecurity terms, as well as terms that will allow a practitioner to perform his/her duties, to ensure that the organization is protected from cybersecurity and other risks associated with third parties."

TPRA also recently created a video on the Contract Review process. Click the link below to view the video and subscribe to Third Party Risk Association's YouTube channel.
- TPRM 101: Risk Escalation and/or Acceptance
Today's episode of TPRM 101 will cover Risk Escalation and/or Acceptance, the 6th section of the Pre-Contract Due Diligence phase in the TPRM lifecycle. This episode explains how to handle risks that cannot be remediated—through escalation, exception handling, or formal acceptance.
- TPRM 101: Risk Remediation
Today's video will cover Risk Remediation, the fifth section of the Pre-Contract Due Diligence phase. It highlights the importance of documenting and mitigating risks discovered during third-party assessments, ensuring compliance with regulatory requirements, and maintaining good governance practices. The video also provides detailed strategies for documenting risks, creating mitigation plans, and ensuring effective communication and validation with third-party partners. Understand how to document, mitigate, and manage risks identified during vendor assessments—before finalizing agreements.
- TPRM 101: Risk Identification
This video will focus on Risk Identification, the fourth section of the Pre-Contract Due Diligence phase of the TPRM lifecycle. Learn how to uncover and categorize risks in a potential third-party relationship as part of the Pre-Contract Due Diligence phase.
- How Third-Party Risk Management Helps Combat Vendor AI Risk: Mitigating New Risks With Established Processes
Artificial intelligence (AI) is everywhere, and it's transforming the way we live and work. It's rapidly revolutionizing industries with its potential to solve complex problems, enhance decision-making, and improve efficiency. As such, the integration of AI into many products and services offered by third-party vendors to organizations is also becoming more widespread, often without the organization's awareness.

Understanding the Risks of Third-Party AI

AI is an impressive technology, but it also comes with significant risks, especially when it's integrated into vendor products or services. Let's examine two of the most common risks of third-party AI usage:

  - Data security and privacy – AI systems need a significant amount of data to function efficiently. Therefore, it's essential to protect the data from theft and misuse. AI systems may access different types of data such as:
    - Customer/consumer information and personally identifiable information (PII): This includes addresses, driver's licenses, passports, family members, financial or health information, social media or web use data, shopping behaviors, and more.
    - Sensitive company data: This includes employee records, financial information, customer data, legal and compliance information, supply chain inventory, logistics, forecasting, and all types of intellectual property.
  - Compliance and legal – It's vital to understand there are significant legal and compliance concerns related to the use of data and other assets when they're accessed and processed with AI. The use of AI in data processing may be subject to numerous laws and regulations, including:
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Children's Online Privacy Protection Act (COPPA)
    - Gramm-Leach-Bliley Act (GLBA)
    - Electronic Communications Privacy Act (ECPA)
    - California Consumer Privacy Act (CCPA)
    - Numerous state privacy laws
    Additionally, there's a risk of violating permissible use requirements that prevent out-of-context, unrelated, or unfair use of data.

While these are two significant risks associated with AI, they're not the only ones. Ethical risks, including bias and fairness, require attention, as do algorithm transparency, financial risk, and intellectual property risks. As AI technology becomes more widespread, the risks associated with it are also expanding.

Identifying AI Risk in Your Third-Party Vendor Portfolio

You likely have third parties who are currently using AI in their products and services. If you haven't done so already, it's important to identify these third-party vendors and assess the specific AI risks they pose to your organization and customers. It's crucial to update your third-party risk management (TPRM) framework and tools to include AI risks. However, many TPRM programs haven't incorporated AI risks, and it's important to address this issue now. A practical, two-pronged approach can ensure you're identifying existing third-party AI risks and building the infrastructure to properly assess and mitigate them:

  - Getting started – Develop a short questionnaire to help identify the products and services utilizing AI. Here are three suggested questions that can provide a wealth of information:
    - Has AI technology been used in the research, development, or production of any of your products or services? It's worth noting that different types of AI carry different levels of risk. For instance, a vendor might use image recognition for research purposes, generative AI to create a system that interacts with customers directly, such as a chatbot, or machine learning to identify fraud across a series of transactions.
    - Are there any plans to incorporate AI in your products, services, or operations? It's crucial to consider that your third-party vendor's adoption of AI can significantly impact your organization, even if they aren't using it today.
    - Do you have any policies on employee use of AI? Inquire whether your third-party vendor has any limitations or prohibitions regarding workers' usage of AI for work-related assignments. With the increasing popularity of generative AI systems such as ChatGPT, it's essential to understand how your vendor is supervising the utilization of such technologies among their employees, especially if the AI-based service uses the data input to train its model.
    Begin with your critical and high-risk vendors and work your way down the list. This simple approach can help you determine where additional due diligence and risk reviews are needed.
  - Updating your TPRM framework – It's not enough to identify third-party vendors with AI; you'll also need proper tools and processes to ensure they have adequate AI risk management practices and controls, and that risks are well-managed and monitored throughout the contract. This means incorporating AI risk across your entire TPRM framework. Here are key areas to review and update:
    - Incorporate AI-related questions in the inherent risk assessment
    - Update vendor questionnaires to include AI-related questions
    - Identify the types of due diligence documentation you'll request as evidence of AI controls
    - Review and update standard contract language to address AI risks
    - Consider how AI will be factored into third-party performance monitoring and management
    - Consider how AI will be factored into third-party risk monitoring
    - Update governance documentation
    - Evaluate stakeholder education and collaboration

Note: Don't overlook this important consideration! It's crucial to update your TPRM processes and tools with a sense of urgency. However, it should be noted that AI isn't yet as well understood as other established risk domains. Even experienced TPRM professionals may face unique challenges when dealing with AI, which could lead to delays, rework or, in the worst case, ineffective risk identification, assessment, and management. To help prevent these AI challenges and issues, your organization should find and work with a qualified AI subject matter expert who can guide you through the process of updating the TPRM framework. This expert can help determine the right questions to ask on a vendor risk questionnaire, identify the appropriate due diligence documents, and provide ongoing support for vendor risk reviews. If you don't have access to this expertise within your organization, you may need to engage external resources or consultants.

By taking this simple approach, your organization can begin to identify vendor AI usage within your organization and start taking steps to mitigate the risks. This will leave your organization in a safer, more prepared position.