- Nth party risk: What it is and how to address it
Third party risk management (TPRM) is a comprehensive process that involves identifying, assessing, managing, and continuously monitoring the risks faced by your organization and its customers due to business relationships with external vendors, suppliers, and service providers. In the past few years, TPRM has evolved beyond just managing direct relationships with your third parties; it now also includes identifying, assessing, and mitigating risks related to fourth-party or Nth-party relationships—essentially, the vendors of your vendors and beyond. This layered approach is crucial, as risks within the supply or service chain can propagate through your third parties, potentially impacting your organization unexpectedly. Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial concerns, and reputational risks.

To illustrate what fourth and nth party relationships are, imagine your organization is utilizing a third party customer service call center that experiences an outage with its call management software provider (your fourth party). Even though you do not have a contract with the vendor providing the call management software, this outage can still lead to operational disruptions for your organization, resulting in service delays and dissatisfied customers. Consider another scenario where that same software provider suffers a data breach at its contracted data center (your Nth party), ultimately impacting your customers' data. In both situations, the issues do not originate directly from your third party, but rather from their vendors (and the vendors of those vendors) who are engaged to deliver products and services to your organization.

Just thinking about fourth and nth-party risks can be overwhelming, especially as the risk landscape seems to grow with each additional layer of a relationship. And many regulatory requirements now include effectively identifying and managing these risks. However, there is no need to panic. There are effective strategies you can implement to address them, even with limited resources.

How To Manage Fourth- and Nth-Party Risks

It's essential to recognize that managing all fourth-party and nth-party risks is neither feasible nor practical. Your organization has limited time and resources, and you do not have direct contracts with these fourth and nth parties, so they are not legally obligated to you. Furthermore, your visibility into their operations may be limited, making oversight difficult. A strategic approach is essential, so defining what "managing" these risks entails and how it is implemented in practice is important. For many organizations, this means identifying where fourth-party and nth-party risks exist and ensuring that the third party manages those extended relationships effectively. Consequently, having strong third party risk management practices at your organization is crucial for success. This includes conducting thorough risk assessments, assigning risk ratings, identifying critical vendors, performing due diligence, establishing contracts, and implementing continuous monitoring. These processes are vital for effectively identifying and managing fourth-party and nth-party risks.

Take a stepwise approach and start with your own critical third party vendors and service providers. Critical third parties are those relationships that can seriously impact your operations if there is a business interruption, those that access, process, transmit, or store Personally Identifiable Information (PII) or confidential data, and any vendor or service provider that interacts with your customers. Targeting your critical third parties first can help you narrow your scope and concentrate on where the most significant risks are.

Build your 4th and nth party inventory

Once you have your list of critical third parties, you'll need to understand which of their vendors and service providers are essential for delivering products and services to you, or which could cause regulatory issues or customer dissatisfaction. Here are some tips for accomplishing that task.

Ask your third parties to list their critical vendor and service provider relationships. This should be a requirement in your critical third party contracts, but if it isn't, schedule a meeting to discuss your objectives and criteria so they can report back to you. Ensure they provide the organization's name, location, and product or service. It's also important to ask if they have additional relationships through their vendors (your nth parties) that can impact your organization or its customers.

Check your critical vendors' SSAE 18 (SOC) reports to find relevant fourth-party vendors. Look in the "Subservice Organizations" section for this information. These vendors provide the controls needed to meet your third party's system requirements or commitments to you.

After you have identified these fourth and nth party relationships, keeping the inventory current and organized is essential. Remember to look for fourth and nth parties servicing more than one of your third parties. For example, if all your cloud, data, and analytics providers are using AWS, you may need to consider and address that additional nth-party concentration risk.

Review Your Vendor's TPRM Policy And Practices

You must rely on third parties to effectively manage their vendor and service provider relationships. A key aspect of successfully addressing third party risk is understanding how your vendors and service providers are managing their third party risks. Never assume that they have it under control. You must see evidence that their TPRM practices meet your requirements. Always review the following:

Policy: Review their internal third party or vendor risk management policy. Is it comprehensive? Does it clearly outline roles and responsibilities? Who is ultimately accountable for TPRM? Does the policy address each part of the TPRM lifecycle?

Risk assessments: Request their inherent risk assessments, risk ratings (including the methodology for rating), how they define critical risks, and the frequency of risk assessments conducted.

Due diligence: Request real examples of due diligence conducted on critical third parties and review the vendor risk control assessments provided by qualified subject matter experts.

Contracts: Understand if minimum contract terms and conditions are utilized to reduce or mitigate risks. Ensure that there are legally binding contracts that are managed appropriately for critical 4th and nth parties.

Ongoing monitoring: Ask about their requirements for ongoing monitoring. Confirm if they are performing both risk and performance monitoring for their vendors. Ask for proof of monitoring and see if there have been any incidents or performance failures.

Issue management: Inquire about the processes for managing issues, which include reporting, remediation, and escalation related to TPRM.

When you understand how your third parties manage vendor relationships and can see proof of effective and timely processes, you will be able to address nth-party risk more confidently.

Update your contracts

It is essential to recognize that your organization relies heavily on third parties to identify and manage risks associated with fourth and nth parties. If your current third party contracts do not require the disclosure of critical nth parties or do not include provisions for managing third party risks, it may be time to amend those contracts. If immediate changes aren't feasible, it's crucial to document the necessary improvements so your organization can effectively negotiate them before renewing the contracts.

Monitor nth party risk

Like other risks, you need to stay aware of third-party and fourth-party risks that could impact your organization or its customers. You should require your third party vendors to provide monitoring information about their vendors and service providers, and review this information regularly, especially if any issues have arisen. Ensuring that you receive proof of remediation for these issues is essential. Additionally, consider utilizing risk intelligence services to monitor critical or high-risk fourth and nth parties.

In conclusion, although addressing fourth and nth-party risks may seem complex, they become more manageable with a strategic approach. By focusing on your critical third parties, building an inventory of their essential vendors, and requiring them to uphold robust TPRM practices, you create a solid framework for proactively identifying and mitigating risks. Committing to continuous monitoring and maintaining open communication with your third parties will enable you to identify and address the risks in your service or supply chains more effectively.
- Staying Ahead of the Curve: Proactively Managing TPRM Regulatory Compliance
Compliance doesn’t wait—and neither should you. Regulators aren’t sitting idle, and neither are the risks buried in your third-party ecosystem. As more organizations outsource critical services, the scrutiny around how those relationships are managed has grown sharper, faster, and more complex. Vendor oversight is no longer a back-office function; it’s a frontline defense in your regulatory playbook. Whether it’s cybersecurity, consumer privacy, operational resilience, or responsible banking, compliance expectations now extend well beyond your own four walls. They travel with your data, systems, and customers straight into the hands of your vendors.

So, how do you keep pace without burning out your risk and compliance teams? By treating regulatory alignment as an active, continuous part of your third-party risk program, not a once-a-year fire drill. The good news? You can get ahead of the curve and stay there with the right approach. Here are five practical strategies to make that happen:

1. Know the Rules—And Where They Apply

You don’t need to memorize every regulatory acronym, but you do need a solid grasp of which ones affect your third-party relationships. That includes direct regulations like:

GLBA, if your vendors access customer financial data.
HIPAA, if they touch health records.
GDPR and CPRA, if you’re dealing with global or California-based personal data.

Plus, there is a growing patchwork of cybersecurity and operational risk standards like NIST, OCC, and FFIEC guidance. Start with a risk-regulatory mapping exercise. Connect the dots between your critical vendors, their services, and the applicable laws or guidance. Then build a compliance checklist for each category, so you're not scrambling the next time a regulator wants evidence.

2. Make Compliance Part of Your DNA, Not Just a Checkbox

You're likely missing something if your due diligence templates haven’t changed in the last 18 months. Regulatory expectations evolve, and your assessment process should too. That means asking smarter questions and requiring supporting evidence. A “yes” on a self-assessment doesn’t cut it anymore. Ask for:

Recent SOC reports, penetration tests, or certifications (ISO 27001, PCI-DSS).
Policy documents that reflect specific regulatory controls (like data retention or breach notification).
Contractual language showing compliance with laws like GDPR or HIPAA.

If a vendor claims they’re compliant, they should be able to show you how. And if they can’t? That’s a conversation worth having before an examiner starts asking the same question.

3. Monitor, Document, Repeat

Initial due diligence is only the starting point. Regulatory compliance should be present day-to-day, not just during onboarding. Set up a monitoring cadence that makes sense for the risk level: quarterly check-ins for your critical and high-risk vendors, and annual refreshes for the rest. Don’t wait for a contract renewal to find out if a vendor has changed sub-processors, moved data centers, or had a cyber event. Key actions to build into your process:

Trigger-based reviews (e.g., regulatory changes, vendor incidents, service scope shifts).
Control monitoring, especially for data privacy, cybersecurity, and financial controls.
Evidence logging: saving emails, reports, certifications, and attestations.

Document as you go, not in hindsight. Well-organized documentation is not only essential during audits but also demonstrates that your program has meaningful substance.

4. Use Frameworks—and Foundational Guidance—as Your North Star

You don’t need to start from scratch. Established frameworks and regulatory guidance provide the scaffolding your program needs to stay aligned, scalable, and defensible. Used well, they’re more than checklists—they’re strategic tools that guide smart decision-making and help you demonstrate maturity.

A strong foundation starts with the Interagency Guidance on Third-Party Relationships: Risk Management, issued by the OCC, FDIC, and Federal Reserve. This guidance outlines key lifecycle elements—planning, due diligence, contract structuring, ongoing monitoring, and termination—and serves as a gold standard for banks and any organization managing critical vendor relationships. Not a financial institution? The Third Party Risk Association provides the standard for Third Party Risk Management in its free, comprehensive TPRM 101 Guidebook, which walks you through all phases of the TPRM lifecycle in detail and provides practical tools, tips, and examples for its implementation.

Once that foundation is established, you can layer in frameworks tailored to your specific risk domains and industry. For example:

Financial Services: Use the FFIEC Cybersecurity Assessment Tool (CAT) to benchmark third-party cyber risk, and align your broader program with NIST 800-53 or the NIST Cybersecurity Framework (CSF) to strengthen control mapping and monitoring.

Healthcare: Look to the HIPAA Security and Privacy Rules when evaluating vendors handling protected health information (PHI). Ensure Business Associate Agreements (BAAs) are in place—these are legally required contracts that outline each party’s responsibilities when handling PHI and help ensure HIPAA compliance. Vendor controls should also align with HITECH Act provisions.

Insurance: Frameworks like NAIC Model Laws and Guidance on Third-Party Administrators (TPAs) help shape due diligence expectations, especially for claims processors, brokers, and customer data handlers.

Technology and Software Supply Chain: Adopt software-specific frameworks like SLSA (Supply-chain Levels for Software Artifacts) and the NIST Secure Software Development Framework (SSDF) to manage risks from open-source components, CI/CD pipelines, and outsourced developers.

Cross-Industry or Global Operations: To scale assessments across geographies and vendor types, use certifications like ISO 27001.

The goal here isn’t to follow all frameworks—it’s to select the ones that make sense for your organization, risk profile, regulatory exposure, and operational reality. By combining lifecycle-based regulatory guidance with targeted frameworks, you build a tailored and resilient TPRM program. This shows regulators, auditors, and your own leadership that you understand not just the “what” but the “why” behind your oversight approach. Proactive risk programs stand out by effectively anticipating potential challenges and implementing strategic measures to mitigate them before they escalate.

5. Make TPRM Everyone’s Business

Even the best-designed compliance framework will fall apart if no one uses it. Training and communication aren’t optional—they’re how you operationalize your program. Risk and compliance teams can’t do it alone. Your business stakeholders need to understand:

When a vendor relationship triggers regulatory requirements.
What documentation or approvals need to be collected.
How to recognize and escalate red flags.

Keep it simple, repeatable, and relevant. Offer live sessions, recorded refreshers, or just-in-time guidance during intake or onboarding. Compliance works best when built into the workflow, not bolted on as an afterthought.

Final Word: Stay Ready So You Don’t Have to Get Ready

Proactive regulatory compliance isn’t about predicting the future but building the muscle to adapt. When your program is designed to flex, monitor, and evolve, you’re not just reacting to audits or enforcement actions. You’re leading with confidence, clarity, and control. And that’s what true TPRM maturity looks like.
MEMBER EXCLUSIVE

To learn more on this topic, watch our June TPRM Webinar, “Staying Compliant: Proactively Addressing New Regulations.” This roundtable focused on proactive strategies to navigate the dynamic regulatory landscape impacting third-party risk management.

AUTHOR BIO

Hilary Jewhurst, Sr. Membership & Education Coordinator at TPRA

Hilary Jewhurst is a seasoned expert in third-party risk and risk operations, with nearly two decades of experience across financial services, fintech, and the nonprofit sector. She has built and scaled third-party risk programs from the ground up, designed enterprise-wide training initiatives, and developed widely respected content that helps organizations navigate regulatory complexity with clarity and confidence. Known for turning insight into action, Hilary’s thought leadership and educational work have become go-to resources for professionals looking to mature their TPRM programs. She regularly publishes articles, frameworks, and practical guides that break down complicated risk topics into meaningful, accessible strategies. Hilary recently joined the Third-Party Risk Association (TPRA) as a staff member, supporting industry-wide education, peer learning, and advancing best practices. She is also the founder of TPRM Success, a boutique consultancy that helps organizations strengthen their third-party risk management capabilities through targeted training, tools, and strategic guidance.
- 5 Tips for Proactively Managing TPRM Regulatory Compliance
If you're tired of scrambling for documentation, chasing down vendors for evidence, or rewriting the same compliance answers every exam cycle, this is for you. This one-page infographic is built with real TPRM pain points in mind: inconsistent monitoring, reactive audits, evolving regulations, and the pressure to prove your program’s worth with limited resources. It distills five actionable strategies into a visual format you can actually use—with your stakeholders, during training, or as a north star for revamping your vendor oversight. You’ll find guidance on mapping regulations, upgrading due diligence, monitoring with intention, and embedding compliance into your daily operations, not just during audit season. Because real TPRM maturity isn’t about checking boxes—it’s about building a program that works when things go wrong. This infographic helps you start there. Perfect for sharing with your team, your boss, or anyone who still thinks compliance is a once-a-year event.
- TPRM Controls: It’s Not Just About the Third Party
Introduction

In the modern business landscape, Third-Party Risk Management (TPRM) has become a focal point for organizations aiming to safeguard their operations. While much attention is given to assessing and managing the risks associated with third-party vendors using questionnaires, Boards of Directors are asking CISOs what the business is doing to protect the organization from third parties. Access management in Complementary User Entity Controls (CUECs) is a crucial internal control often overlooked by TPRM when performing assessments. Additional access protections are available through the organization’s implementation of a Zero Trust strategy and utilizing Artificial Intelligence (AI) and Machine Learning (ML) applications.

Access Management in Complementary User Entity Controls (CUECs)

CUECs represent the controls that service providers expect you (as the customer) to implement to complement their own control environment. In the context of third-party management, these controls are crucial for maintaining a secure and effective relationship. Critical access management CUECs that organizations often overlook when managing third parties include the following:

Access provisioning and deprovisioning controls: According to a Black Kite study, 54% of all third-party breaches were due to unauthorized network access. (1)

Monitoring of third-party activities: According to a Ponemon Institute study, only 34% of organizations effectively monitor third-party access to critical systems. (2) This creates significant blind spots in security posture.

Regular reassessment of third-party access needs: A Wiz Research study indicates that 82% of companies unknowingly provide third-party vendors with highly privileged roles. (3)

Validation of CUEC controls: Conventional CUEC validation, if performed, focuses only on control existence and design effectiveness but not control operation and operating effectiveness, creating a false sense of security.

Access Management in a Zero Trust Strategy

Zero Trust is fundamentally about “never trust, always verify” – a principle that can significantly enhance the protection of an organization's network and systems when granting third-party access. The implementation of Zero Trust requires a shift away from the traditional security models that rely on perimeter defenses and instead focuses on securing individual assets and data. Traditional models grant broad network access once a user is authenticated; however, Zero Trust gives only the minimum access needed for a task. (4) Zero Trust identity and access management controls are implemented using a risk-based approach and may include the following:

Multi-factor authentication (MFA): Third-party users are required to authenticate using at least two factors (something they know, have, or are). According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, MFA can stop 30% to 50% of account compromise attacks. (5)

Just-in-time (JIT) access: Third party users are provided temporary, time-limited access only when needed rather than persistent access. This minimizes the potential for attackers to exploit vulnerabilities and gain unauthorized access.

Privileged access management (PAM): Session recording and monitoring are implemented for all third-party privileged access. According to Gartner, organizations that implement PAM can reduce the risk of privileged credential abuse by 75%. (6)

Micro-segmentation: Third-party access is limited to only the specific network segments or applications required for their function. By isolating critical systems and sensitive data, detecting and responding to threats becomes easier.

Device posture assessment: The security posture of third-party devices is monitored before granting access. Third-party devices must meet minimum security requirements (patches, endpoint protection, etc.).

Leveraging Artificial Intelligence (AI) and Machine Learning (ML) in a Zero Trust Strategy

Organizations using AI-powered security tools have an 85% success rate at predicting cyberattacks. (7) Examples of AI and ML applications used in a Zero Trust strategy include the following:

Anomaly detection: AI and ML algorithms can be trained to detect unusual patterns or behaviors within the organization’s network. Deviations from normal activity may indicate potential security threats; for example, spikes in access requests from unfamiliar locations may trigger alerts for further investigation. (8)

Behavioral analysis: ML models can analyze user behavior and establish a baseline of normal activities for each user. Any deviations from these patterns can raise flags for potential insider threats or compromised accounts. (8)

Threat intelligence integration: By analyzing threat intelligence feeds alongside internal network data, organizations can make more informed decisions regarding access control and threat mitigation strategies. ML algorithms can prioritize and contextualize threat intelligence data, helping security teams focus on the most critical risks. (8)

Adaptive access controls: ML-driven access control mechanisms can dynamically adjust permissions based on real-time risk assessments. By continuously evaluating factors such as user behavior, device health, and network conditions, these systems can grant or revoke access privileges dynamically. (8)

Case Studies

Case Study 1: Implementing Complementary User Entity Controls in a Retail Environment

A leading retail company implemented Complementary User Entity Controls to enhance its third-party risk management. This involved establishing strict access controls and clear usage policies for third-party vendors accessing its systems. By doing so, the company improved its ability to detect and respond to unauthorized access attempts, significantly reducing the risk of data breaches. The implementation of these controls also led to better accountability and adherence to security protocols among third-party vendors.

Case Study 2: Adopting Zero Trust Controls in a Technology Firm

A technology firm adopted a Zero Trust strategy to manage third-party access to its network and critical systems. The approach required verification of every access request, regardless of the source, and continuous monitoring of user activities. By using multi-factor authentication and least-privilege access principles, the firm ensured that only authorized users could access sensitive data. This strategy not only prevented unauthorized access but also provided granular visibility into third-party activities, enabling proactive threat detection and response.

Conclusion

While third-party assessments remain a cornerstone of TPRM, it is essential to recognize and implement broader access controls that contribute to a more comprehensive risk management strategy. By validating both the design and operating effectiveness of critical access management CUECs and implementing Zero Trust access controls, organizations can enhance their resilience and better protect themselves against the myriad risks associated with third-party relationships. AI and ML applications can also play a crucial role in ensuring access controls remain robust and responsive to evolving threats. TPRM is not just about the third party; it is about creating a holistic approach to risk management that safeguards the organization from within and beyond.

References:

(1) Black Kite, “Third-Party Breach Report,” Vol. 5, 2024. [Online]. Available: https://blackkite.com/wp-content/uploads/2024/03/third-party-breach-report-2024.pdf
(2) Imprivata, “Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year,” February 13, 2025. [Online]. Available: https://www.imprivata.com/company/press/imprivata-study-finds-nearly-half-organizations-suffered-third-party-security
(3) Security Magazine, “82% of companies give third parties access to all cloud data,” January 26, 2021. [Online]. Available: https://www.securitymagazine.com/articles/94435-of-companies-give-third-parties-access-to-all-cloud-data
(4) Cipher, Alex, “Zero Trust: Redefining Cybersecurity,” 2024.
(5) Cybercrime Magazine, “Multi-Factor Authentication is (Not) 99 Percent Effective,” February 23, 2023. [Online]. Available: https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
(6) CTO (Core Team One), “Did you know? 74% of data breaches start with the abuse of privileged credentials,” June 12, 2024. [Online]. Available: https://www.bing.com/search?pglt=297&q=74%25+of+data+breaches+start+with+the+abuse+of+privileged+credentials&cvid=5411e708f64447b8b8e91782242cba48&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQRRg80gEKMTYxMzY2ajBqMagCALACAA&FORM=ANNTA1&adppc=EDGEBRV&PC=EDGEBRV
(7) Furness, Dylan, Emerj, November 9, 2024. [Online]. Available: https://emerj.com/an-ai-cybersecurity-system-may-detect-attacks-with-85-percent-accuracy/#:~:text=An%20AI%20Cybersecurity%20System%20May,Accuracy%20%7C%20Emerj%20Artificial%20Intelligence%20Research
(8) Goraga, Zemelak, Dr., “AI and ML Applications for Decision-Making in Zero Trust Cyber Security,” Volume 1, SkyLimit Publishing, 2024, pp. 2-3.
- FFIEC Cloud Computing Statement
From the Federal Financial Institutions Examination Council (FFIEC)
- TPRM 101: Reporting on Residual Risk
This video covers Reporting on Residual Risk, the 7th section of Pre-Contract Due Diligence, which is the second phase of the TPRM Lifecycle. Explore how to effectively report and communicate residual risks to decision-makers as the final step in Pre-Contract Due Diligence.
- Fiscal Year 2025 Bank Supervision Operating Plan
From the Office of the Comptroller of the Currency | Committee on Bank Supervision
- Third Party Risk Management Framework
TPRA recently released its Third Party Risk Management (TPRM) 101 Guidebook, a document that details the TPRM framework that all mature programs should have in place. It walks readers through all phases of the TPRM lifecycle and provides them with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM practitioners, subject matter experts, and TPRM service provider organizations (i.e., the Third Party Risk Management Community). This Guidebook is the first of its kind, with close to 150 pages of in-depth details on the TPRM Program Lifecycle, with each section breaking down one of the six lifecycle phases. It is complete with definitions, notes, examples, charts, diagrams, relevant resources, and best practices, all designed with the goal of ensuring successful implementation and/or enhancement of your current TPRM program.

The TPRM lifecycle outlined within the guidebook includes six phases:

Planning and Oversight - Provides an organization with the foundation to build upon and properly support their overall program.

Pre-Contract Due Diligence - Ensures the organization performs due diligence, commensurate with the level of inherent risk, to determine if the organization should proceed with a specific third party relationship and prior to signing a contract. This phase assists with determining if a third party meets business needs in relation to the risk presented.

Contract Review - Ensures the organization documents relationship expectations in an agreement that can be upheld in a court of law. It also ensures risks noted within the due diligence process can be addressed within contractual clauses.

Continuous Monitoring - Requires the organization to assess third party risk on a continual basis to ensure contract terms, business obligations, legal and regulatory requirements, and performance expectations are met.

Disengagement - Ensures the organization is able to transition away from a third party with minimal impact should the relationship end due to contract expiration or when adverse/unplanned conditions are met.

Continuous Improvement - An ongoing activity that seeks to enhance the organization’s TPRM program as third party risk management guidance, trends, and techniques are realized.

The guidebook is currently available to TPRA members only. TPRA members are able to get their FREE copy by clicking the link below. As this is the first edition draft of the Guidebook, TPRA members can also submit relevant comments, suggested edits, proposed additions, and/or critiques for the Guidebook, using the link below. The comment period will run through Friday, October 13th. Once comments are reviewed and edits are made, the guidebook will be available for free to the entire TPRM community. The guidebook will also be the foundation for TPRA's next certification, the Third Party Risk Management Practitioner (TPRMP). This certification will be available for pre-order Fall of 2023 and launch in early 2024.

To provide readers with a taste of what is included in the Guidebook, see below a small excerpt from the "Contract Review" section.

"It is important for TPRM practitioners to have a seat at the table (or be involved) when REVIEWING CONTRACTS. Third party contracts typically involve clauses related to cybersecurity, data protection, regulatory compliance, and other risk areas that are critical to protecting the organization. By having a seat at the table, practitioners can provide valuable insight and guidance as subject matter experts on these topics. TPRM practitioners are responsible for proactively identifying and mitigating risks associated with their organization's third parties. Therefore, by reviewing contract clauses, practitioners can identify potential risks in cybersecurity-related contract clauses before they impact the organization, as well as work towards mitigating identified risks.

TPRM practitioners should work closely with their Legal and Procurement teams to ensure contracts align closely with their organization’s risk management strategy. Templates for cybersecurity requirements should be drafted to ensure they provide sufficient coverage of key controls, define expectations for participating in compliance monitoring activities (i.e., due diligence assessments) as well as providing evidence items upon request, and detail appropriate remedies in the event that the third party fails to meet its obligations under the agreement. See the "CR 2 – Contract Clauses & Template Agreements” subsection for a detailed list of specific contract clauses you may want to include within your contracts, specifically for third parties with inherently high risks.

TPRM practitioners may also want to review redlines within specific clauses that relate to cybersecurity terms, as well as terms that would allow a practitioner to perform his/her duties (such as a “Right to Audit or Review” and/or “Termination” clause). This will ensure any changes made to these clauses remain in line with the organization’s risk appetite and control expectations. Practitioners can also ensure any high-risk findings noted during the due diligence process are noted within contractual terms. TPRM practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.

It is important to perform due diligence activities before a contract is signed. In doing so, companies can identify potential risks related to the third party’s financial stability, legal and regulatory compliance, reputation, cybersecurity intelligence, and other relevant factors. This can help companies make informed decisions about whether to enter into a contract with the third party and what contractual terms and conditions should be included to mitigate risks.

Contracts should be reviewed on a regular cadence to confirm they remain in line with your organization’s risk appetite, as well as reflect any emerging risks that have been identified. If changes need to be made to bring contracts in line with current standards, then an amendment should be considered. Contract changes could also be made during the renewal process. It is important to have a clear and comprehensive contract in place at the beginning of the relationship to avoid misunderstandings and disputes later on. However, if changes need to be made to the contract, they should be made in a timely and transparent manner. The contract should include provisions for how changes will be made and how they will be communicated to all parties involved. The parties should negotiate the changes in good faith and reach an agreement that is fair and reasonable to all parties.

BEST PRACTICE: TPRM practitioners should assist with the creation and review of contract clauses that relate to cybersecurity terms, as well as terms that will allow a practitioner to perform his/her duties, to ensure that the organization is protected from cybersecurity and other risks associated with third parties."

TPRA also recently created a video on the Contract Review process. Click the link below to view the video and subscribe to Third Party Risk Association's YouTube channel.