Search Results
- Significant Third-Party Risk Events and Lessons for 2024
By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

This past year was an eventful one for the third-party risk management (TPRM) industry. New headlines seemed to appear each month that brought attention to third-party risk, whether it was a significant cybersecurity event, like the MOVEit data breach, or the ongoing discussion of the potential risks and rewards of artificial intelligence (AI). The mid-year release of the Interagency Guidance on Third-Party Relationships: Risk Management was perhaps the most obvious reminder of the increased regulatory focus on TPRM. We’re going to review some of the lessons learned from the past year’s events and look forward to some best practices for 2024.

Significant TPRM Events of 2023 and Lessons for 2024

The following list of events highlights a few TPRM trends that are worth exploring in greater detail. Although we can’t predict what 2024 will bring, TPRM leaders can stay informed of these trends and determine how to implement these best practices into their programs.

Release of Interagency Guidance on Third-Party Relationships: Risk Management – The OCC, FDIC, and Federal Reserve released the final guidance in June, which brought a unified approach to TPRM best practices. The guidance offers a clear framework for how an organization should manage its third-party relationships, such as identifying critical and high-risk vendors and having awareness of subcontractors that can elevate risk.

MOVEit Data Breach – Thousands of organizations in the U.S. and abroad were impacted by the MOVEit data breach, either from using the software directly or being indirectly exposed to it through a third- or fourth-party vendor. The situation unfolded in June, but victims are still coming forward months later, indicating that this incident may not be resolved anytime soon.

Emerging Risks of AI – As AI continues to evolve with new possibilities, many experts are reminding business leaders to acknowledge the potential risks such as data manipulation and hard-to-detect automated cyberattacks. Because AI is changing so quickly, the Biden administration even released an executive order to promote new standards for the safe and secure use of this technology.

TPRM continues to be a growing topic, and 2024 will no doubt bring new regulatory expectations that will influence best practices across all industries. Third-party cyberattacks and data breaches will likely continue to grow in complexity and occurrence, so it’s important to have a strategy in place to respond and limit their impact on your organization. Staying aware of new risks and industry trends will help protect your organization as we head into a new year.
- TPRM 101: Pre-Contract Due Diligence (PCDD) - Part 1
This video introduces the second phase of the TPRM lifecycle, Pre-Contract Due Diligence, and outlines how to structure this critical stage before onboarding a third party. Welcome back to TPRA’s Third Party Risk Management 101 series, a guide for creating and enhancing your Third Party Risk Management Program. For our fourth episode of the TPRM 101 series, we will be discussing Pre-Contract Due Diligence, the second phase of the TPRM lifecycle. This phase will be explored in a two-part video series.
- Third Party Risk Management (TPRM) 101 Guidebook
The Third Party Risk Association (TPRA) is excited to bring you the first comprehensive Third Party Risk Management (TPRM) program guidebook. This guidebook will walk you through all phases of the TPRM lifecycle in detail and provide you with practical tools, tips, and examples for its implementation. It was developed over the course of three years from the input of numerous TPRM practitioners, subject matter experts, and TPRM service provider organizations (i.e., the Third Party Risk Management community). We hope you find this guidebook to be helpful and easy to understand, providing you with relevant tips and examples to ensure successful implementation and/or enhancement of your current TPRM program.

Downloading the Guidebook

To download the Guidebook, visit the link below and complete a short form. Note: Contact information collected through this form will be used in the event TPRA publishes an updated copy of the resource. Downloaded by over 3,000 TPRM professionals! Feel free to leave a review in the comments below!
- How Continuous Vendor Monitoring Benefits Organizations
By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder

Most third-party risk professionals understand the importance of conducting thorough due diligence. After all, it’s essential to ensure that your potential vendors have the appropriate practices and controls to address the risks of the products and services they’ll provide to your organization. However, it’s important to remember that performing initial due diligence and signing a contract doesn't eliminate vendor risks. Due diligence only captures a snapshot in time. Vendor risks, controls, quality, and service fluctuate. To lessen the impact and severity of vendor risks on your organization, it's crucial to practice continuous monitoring, also known as ongoing monitoring. This ensures that your vendors remain in compliance with applicable laws and regulations, provide quality products and services, and address any issues effectively and promptly.

What Does Continuous Monitoring on Vendors Mean?

Continuous monitoring is the practice of constantly and consistently keeping your eye on your vendors and their risk and performance. You’ll need to periodically reassess their risks and validate controls throughout the contract term to verify that vendor performance aligns with contractual requirements and industry standards. It's important to keep continuous monitoring risk-based. This means that the frequency and rigor of monitoring is proportionate to the risk of the vendor and of their products and services. A rule of thumb for reviews is annually for all critical and high-risk vendors, every 18-24 months for moderate-risk vendors, and every two to three years for low-risk vendors.

Four Benefits of Vendor Continuous Monitoring

Not only is continuous monitoring a best practice, but for many industries it's a regulatory requirement. This may be your organization’s only incentive for performing continuous monitoring, but it has other important benefits, including:

Decisions based on real-time data – As vendor risk is subject to change, it’s essential to gather multiple forms of data to compare and analyze. Initial due diligence can help you quickly compare two vendors, but continuous monitoring tracks changes over time in a specific vendor's risk. It offers the most comprehensive understanding of your vendors' risks and enables better organizational decision-making.

Maximized productivity – To use your limited resources effectively, it’s important to clearly understand which vendors need the most attention. By identifying which vendors are a priority, you can allocate your time and resources so that pressing issues are addressed on time.

Confirmed vendor value – Continuous monitoring keeps your vendor relationships productive and beneficial for your organization. It enables you to evaluate whether your vendors fulfill contractual expectations. You can then make the necessary adjustments to improve the partnership.

Avoided expensive surprises – With continuous monitoring, you can identify and address potentially costly situations, including regulatory violations, data breaches, and vendor instability. A proactive approach keeps your operations efficient and mitigates the risk and expense of potential issues.

How Vendor Continuous Monitoring Safeguards Your Organization

It's crucial to have a clear understanding of how your organization should handle any issues that arise during vendor monitoring. It's not enough to simply recognize that a problem exists; you have to take action. Here are three significant outcomes of continuous monitoring:

Identifying problems and issue management – Identified problems should be added to a formal issues log. The log should include a full description of the issue, root causes, ownership, remediation steps, and timing. Issues must be tracked and monitored until closed. Issues at risk or past due should be escalated to management to ensure proper closure.

Identifying emerging risks – It's important to keep an eye on emerging risks that could affect your vendor relationship. Changes in vendor management or ownership, regulatory requirements, or even declining financial health are all examples of emerging risks. You should discuss any emerging risks with your vendor and gather additional documentation or remediation plans as needed. You may also need to perform vendor control assessments or other risk reviews. Don’t hesitate to sign up for vendor risk monitoring and alerts, such as Google Alerts, or seek help from outside risk intelligence firms that specialize in this. By taking these steps, you can ensure that emerging risks are kept in check.

More frequent monitoring – If vendors have any issues or emerging risks, it's important to monitor them more frequently and rigorously. Problems rarely occur in isolation and can signal the presence of other potential issues or emerging risks. By keeping a close eye on problem areas, you can identify and address any problems before they become more significant or difficult to manage.

Vendor risk is always changing, and continuous monitoring is an essential activity to minimize vendor risks and their potential impact on your organization and customers. By implementing a risk-based approach to continuous monitoring, your organization can identify and address issues early on, before they become unmanageable. Although it may seem like a daunting task, don't view monitoring as a chore. Instead, embrace it as a valuable tool for successful third-party risk management.
- TPRM 101: Contract Review
This video unpacks the Contract Review phase of the TPRM lifecycle, guiding practitioners on how to protect the organization by documenting enforceable third-party expectations in legal agreements. The third video in TPRA's "TPRM 101" series explains Contract Review, the third phase of the TPRM lifecycle. Contract Review is an essential step in the TPRM process, as it ensures organizations document relationship expectations in an agreement that can be upheld in a court of law.
- SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
From the U.S. Securities & Exchange Commission
- Third-Party Risk Management Guideline
From the Office of the Superintendent of Financial Institutions
- TPRM Risk Appetite & Risk Tolerance
Author: Heather Kadavy, TPRA's Sr. Membership Success Coordinator

Whether you are a board member, shareholder, or member of executive management assigned to review and provide credible challenge to a report on Third Party Risk Management (TPRM) effectiveness; a TPRM leader or member of the TPRM team conducting oversight and reporting; or a business unit that owns the risk of its outsourced relationship(s), it is important that everyone understands your organization’s risk appetite and risk tolerance. This will help ensure the effectiveness of a TPRM Program and align the program to the overall Enterprise Risk Management (ERM) program.

Risk Appetite is the threshold of risk that an organization is willing to assume in order to achieve a desired result or its objectives. Risk Tolerance is the acceptable deviation from the organization’s risk appetite.

1. Understand Your Organization’s Enterprise Risks. Starting at the top, executive management under the direction of the Board of Directors typically identifies the key risks and emerging factors facing the organization. While the list will vary from organization to organization, such risks typically include, but are not limited to, compliance risk, credit risk, environmental risk, fiduciary risk, financial risk (e.g., interest rate risk, liquidity risk), legal risk, operational risk (e.g., transactional risk, fraud risk, information security risk), third-party and supply-chain risk, Environmental, Social, and Governance (ESG) risk, reputational risk, and strategic risk.

2. Understand Your Organization’s Risk Appetite & Risk Tolerance. Typically, for each risk category, key performance indicators (KPIs) and key risk indicators (KRIs) are outlined along with a risk target. On a periodic basis (typically quarterly), each business unit provides metrics for each risk category, and through analysis the organization is able to assess whether its operations are aligned to its risk appetite and tolerance thresholds, as well as analyze the inherent and residual risks that impact the organization. Any outliers are typically discussed and managed (via remediation plans, risk acceptances, and/or other avenues).

3. Understand How TPRM Risk Appetite & Risk Tolerance Align to ERM. Similarly, a TPRM Program will typically base its risk appetite and tolerance metrics on those of the ERM program. This ensures all departments are speaking the same language with regard to risk and that very high-risk issues are escalated to the appropriate stakeholders. This also ensures TPRM activities are and remain risk-based. To ensure your TPRM program is aligned with your ERM program, TPRM leaders should ensure:

a. The overall TPRM program considers the full threat landscape that each outsourced relationship faces. Different third parties pose different threats, which typically roll up under one of the ERM umbrella risk categories.

b. Risk appetite and tolerance are known, understood, and reviewed on a regular basis. Risk appetite and tolerance may be influenced by legal and regulatory requirements, industry, corporate expectations, geography, and technology.

c. The total risk associated with an outsourced party is considered, as a single third party may provide your organization with several products and/or services.

4. Establish TPRM Risk Metrics for managing and monitoring outsourced relationships to ensure risks are mitigated in a timely manner. Some of the more common metrics linked to a TPRM Program include, but are not limited to:

Third parties in total, by risk tier, by classification, by geographic region/location, and by risk category
Third parties by division, department/business unit, and TPRM member
Assessments past their due date
Risk acceptances and/or escalations
Active continuous monitoring alerts
Service level agreements not being met
Service level agreements which do not meet corporate thresholds (e.g., RTO/RPO timelines, or incident or event notification timeline requirements that do not meet corporate, legal, or regulatory expectations)
Contracts signed prior to TPRM completion (e.g., due diligence)
Risk assessments that are incomplete or missing information
Third parties that represent concentration risk to the organization
Emerging risks and/or threats
Regulatory matters

Whether an individual is reviewing risk appetite and tolerance from the bottom up (TPRM metrics to ERM risk appetite) or from the top down, the key takeaway is that the two are aligned to ensure risk is treated similarly throughout the organization and high-risk items gain the visibility they deserve. If your organization does not have a documented risk appetite or tolerance levels, then review what types of risks your organization accepts (either through a risk acceptance process or by not addressing specific risks). This is the risk appetite your organization has indirectly implemented. Therefore, it is crucial for all TPRM members to understand how their role impacts this overall alignment with the organization's risk appetite.
- Evaluating Third Party Relationships
From the National Credit Union Administration