How to Write a Third-Party Risk Management (TPRM) Policy for Your Organization

For more information about TPRM, please refer to the Beginner's Guide to Vendor, Supplier and Third-Party Risk Management. 
Faced with stringent regulation of outsourcing, many institutions are implementing third-party risk management (TPRM) programs to ensure that the third parties they rely on support, rather than undermine, their strategic objectives. Outsourcing to third parties such as vendors and suppliers lets organizations run their functions and processes more efficiently and, through lower operational costs, more profitably.
 
Despite the advantages of outsourcing, there are risks that can undermine an organization's efforts to maximize the benefits of using third parties. To address those risks, effective institutions implement corporate-wide policies, such as a TPRM policy, so that the entire enterprise understands the importance of considering risk when choosing an outside party to perform key functions and processes. An effective TPRM policy should answer the questions listed below.

- What is third-party risk management (TPRM)?
Define third-party risk management. For example: third-party risk management is the process of identifying, assessing and controlling the risks, whether they lead to positive or negative outcomes, that arise from outsourcing specific functions and processes to outside parties.

- What is the purpose of the TPRM policy?
Explain the intent of the policy. For example: the purpose of the TPRM policy is to establish and communicate the standards and guidelines for all employees and contractors who work with third parties, such as vendors or suppliers, that support internal functions and processes.

- Why is TPRM important to the organization?
Explain the importance of TPRM to the organization. For example: TPRM is important because it enables the organization to control the risks that come with outsourced relationships. A proper TPRM program ensures that a process exists to address any threat to the strategic objectives of the organization.

- What is the TPRM process?
Summarize the TPRM process. Please refer to the tutorial Beginner's Guide to Vendor, Supplier and Third-Party Risk Management under Training Guides, Templates and Checklists for a sample TPRM process.

- When is a TPRM assessment required?
Explain when a TPRM assessment is required and how a risk-based approach is used to make that decision. For example: a TPRM assessment is required based on the level of criticality of the outsourced products or services. Please refer to the tutorial Beginner's Guide to Vendor, Supplier and Third-Party Risk Management under Training Guides, Templates and Checklists. Also refer to the Sample Risk Classification Scheme and Assessment Type under Training Guides, Templates and Checklists.
 
- Who in the organization should comply with the TPRM policy?
The policy should apply to all employees within the organization, and to contractors who engage third parties on its behalf.

- What regulations related to TPRM apply to the organization?
Explain any regulatory obligations related to TPRM that the organization must meet. For example, list all applicable guidance and regulations, such as OCC 2013-29, FRB SR 13-19, FDIC FIL-44-2008 and any others that apply to TPRM. Regulatory guidance changes: in 2023 the OCC, FRB and FDIC replaced these three issuances with joint Interagency Guidance on Third-Party Relationships, so verify that the policy cites the currently effective versions and review the list on a set schedule.

- Who are the applicable stakeholders in the TPRM process?
List the groups within the organization that are responsible for managing the TPRM process. Include all risk assessment subject-matter experts (SMEs) and any TPRM group that serves as the second line of defense. Also explain the role of the business units, lines and departments that serve as the first line of defense. Readers of the policy should also understand the role of the operating committee in the second line of defense and the executive committee in the third line of defense; where the organization follows the IIA Three Lines model, internal audit provides the independent third line, so the policy should state clearly which body holds that role.

- What are the exceptions to the TPRM policy?
Explain any circumstances that exempt specific outsourced relationships from a TPRM assessment. For example, the level of criticality of the outsourced functions and processes should determine whether a TPRM assessment is required. Criticality should be determined by the inherent risk of the outsourced services and by the preliminary residual risk score derived from the preliminary due diligence questionnaire (DDQ) sent to the third party. Please refer to Beginner's Guide to Vendor, Supplier and Third-Party Risk Management under Training Guides, Templates and Checklists. Also refer to the Sample Preliminary Due Diligence Questionnaire under Training Guides, Templates and Checklists.

- What constitutes a violation of the TPRM policy and what are the consequences for not adhering to the TPRM policy?
Explain which circumstances constitute a violation of the TPRM policy and the consequences of not following it. For example, engaging a third party before it has completed the due diligence process in the form of a TPRM assessment would be a violation. Consequences may include disciplinary action up to and including termination.

- Who are the appropriate parties to contact for any questions regarding the TPRM policy and process?
List contact information for the stakeholders in the TPRM process, at minimum the TPRM group and the risk SMEs.

- Additional information in the form of an appendix section
Include any information that will help readers of the policy understand TPRM. The appendix should include definitions of the terminology used throughout the policy. Please refer to Beginner's Guide to Vendor, Supplier and Third-Party Risk Management under Training Guides, Templates and Checklists.

Overall, an effective TPRM policy enables an organization to establish a corporate-wide standard for how TPRM is implemented. Without an enterprise-wide TPRM policy, organizations leave themselves exposed to strategic risk, since they may engage third parties that are not aligned with their risk management culture. By implementing a TPRM policy, organizations ensure that their workforce understands its role in TPRM, thereby minimizing operational risk to the organization.

Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers. 
 
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards). 
My core expertise includes: 
Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk
Risk Tools: Hiperos, MetricStream, Archer, Agiliance
Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC
Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework.
