“Start small with a minimum viable product, something that can improve the security posture right here, right now.”
—Zuzana Rebrova, Head of Third-Party Cyber Risk Management, Swiss Re
Blog
How to start a third-party risk management program: Get leadership buy-in
Create a TPRM program that addresses your organization’s highest security risks and aligns with strategic objectives
Katrina Dalao
Sr. Content Marketing Specialist, CIPM
July 11, 2023
Working with third parties is nothing new for most organizations. By the time leadership decides to start a formal third-party risk management (TPRM) program, there’s often multiple third-party relationships already in motion. This makes it challenging to create a TPRM program that addresses all vendors, suppliers, and third parties — each posing its own unique risks to the organization.
To help navigate the winding road of third-party risk management, we spoke with six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companie about their approach to building a TPRM program and the lessons they learned along the way.
Whether you’re working with one or 1,000 third parties, establishing a TPRM program follows these general steps:
- Scope and get leadership buy-in for your TPRM program
- Identify and understand types of third-party risk
- Implement TPRM across your organization
- Maintain and monitor your TPRM program
In this post, we cover the first step of building your TPRM program: Scoping your program and getting leadership buy-in.
Download our InfoSec's guide to third-party risk management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.
How do you define the scope of your TPRM program?
While every TPRM manager wants a program that actively mitigates all third-party risks, the reality is that not all relationships need to be evaluated at the same level. It takes significant resources to perform security checks, risk reviews, and other due diligence tasks — which aren’t always available, especially at the start of a TPRM program.
Defining your program scope helps establish clear boundaries, deliverables, and timelines, and keeps the focus on efforts that deliver the highest value.
“There are a lot of considerations, but early on, you're trying to knock out the low-hanging fruit and figure out your risk exposure based on the partners you have,” says Tim Mullen, Chief Information Security Officer, OneTrust. "We’re going to have a lot more rigor when it comes to reviewing a security or financial services vendor versus a vendor that provides us with something like paper towels or toilet paper.”
Use these questions to help set the scope for your TPRM program:
- What are the goals of your TPRM program?
- Do you have specific compliance requirements or deliverables (i.e., for publicly traded companies or regulated industries)?
- What risk domains should be managed (i.e., InfoSec, privacy, financial, reputational)?
- What is the organization’s appetite for risk?
Next, take inventory of your current suppliers, contractors, partners, and other vendors, and determine which of the third parties will be included in the scope of your TPRM program.
The following questions can help determine if a third party is in or out of scope for your TPRM program:
- What type of services are they providing?
- What data do they have access to?
- Will they process or host any of your data?
- What functions or teams rely on the third party to operate?
- What are the costs and terms of your relationship (i.e., contractual, subscription, one-time project)?
- Are there any integrations between your systems?
- Will they be embedded into your product?
- Can they show certification or compliance with security regulations?
- What type of risks do they pose?
- How critical are they to your organization?
This inventory serves as a single source of information and helps organizations better categorize third parties according to risk. Therefore, it’s important to update third-party inventories with any new, terminated, or revised vendor contracts.
“Third parties are just another asset you're trying to manage. And with any asset, there’s always a level of risk or a threat that comes with it,” says Kevin Liu, Senior Director of Information Security at OneTrust.
“Identify third-party risks and understand their potential exposure and impact to the organization. Then, once you have those things, you can create an assessment process and assign a criticality to the third party.”
Once the scope and other details are defined, it’s time to present the TPRM program to the leadership team.
Learn everything you need to know about third-party risk management in this guide that covers best practices, the TPRM lifecycle, and more.
What’s the best way to get buy-in from leadership?
All the experts we interviewed aligned on one universal tenet: Getting buy-in from leadership is critical to the success of your TPRM program.
“Start from the top. Management needs to understand that third-party risk really matters, what the impact could be, and how it could affect the company,” says Zuzana Rebrova, Head of Third-Party Cyber Risk Management at Swiss Re.
This involves presenting the program objectives and strategies for achieving them, as well as the business case for how a TPRM program effectively protects the organization against risks and potential losses.
Whether it’s the board, C-suite, or other key stakeholders, having top-level support goes a long way in fostering a risk culture. Leadership can not only champion the program, but also help establish governance for how TPRM activities integrate into day-to-day operations.
“The more you coordinate and socialize your intended outcome with the leaders and stakeholders in the organization, the more you’re able to set resource levels, measure whether you're actually achieving the value you want, and structure your program accordingly,” says Matthew Solomon, VP of Technology and Cyber Risk Management at Humana.
Ultimately, TPRM is an organization-wide exercise requiring involvement from multiple teams. While InfoSec or compliance typically oversees TPRM, anyone who deals with third parties — including privacy, procurement, finance, and legal — needs to be aligned and in agreement with the program.
Getting started with your TPRM program
Taking the time to plan your third-party management program sets you up for success in the long run. The best way to start your TPRM program is to get leadership and stakeholder buy-in early on and then define the program scope in a way that mitigates the highest risks and aligns to strategic objectives.
Reduce risk, build trust, and enhance business resilience by unifying third-party management across privacy, security, ethics, and ESG. Book a demo today.
You may also like
Webinar
Third-Party Risk
Live demo: Building your third-party risk management program with OneTrust
Register for this live demo to learn more about OneTrust Third-Party Risk Management solutions.
July 24, 2024
Webinar
Third-Party Risk
Protecting your reputation: 3 ways a unified third-party management program can help
This webinar will show you how to develop strategies for assessing reputational risks as it relates to third parties and the impact of third-party relationships.
June 12, 2024
Webinar
Third-Party Risk
Third-Party risk management and due diligence: What's the difference and why does it matter?
In this webinar, we’ll discuss the unique competencies of third-party risk and due diligence programs and examine when and how to align them.
May 08, 2024
Webinar
Third-Party Risk
5 Best practices for increasing resilience when working with third parties webinar
Learn how to leverage financial, operations, compliance, ESG, and cyber scores to drive resilience insights and detect possible supply chain disruptions.
April 18, 2024
Video
Third-Party Risk
OneTrust third-party management demo video
Watch this demo video to learn how OneTrust third-party management helps organizations create resilient, secure, and scalable third-party ecosystems.
April 04, 2024
Checklist
Third-Party Risk
6 steps to effective third-party risk management
See the path to managing third-party risk effectively with a checklist that outlines the six steps for a sound TPRM program.
March 29, 2024
Webinar
Third-Party Risk
TPRM privacy compliance: 10 best practices when working with third parties
How can you build a privacy-focused TPRM program? In this webinar, we discuss best practices for privacy compliance when working with third parties, from onboarding to offboarding.
March 13, 2024
Video
Third-Party Risk
6 must-know trends in third-party management
Watch this video for the five top trends shaping the third-party management industry this year.
February 15, 2024
Checklist
AI Governance
Questions to add to existing vendor assessments for AI
Managing third-party risk is a critical part of AI governance, but you don’t have to start from scratch. Use these questions to adapt your existing vendor assessments to be used for AI.
January 31, 2024
Infographic
Third-Party Risk
4 top-of-mind challenges for CISOs in 2024
What key challenges do CISOs face going into the new year? Download this infographic to hear what experts from industries across the board have to say.
January 30, 2024
Webinar
Third-Party Risk
A look back at 2023 & third-party management trends for the new year
Join this webinar as we discuss key trends for third-party management and lessons learned over the last year.
January 24, 2024
Webinar
Third-Party Risk
Live demo EMEA: Master third-party risk management with OneTrust
Attend this demo to see how our TPRM solution can help you identify and mitigate risk as well as automate manual and repetitive tasks to ultimately reduce the time you spend managing your vendors
January 23, 2024
Webinar
Third-Party Risk
Utilizing inherent risk for more efficient third-party management
Insight into your third parties’ inherent risks can change the way you run your TPM program.
November 30, 2023
Webinar
Third-Party Risk
Elevating third-party safety: The art of TPRM and TPDD integration
Join our webinar to learn the primary goals of successful Third-Party Risk and Third-Party Due Diligence programs.
November 21, 2023
Webinar
Ethics Program Management
Ethics Exchange: Risk assessments
Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.
October 25, 2023
Webinar
Third-Party Risk
5 Ways to save time when assessing third parties for privacy and security risks webinar
Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.
October 25, 2023
eBook
Third-Party Risk
Data privacy compliance and Third-Party Management: A unified approach
Understand the importance of data privacy in third-party risk management, and 10 best practices for achieving privacy compliance when working with third parties.
October 12, 2023
Webinar
Third-Party Risk
Live Demo EMEA: How OneTrust can help advance your third-party risk management program
Join us for a live demo of OneTrust's third-party risk management solution and see how it can help automate and streamline your TPRM program.
September 19, 2023
Webinar
Third-Party Risk
Where contracting fits in the third-party risk lifecycle: 5 opportunities for optimization
Join this webinar to learn how to manage the third-party risk lifecycle across teams while optimizing your processes with automation.
September 07, 2023
Webinar
Third-Party Risk
Staying vigilant: 7 practical tips for ongoing third-party risk monitoring
In this webinar, we'll share seven practical tips for effective third-party risk monitoring, helping you to identify new risks and take timely action to protect your business.
August 01, 2023
Infographic
Third-Party Risk
What are your third parties not telling you?
Learn how to actively screen and monitor your third parties in the OneTrust Third-Party Risk Exchange.
July 24, 2023
Webinar
Third-Party Due Diligence
Driving excellence in third-party risk management: An in-depth look at different due diligence approaches
Join our in-depth webinar and learn how to define third-party due dilligence levels and when to apply them during your vendor management lifecycle.
July 20, 2023
Webinar
Third-Party Risk
Automating third-party management workflows: 5 ways to drive alignment across teams
Join us as we explore how automating third-party management workflows streamlines processes, drives alignment across teams, and reduces reduntant work.
July 19, 2023
Webinar
Third-Party Due Diligence
A shortcut to third party due diligence fundamentals
In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.
July 13, 2023
Webinar
Third-Party Risk
Are your third parties a privacy compliance liability? 5 tips to reduce your exposure
Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.
July 05, 2023
Video
Third-Party Risk
Third-party management demo
See how OneTrust's third-party management solution can help scale your third-party lifecycle and evaluate vendors with real-time risk intelligence.
June 27, 2023
Video
GRC & Security Assurance
Third-party risk exchange demo
The OneTrust Vendor Risk Management provides businesses access to pre-completed vendor risk assessments while supporting industry standards.
June 22, 2023
Webinar
Third-Party Risk
Third-party data breach incident response: Essential workflows for effective recovery
Join OneTrust and HackNotice as we discuss effective ways to protect your organization from third-party data breaches and build strong incident response workflows.
June 13, 2023
Webinar
Third-Party Risk
Bridging the gap: How procurement and InfoSec can work together to reduce third-party risks
Join our upcoming webinar as we explore the pivotal ways procurement and InfoSec teams can collaborate to reduce third-party risks.
June 08, 2023
eBook
Third-Party Risk
InfoSec's guide to third-party risk management: Key considerations and best practices
Download our eBook to learn practical advice on how to approach third-party risk management like an InfoSec expert.
June 05, 2023
Webinar
Third-Party Risk
Unpacking the third-party risk regulatory landscape in the Nordic region and beyond
In this live webinar, our expert panel discuss emerging third-party risk regulatory trends in the Nordic region and show how OneTrust can help your business stay complaint.
May 30, 2023
Webinar
Third-Party Risk
Save time, save money: A practical guide to automating third-party risk management
In this webinar, you will learn how to reduce the use of spreadsheets for third-party risk management and cut costs when building your TPRM program.
May 03, 2023
Webinar
Third-Party Risk
Third-Party management secrets: Aligning risk management and due diligence
Watch this webinar to learn how to align your TPRM and TPDD programs to achieve workflow efficiencies and the distinction between the two discipline areas.
April 20, 2023
In-Person Event
Third-Party Risk
Risk on the Road: Navigating data management, compliance automation and third-party risk
Join this OneTrust live event series, which will address critical topics such as navigating data management, compliance automation and third-party risk.
April 11, 2023
Infographic
Third-Party Risk
Third-party risk: A growing spiderweb
The number of businesses and third-party suppliers has increased, widening the risk landscape. This infographic shows how businesses are managing that risk.
April 03, 2023
Webinar
Privacy Management
The US privacy landscape for third-party risk: a program prototype time
Learn how to balance the intricacies of CPRA, VCDPA, CPA, CTDPA, and UCPA when managing third parties and understanding privacy-related risks.
March 28, 2023
Webinar
Third-Party Risk
Efficient third-party risk management: 10 Best practices for streamlining workflows
Attend this webinar to learn about Third-Party Risk Management (TPRM) workflow definition and maintenance best practices you can apply to your business.NEED
February 13, 2023
Webinar
Third-Party Risk
Third-Party Management roundtable: 3 strategies for aligning Security, Privacy, Ethics, and ESG teams
In this webinar, you will learn how to utilize TPRM to help to optimize workflows, leverage data, and increase accountability across sourcing and procurement.
February 01, 2023
Webinar
Third-Party Risk
Third-party risk management demo
Our third-party risk software helps you build a vendor inventory, conduct vendor assessments, mitigate risks, monitor vendors over time, and more.
January 04, 2023
Report
Third-Party Risk
Gartner® Market Guide: IT Vendor Risk Management Solutions
Download this Market Guide from Gartner® to gain insights into this evolving market, including access to leading IT Vendor Risk Management solution profiles.
January 03, 2023
Video
Third-Party Risk
OneTrust third-party risk management for privacy professionals
Watch the demo video to learn how OneTrust Third-Party Risk Management can help your TPRM program meet your privacy team's expectations.
December 07, 2022
Webinar
Third-Party Risk
How do you manage your third-party cyber risks? 5 best practices to improve your cyber resilience webinar
In this session, we’ll outline how to identify, reduce, and monitor cyber risk as it relates to your third parties including methods for tracking cyber risks over time.
December 06, 2022
Webinar
Third-Party Risk
Canada and ISO 27001:2022: How automation streamlines compliance
Join OneTrust for a demo on how our privacy management platform helps Canadian businesses streamline ISO 27001:2022 compliance.
November 30, 2022
Webinar
GRC & Security Assurance
Analyzing ISO 27001:2022 reinforcing privacy and security compliance with automation webinar
Learn how InfoSec teams can automate scoping mandatory requirements and streamline generating evidence to prove compliance across ISO.
November 17, 2022
Webinar
Third-Party Risk
Do You Know Your third-party cyber risks? How to take a data-driven approach to reduce risk
In this webinar session, we’ll outline how to take a data-driven approach to understand, reduce, and monitor cyber risks as it relates to your third parties.
November 15, 2022
Webinar
Third-Party Risk
TPRM program blueprint: Your 5 step guide to third-party risk management success
This webinar focuses on the fundamental considerations when managing third parties and enables your organization to build a solid and scalable foundation.
October 31, 2022
Webinar
Third-Party Risk
How OneTrust can help scale your Third-Party Risk program
In this webinar, we provide a live product demonstration to show you how your organization can optimize and scale a third-party risk program.
October 18, 2022
Webinar
Third-Party Risk
5 Ways to save time when assessing third parties for privacy and security risks webinar
Watch this webinar as OneTrust discusses how privacy and security teams can save time throughout the third-party risk assessment lifecycle.
October 11, 2022
Webinar
Third-Party Risk
7 core metrics every third-party risk program must track (and how to track them)
We’ll discuss the 7 core metrics successful third-party risk programs track and how to track them, such as critical metrics to track as your program matures.
September 28, 2022
Webinar
Third-Party Risk
Do you know your riskiest third parties? 7 warning signs you shouldn’t ignore
Learn the top 7 red flags for risky third parties, mitigation tactics for reducing third-party risk, and key ways to streamline risk identification, and more.
September 22, 2022
Webinar
Third-Party Risk
3 Strategies for simplifying privacy compliance when working with third parties
In this webinar, we'll discuss third-party risk management's role in privacy compliance and cost-effective techniques for maintaining records for compliance.
September 18, 2022
eBook
Technology Risk & Compliance
The art of the enterprise IT risk assessment
Ensure your enterprise IT risk assessment is a success with a top-down approach that gets executive buy-in from the start
September 16, 2022
Webinar
GRC & Security Assurance
Supply Chain Due Diligence Best Practices: A Practical Implementation Guide to LkSG Webinar
Watch our LkSG webinar to understand the scope of LkSG, how your company will need to adjust, and the repercussions of noncompliance.
September 07, 2022
Webinar
Third-Party Risk
Security & privacy C-Level panel: Best practices for building your TPRM program
In this webinar, we discuss best practices for how privacy and security teams can work better to eliminate redundant work, save time, and be more efficient.
August 30, 2022
Webinar
Third-Party Risk
10 best practices for streamlining your third-party risk management workflows
Watch this webinar to hear how to leverage third-party risk management workflow creation and maintenance best practices.
August 30, 2022
Webinar
Third-Party Risk
Cybersecurity panel: How well do you know the threats posed by your third parties?
In this panel discussion, we address critical points such as defining the metrics to track in relation to third parties and their cybersecurity risks.
August 28, 2022
Webinar
Third-Party Risk
Third-Party risk and the U.S. privacy landscape: the top 5 things you need to know
In this webinar, we’ll review services providers under the ADPPA and outline how you can ready your third-party risk program to align with privacy regulations.
July 31, 2022
Checklist
Third-Party Risk
LkSG readiness checklist: Is your company prepared for the German supply chain due diligence act?
Download our LkSG readiness checklist to understand your readiness for risk management systems and responsibilities, and due diligence obligations.
July 26, 2022
Infographic
GRC & Security Assurance
The state of IT & third-party risk infographic
In this infographic, you'll discover third-party risk and learn how to operationalize a "3A approach", including addressing evolving risk factors and timelines.
July 19, 2022
Webinar
Third-Party Risk
Better by tomorrow: 7 third-party risk assessment best practices you can implement today
In this webinar, we’ll explore these questions and layout 7 must-know best practices to conduct more meaningful third-party risk assessments.
July 15, 2022
eBook
Third-Party Risk
Building your third-party risk management program
Understand what it takes to build a successful third-party risk management program through OneTrust's third-party risk management guide.
July 08, 2022
Webinar
Trust Intelligence
Become a trusted brand: 7 ways to promote your security, privacy, ethics and ESG programs
We discuss key points, such as choosing which certifications count the most to your business and how to save time when answering questionnaires.
June 20, 2022
Webinar
Third-Party Risk
How to comply: German supply chain Due Diligence act and Forthcoming EU rules
Join our panel of experts as we discuss the German Supply Chain Due Dilligence Act and the best practices for compliance.
June 15, 2022
Webinar
Third-Party Risk
Third-Party risk best practices: How to align privacy & security teams for greater productivity
This webinar will discuss best practices for how privacy and security teams can work together to eliminate redundant work, save time, and be more efficient.
June 06, 2022
Webinar
GRC & Security Assurance
Elevating your third party risk program with an integrated infosec platform
Join this webinar to learn how you can integrate your Third-Party Risk Management program within a broader IT Security platform
May 26, 2022
Webinar
Third-Party Risk
Preparing your TPRM program: A 30-day implementation guide
In this webinar, we will provide you with the steps that you need to define a solid third-party risk management program
May 25, 2022
Webinar
Third-Party Risk
Accelerating automation: How the pandemic forced third-party management to scale
Watch this webinar and see how the COVID-19 pandemic forced companies to accelerate automation and scale their third-party management.
April 26, 2022
Webinar
Third-Party Risk
Secrets to Success: The winning game plan for security questionnaire response
Discover effective strategies for preparing security questionaire responses with our free webinar.
April 04, 2022
Webinar
Third-Party Risk
Ready, set, launch your TPRM program: A 30-day implementation roadmap
Watch this webinar and learn how to launch an effective third-party risk managment program and practical methods to track success.
March 30, 2022
eBook
Third-Party Risk
The shift to third-party management
Download our guide on third-party management and learn what you need to know to shift your buisness to TPM.
March 29, 2022
White Paper
Third-Party Risk
Third-party risk: A turbulent outlook
Download this joint research report conducted by CyberRisk Alliance and Vendorpedia to understand today's third-party risk landscape.
March 02, 2022
eBook
Third-Party Risk
The business value of third-party risk management software
In this eBook, learn the business value of TPRM software and why all leading organizations rely on it when working with third-party vendors.
February 03, 2022
Webinar
Third-Party Risk
5 Ways to step-up your business resilience with better third-party management
Join this webinar to learn best practices on how your organization can step-up business resilience with better third-party risk management.
February 02, 2022
Webinar
Third-Party Risk
Optimizing third-party risk: enhance automation with an integrated IT risk platform
Watch our free webinar to discover how to optimize your third-party risk program and reduce manual data management with automation.
February 02, 2022
Webinar
Privacy Management
2022 Third-party trust predictions and preparations
Prepare for 2022 Trends in Third-Party Risk Management and future-proof your Third-Party Trust program.
January 04, 2022
Webinar
Third-Party Risk
Are your third parties a privacy compliance liability? 5 Tips to reduce your exposure
This webinar will discuss how to create a Third-Party Risk Management (TPRM) program that prioritizes privacy compliance and simplifies record-keeping.
December 31, 2021
eBook
GRC & Security Assurance
Vendor risk management for privacy professionals
Download the OneTrust Vendor Risk Management Handbook for an in-depth understanding of updated regulations, requirements and more.
November 17, 2021
Webinar
Third-Party Risk
Are you a trusted vendor? 10 things every customer wants to know
Access this free webinar to learn how to be a trusted vendor.
July 22, 2021
eBook
Third-Party Risk
Mastering the third-party risk management lifecycle
Download our third-party risk management eBook and get a complete roadmap to your TPRM lifecycle.
July 13, 2021
Video
Third-Party Risk
Questionnaire Response Automation demo
Watch the demo of our Questionnaire Response Automation tool and learn how it helps vendors automatically answer any questionnaire.
April 08, 2021
eBook
Third-Party Risk
The value of the Exchange Community for customers and vendors
Learn how an exchange community of customers and vendors improves security and builds trust.
Webinar
Third-Party Risk
Third-party management academy
Join this webinar series, which will focus on the four foundational pillars of Third-Party Risk Management: Automation, Compliance, Reporting, and Collaboration.
