Third-Party Risk Management (TPRM) Frameworks
Third-party risk management frameworks systematically identify, assess, monitor, and remediate risks introduced by vendors, suppliers, and service providers across the extended enterprise.
Third-Party Risk Management (TPRM) — also called vendor risk management or supply chain risk management — has become a mandatory governance program under multiple regulatory frameworks: DORA Article 28 (critical third-party providers), NIST SP 800-161 Rev 1 (supply chain risk management for federal systems), SOC 2 vendor management criteria (CC9.2), ISO 27001 Annex A 5.19–5.22 (information security in supplier relationships), and sector-specific requirements from OCC Bulletin 2023-17 (third-party risk management for banks), HIPAA § 164.308(b) (business associate management), and the FTC Safeguards Rule (service provider oversight). TPRM programs typically operate a lifecycle: vendor identification and categorization, inherent risk assessment, due diligence (questionnaire and evidence review), contract negotiation, ongoing monitoring, and off-boarding.
TPRM due diligence intensity is calibrated to vendor risk tier. Critical vendors — those with access to sensitive data, providing business-critical services, or creating systemic concentration risk — receive full assessments including questionnaire (e.g., SIG Lite or SIG Core), review of third-party audit reports (SOC 2, ISO 27001, CSA STAR), penetration test results, and potentially on-site or virtual assessment. Inherent risk scoring typically considers data access (types and volume of sensitive data), connectivity (network integration depth), criticality (impact of service disruption), and substitutability (ease of replacement). DORA specifically requires that financial entities assess concentration risk from ICT third-party providers — where a single provider failure could impact multiple functions or industry-wide — and maintain exit strategies for critical dependencies.
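The inherent risk scoring and concentration check described above, as an added worked example (not the page's or any vendor's code): each of the four factors is scored 1–3, the sum maps to a tier that selects the due-diligence scope, and the vendor register is grouped by provider to flag DORA-style concentration. The factor scale, tier thresholds, `SAMPLE_REGISTER` and provider names are constructed assumptions.

```python
"""Inherent-risk tiering and ICT concentration check over a vendor register."""
from collections import defaultdict

# Assumed scale: each factor scored 1 (low) .. 3 (high). Substitutability is
# scored as replacement difficulty, so a hard-to-replace vendor scores 3.
FACTORS = ("data_access", "connectivity", "criticality", "substitutability")

# Assumed thresholds on the 4..12 total; due-diligence scope per tier follows the text.
DUE_DILIGENCE = {
    "critical": ["SIG Core", "SOC 2 / ISO 27001 report review", "pentest results", "on-site or virtual assessment"],
    "high": ["SIG Core", "SOC 2 / ISO 27001 report review"],
    "standard": ["SIG Lite"],
}

def inherent_risk_score(vendor):
    """Sum the four factor scores, rejecting values outside the 1..3 scale."""
    total = 0
    for factor in FACTORS:
        value = vendor[factor]
        if not 1 <= value <= 3:
            raise ValueError(f"{factor} must be 1..3, got {value!r}")
        total += value
    return total

def risk_tier(score):
    """Map a 4..12 score to a tier (thresholds are an assumption)."""
    return "critical" if score >= 10 else "high" if score >= 7 else "standard"

def concentration_risk(register, min_functions=2):
    """Providers whose failure would hit >= min_functions distinct business functions."""
    functions_by_provider = defaultdict(set)
    for vendor in register:
        functions_by_provider[vendor["provider"]].update(vendor["functions"])
    return {p: sorted(f) for p, f in functions_by_provider.items() if len(f) >= min_functions}

def assess(register):
    """Tier every vendor; exit strategy required for critical tier or concentrated providers."""
    concentrated = concentration_risk(register)
    out = []
    for vendor in register:
        score = inherent_risk_score(vendor)
        tier = risk_tier(score)
        out.append({"name": vendor["name"], "score": score, "tier": tier,
                    "due_diligence": DUE_DILIGENCE[tier],
                    "exit_strategy_required": tier == "critical" or vendor["provider"] in concentrated})
    return out

# Constructed sample register (not real vendors).
SAMPLE_REGISTER = [
    {"name": "Payments hosting", "provider": "CloudCo", "functions": ["payments"],
     "data_access": 3, "connectivity": 3, "criticality": 3, "substitutability": 3},
    {"name": "HR SaaS", "provider": "CloudCo", "functions": ["hr"],
     "data_access": 2, "connectivity": 2, "criticality": 2, "substitutability": 1},
    {"name": "Office supplies", "provider": "StationeryLtd", "functions": ["facilities"],
     "data_access": 1, "connectivity": 1, "criticality": 1, "substitutability": 1},
]
```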
Continuous monitoring has displaced point-in-time due diligence as the operational standard for critical vendors. Monitoring tools (SecurityScorecard, BitSight, RiskRecon) provide ongoing external attack surface measurement of vendors without requiring vendor cooperation — scanning for misconfigured systems, open ports, certificate issues, leaked credentials, and dark web exposure. These signals supplement (not replace) questionnaire-based assessments. Contract terms must include audit rights, right-to-test, notification obligations for security incidents affecting customer data (aligned to GDPR Article 28(3)(f), HIPAA § 164.308(b)(1)), and termination rights for material security failures. SLA terms should address recovery time, data return/destruction at termination, and business continuity.
We implement TPRM programs with risk-tiered assessment workflows, pre-integrated questionnaire libraries (SIG Lite, SIG Core, CAIQ) mapped to client control frameworks, and continuous monitoring integrations with SecurityScorecard and BitSight. Contract term libraries include pre-approved GDPR Article 28, HIPAA BAA, and DORA-compliant ICT third-party clauses. Our vendor register feeds directly into ISO 27001 A.5.19 evidence requirements and SOC 2 CC9.2 criteria.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.