The 5Ws and H of Third-Party Risk Management

If you’re questioning whether third-party risk management (TPRM) applies to you or your organization, you’re in the right place. And I’ll give you a hint… yes, it does. 

Third-party risk should be a concern of everyone on both personal and professional levels. Personal applications of TPRM aside, here you’ll find some guidance on understanding the importance of TPRM and best practices for developing successful programs for your organization.  

Who should consider TPRM?  

All of us! Whether you outsource one function or 25, or, actually, even zero, you should consider TPRM as a critical step to set your organization up for success. 

Who is a third party? 

Any organization to whom another organization outsources a function. Outsourced functions can range anywhere from cleaning and custodial staff, to payroll processing, to data storage. If you’ve ever uttered the phrase “_____________ does that for us” you’ve got yourself a third-party. And they will present risk to your organization.  

What should you do to address that risk?  

Whether you’ve not yet outsourced or you currently contract with a plethora of third parties, a formal, documented and approved TPRM program is imperative in order to manage risk during the entire third-party lifecycle. 

When is a TPRM program applicable?  

A TPRM program should be applicable throughout the entire third-party lifecycle. An effective TPRM lifecycle is comprised of three phases:

1. Onboarding 

Onboarding begins at the point at which an organization begins looking for a third party to perform a certain function for them. It includes planning activities to manage relationships as they become involved in the TPRM lifecycle, and continues into a due diligence phase in which the organization researches potential third parties to verify that they meet established, required criteria.

2. Monitoring 

Monitoring follows onboarding: it begins once a third-party has been selected and continues until termination is necessary. Monitoring is the fun part! (Without getting too existential, even the monitoring-of-a-third-party phase can be outsourced to a third-party.) For the Monitoring phase to be effective, an organization should, during Onboarding, plan for the Monitoring activities that are most suitable to gain adequate assurance over the third-party’s security. Examples include verifying that the third-party will have a SOC report available for review on an ongoing basis, verifying that a right-to-audit clause exists in the contract, and/or verifying the willingness of the third-party to complete a security questionnaire at an agreed-upon frequency.

Monitoring phase requirements include the need for an organization to develop criteria to determine the criticality of its third-parties, which should dictate the scope and frequency of vendor assessments. The higher the criticality, the more often the third-party should be assessed for controls that directly relate to the risk posed by the third-party. For example, third-parties that store and process highly confidential data that are crucial to financial or operational activities will likely be scored with a high criticality rating and should be assessed annually.

Another factor that could impact the criticality ranking of a third-party is the related replacement risk of that third-party. That is, a third-party may be high-criticality simply because of the lack of competition in their space, leaving no other third-parties to perform that service should your selected third-party cease operations.

3. Termination 

Termination is the final phase of the third-party lifecycle and should be planned for during onboarding and exercised whenever needed to ensure relationships terminate and transition (whether back in-house or to another third-party) in an efficient manner. 

Anywhere that your own third parties have a presence, where your data lives, or where fourth parties have a presence, etc. The physical locations where the TPRM process is relevant should be established during the onboarding process and updated as necessary.

Why are TPRM programs necessary?  

Depending on your industry or regulatory environment, you may be required to have one. However, whether required or not, TPRM addresses a specific kind of risk that in the past has gone unaddressed, resulting in multiple data breaches caused by unmanaged third-party risk. It all boils down to one important fact: you can outsource nearly any function, but you cannot outsource risk.

How to implement a TPRM Program? 

How TPRM programs are implemented varies based on the organizational landscape. However, one important first goal must be accomplished: executive support. A close second is cross-functional participation. Without a top-down, all-in approach, from C-Suite to staff, and from procurement to operations, a TPRM program will not be successful.


About Schneider Downs Third-Party Risk Management 

Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.  


© 2022 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
