
Third-party risk management

Third-party risk management definition

Third-party risk management (TPRM) is the process of identifying, assessing, and reducing the business and security risk that an organization takes on through its third parties, including vendors, suppliers, partners, and contractors.

See also: key risk indicator, security event management

How does third-party risk management work?

  • Identify every third-party relationship, including vendors, suppliers, contractors, and partners.
  • Assess the risk of each relationship by evaluating factors such as the type of data being shared, the level of access the third party has to company systems, and the strength of the third party's own security controls.
  • Plan incident response jointly with vendors so that both sides are prepared to respond when a security incident occurs. Agreed contacts, notification timelines, and responsibilities minimize the impact of an incident and enable rapid response and recovery.
  • Establish controls to mitigate the identified risks, such as requiring partners to comply with specific security standards and adding monitoring and auditing of their access.
  • Monitor and review the company's third-party relationships on an ongoing basis, since a vendor's risk profile can change after the initial assessment.

Why is third-party risk management difficult?

The biggest challenge with TPRM is that the vendor ecosystem is complex, keeps growing, and needs constant attention. Many companies rely on a large number of third-party vendors and partners, each with its own security policies and practices. Identifying and addressing potential risks at onboarding is difficult enough, but companies must also continuously monitor vendors and their security practices to ensure that every third party keeps meeting the company's security requirements over time.