This set of flashcards covers the methodology, life cycle, and best practices of Third Party Risk Management (TPRM) as presented in the lecture notes.
How is a 'Third Party' broadly defined in TPRM?
All entities that can or do provide products and/or services to an organization regardless of whether a contract is in place or monies are exchanged.
What entities are included in the definition of a Third Party?
Affiliates, Subsidiaries, Consultants, Contractors, Sub-Contractors, Vendors, Service and Solution Providers, Supply Chain Vendors, Fourth parties, etc.
What is the definition of 'Third Party Risk'?
The possibility of an adverse impact on an organization’s data, financials, operations, reputation, or other business objectives as a direct or indirect result of a third party.
What is the mathematical formula for Risk?
Risk = Impact × Likelihood
What is a 'Control' in the context of TPRM?
A process and/or activity used to monitor, review, and/or address a specific risk.
What defines the 'Third Party Risk Management (TPRM)' framework?
Policies and procedures, controls, and oversight established to identify and address risks imposed upon an organization by their third parties.
What is the goal of a Third Party Risk Management Program?
To adequately identify, monitor, and address third party risk to ensure third parties are operating securely and effectively.
Who often expects organizations to have mature TPRM programs in place?
Customers, board members, and regulators.
What is included in 'Confidential Organizational Data'?
All proprietary and restricted data a company holds, processes, or secures.
What is the definition of 'Inherent Risk'?
The level of risk present once general information about the relationship is known, but before any controls that may be in place are taken into account.
What factors are considered in the inherent risk of a third party?
Type of product or service provided, type of data accessed or transferred, geographic location, etc.
Does Inherent Risk take into account the controls a third party has in place?
No, it does not take into account safeguarding controls.
What is 'Residual Risk'?
The level of inherent risk remaining after implemented controls have been assessed and/or discovered risk has been mitigated.
Which risk measurement provides a more accurate picture of the risk landscape?
Residual risk, as it evaluates controls for sufficiency and effectiveness.
What are the two all-encompassing TPRM frameworks mentioned?
TPRA’s TPRM 101 Guidebook and OCC, FRB, & FDIC Interagency Guidance.
What is ISO/IEC 27036?
The standard series for cybersecurity and information security in supplier (third party) relationships.
What does ISO/IEC 27036 provide for acquirers and suppliers?
A structured approach to identify, assess, treat, and monitor information security risks across the full supplier lifecycle.
What are the EBA / ECB Outsourcing Guidelines?
EU frameworks requiring formal governance, exit plans, criticality assessment, and outsourcing registers.
What do the PRA / FCA Outsourcing & Third Party Risk guidelines require in the UK?
Requirements covering operational resilience, outsourcing, and oversight of third parties.
What is the 'Shared Assessments Tool-Set'?
A set of tools including best practices for third party assurance.
What is the 'SIG' questionnaire in Shared Assessments?
Standardized Information Gathering questionnaire for vendor security & risk.
What is the 'SCA' in Shared Assessments?
Standardized Control Assessment for onsite/remote control assessment procedures.
What are the 'AUP' in Shared Assessments for?
Agreed Upon Procedures for targeted, independent testing.
What is Phase 1 of the TPRM Lifecycle?
Program Planning & Oversight (PPO).
What is Phase 2 of the TPRM Lifecycle?
Pre-Contract Due Diligence (PCDD).
What is Phase 3 of the TPRM Lifecycle?
Contract Review (CR).
What is Phase 4 of the TPRM Lifecycle?
Continuous Monitoring (CM).
What is Phase 5 of the TPRM Lifecycle?
Disengagement (D).
What is 'Continuous Program Improvement (CPI)' in the TPRM Lifecycle?
An ongoing activity that seeks to enhance the program as new guidance, trends, and techniques emerge.
What is the purpose of Program Planning & Oversight (PPO)?
Provides the foundation to build upon and properly support the overall program.
What does Pre-Contract Due Diligence (PCDD) ensure?
That the organization performs due diligence commensurate with the level of inherent risk before signing a contract.
What is the purpose of the Contract Review (CR) phase?
Ensures expectations are documented in a legally enforceable agreement and that identified risks are addressed through specific contract clauses.
What does Continuous Monitoring (CM) require an organization to assess?
Third party risk on a continual basis to ensure contract terms, business obligations, and performance expectations are met.
What does the Disengagement (D) phase ensure?
The organization can transition away from a third party with minimal impact.
What is 'Reputational Risk'?
A negative public view related to dissatisfied customers, security breaches, or violations of law.
What results from inadequate or failed internal processes, people, and/or systems?
Operational Risk.
What is 'Transactional Risk'?
Issues with service/product delivery or a third party’s failure to perform as expected.
What are the three sources of transactional risk exposure?
Technological failure, human error, and fraud.
What is 'Compliance Risk'?
Results from a violation of laws or non-compliance with internal policies or procedures.
What is 'Cyber Risk'?
The possibility of exposure or loss of organizational data resulting from a technical failure or security incident.
What is 'Financial Risk'?
Results from a third party’s failure to meet monetary requirements and expectations.
What is 'Strategic Risk'?
Results from a third party relationship that fails to align with, or jeopardizes, the organization's strategic objectives.
What does it mean to 'Accept' risk?
Acknowledging that the potential loss is at a level the organization is willing to tolerate, or choosing not to treat it immediately.
What does it mean to 'Remediate' risk?
Working with a third party to create and implement an achievable action plan to add or enhance a control.
What is 'Risk Sharing'?
Distributing the responsibility of a risk across multiple organizations or individuals.
How can risks be shared contractually?
By contractually allocating responsibility for the impact of a risk between the parties should it be realized.
When does 'Risk Transfer' often occur?
In instances where the impact is high, but the likelihood of occurrence is low.
To whom does an organization typically transfer risk?
Another organization better suited to handle large-scale risk, such as an insurance company.
How do organizations 'Avoid' risk?
By not taking on the risk, avoiding actions causing the risk, or terminating services.
Who is in the First Line of Defense (LOD)?
Front-line business units and operational teams that own and manage risk day-to-day.
What is the role of the Second LOD?
Risk management, compliance, and legal functions that set standards and provide independent oversight.
What is the Third LOD?
Internal Audit that provides independent, objective assurance over governance and internal controls.
To whom does Internal Audit functionally report?
The Board / Audit Committee.
Who makes up the Fourth LOD?
External parties like external auditors, examiners, and regulators.
What does Program Planning & Oversight (PPO) set the groundwork for?
A strong, sustainable third party risk program managed at the highest level.
What should Executives do as sponsors of the TPRM program?
Act as advocates for initiatives and provide oversight through risk escalation and acceptance processes.
What should a 'Business Case' for TPRM include?
Description and features, benchmarking, potential ROI, expectations of leadership, and the risk of not having a program.
What is a 'Pilot or Phased Approach' in gaining executive support?
Proposing a program with a select group of third parties to showcase value before full-scale rollout.
Who are 'TPRM Champions'?
Key decision-makers and influencers across risk, procurement, IT, and finance who advocate for the program.
At what frequency should TPRM policies and procedures be reviewed?
On an annual basis.
Name three items high-level P&P should include.
Purpose Statement, Roles & Responsibilities, and Version History.
Name five sources for developing an inventory of third parties.
Executed contracts, Accounts Payable invoices, P-Card reports, Software Discovery Tool reports, and Business Unit surveys.
Name five sub-service categories for products/services.
Software, Hardware, Professional Services, Data Management, and Marketing Services.
What inventory data element refers to 'Doing Business As'?
DBA Name.
What is 'Potential Business Impact' in the inventory context?
A data element tracking the possible effect of the third party on the organization.
List the four key benefits of TPRM Governance & Oversight.
Accountability, Consistency, Support, and Value.
What is the 'Accountability' benefit?
Benefit from setting clear expectations and defined roles and responsibilities.
What is the 'Consistency' benefit?
Benefit from defining program requirements and creating structured metrics.
What is the 'Support' benefit?
Benefit from executive-level oversight and participation.
What is the 'Value' benefit?
Benefit of program outcomes leading to risk mitigation and impact reduction.
What is the responsibility of the Board of Directors in TPRM Governance?
Ensuring relationships are managed consistent with strategic goals and risk appetite.
What does the TPRM Program Owner/Facilitator do?
Develops and implements the program, coordinates due diligence, and advises on risk strategy.
Who owns the risk related to a specific third party?
The Business / Relationship Owner.
What should Risk Ratings be in line with?
The organization’s risk appetite.
What is the purpose of a Risk Matrix?
Ensures a consistent methodology is applied to evaluation and ensures all departments speak the same language.
What are 'TPRM Program Metrics'?
Metrics such as the number of third parties, frequency of assessments, and program milestones.
What are 'Assessment Metrics'?
Metrics such as time to complete assessments, number of gaps, and number of risk escalations.
What are 'Incident Response Metrics'?
Metrics such as number of parties with identified incidents and time to remediate.
To whom should TPRM metrics reporting be tailored?
Specific target audiences like the Board, Executives, and Business Owners.
How often should TPRM training be held at a minimum?
Annually.
When should training be held for a new relationship owner?
When the new relationship owner is established.
What should third party training cover?
Due diligence activities, expectations, escalation procedures, and risk remediation.
Name three elements of a TPRM Training Program.
Regulatory Requirements, Due Diligence Activities, and Incident Management Process.
What can occur if a third party is not compliant with laws?
Exposure to legal liability, fines, and reputational damage.
How can organizations maintain compliance?
Staying informed of updates, regular audits, and having an incident response plan for non-compliance.
What should proposed budget requirements align with?
Roadmap, maturity level, and organizational risk appetite.
List six budget considerations for TPRM.
Resources, Operations, Maturity Model, Travel, Training, and Tools.
What budget consideration covers conferences and certifications?
Training.
What budget consideration covers costs associated with automation?
Tools.
Which phase informs contracting efforts and sets the tone for continuous monitoring?
Pre-Contract Due Diligence.
What is a 'Third Party Profile'?
A comprehensive profile for each third party including details relevant to the nature of the relationship.
What is the purpose of an Inherent Risk Assessment (IRA)?
To gain a comprehensive understanding of the potential impact a third party could pose prior to controls being assessed.
How many questions should the Inherent Risk Questionnaire (IRQ) typically have?
Between 10 to 20 questions.
Who carries out the Inherent Risk Assessment?
Usually the business, with input from the third party if necessary.
What should be used to consistently determine due diligence efforts within the IRA?
Tie due diligence activities to specific questions and responses.
Name three questions typically included in an IRA.
"Will the third party have access to data?", "Is this a hosted solution/service?", and "What is the spend over the life of the contract?"
Why does an IRA typically ask how long it would take to replace a third party?
Replacement time is itself a risk factor: the longer a third party would take to replace, the greater the potential impact of its failure.
The effort spent on the Residual Risk assessment should be proportional to what?
The level of inherent risk identified by the Inherent Risk Questionnaire.
Why should a risk-based approach be used for assessments?
To allow organizations to focus on critical areas where potential risks are higher.
Name five types of Risk-Based Assessments.
Cybersecurity, Cloud Security, Financial, Privacy, and Compliance assessments.
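The following is an added worked example, not code from the lecture notes or from any TPRM tool, that ties several of the cards above together: it scores a constructed Inherent Risk Questionnaire into Impact and Likelihood, applies Risk = Impact × Likelihood on a 5×5 risk matrix, maps the resulting band to the risk-based assessments a due diligence program might require, and then recomputes the risk as residual once assessed control effectiveness is known. The question weights, the band thresholds, the risk appetite setting, and the two sample third parties are all assumptions chosen for illustration.

```python
"""Inherent-to-residual risk scoring engine (added example; weights and
bands are assumptions, not values from the TPRM lecture notes)."""

# 5x5 risk matrix bands on the product Impact x Likelihood (assumed).
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]
ORDER = ["Low", "Medium", "High", "Critical"]
RISK_APPETITE = "Medium"  # assumed: anything above Medium must be remediated or escalated

# Assessment catalogue per band (assumed mapping of the five assessment types).
ASSESSMENTS_BY_BAND = {
    "Low": [],
    "Medium": ["Cybersecurity"],
    "High": ["Cybersecurity", "Privacy", "Financial"],
    "Critical": ["Cybersecurity", "Privacy", "Financial", "Compliance"],
}


def risk_score(impact, likelihood):
    """Risk = Impact x Likelihood, each rated 1..5."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    return impact * likelihood


def risk_band(score):
    """Look the product up in the risk matrix so every department uses the same scale."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside matrix")


def score_irq(answers):
    """Turn IRQ responses into (impact, likelihood). Each answer is tied to a
    specific contribution (assumed weights); both axes are capped at 5."""
    impact, likelihood = 1, 1  # baseline: every relationship carries some risk
    impact += {"none": 0, "internal": 1, "confidential": 3}[answers.get("data_access", "none")]
    if answers.get("lifetime_spend_usd", 0) >= 1_000_000:
        impact += 1
    months = answers.get("replacement_months", 0)
    impact += 2 if months >= 6 else (1 if months >= 1 else 0)  # harder to replace -> higher impact
    if answers.get("hosted"):
        likelihood += 2  # hosted solution: data leaves the organization's perimeter
    if answers.get("offshore"):
        likelihood += 1
    if answers.get("uses_fourth_parties"):
        likelihood += 1
    return min(impact, 5), min(likelihood, 5)


def required_due_diligence(band, answers):
    """Due diligence commensurate with inherent risk; a hosted answer additionally
    triggers a Cloud Security assessment for anything above Low."""
    required = list(ASSESSMENTS_BY_BAND[band])
    if answers.get("hosted") and band != "Low":
        required.insert(1, "Cloud Security")
    return required


def residual_risk(impact, likelihood, control_effectiveness):
    """Residual risk after assessed controls. Each effectiveness value in 0..1
    reduces likelihood multiplicatively; worst-case impact is left unchanged."""
    remaining = 1.0
    for eff in control_effectiveness:
        if not 0.0 <= eff <= 1.0:
            raise ValueError("control effectiveness must be in 0..1")
        remaining *= 1.0 - eff
    return risk_score(impact, max(1, round(likelihood * remaining)))


def assess(answers, control_effectiveness=()):
    impact, likelihood = score_irq(answers)
    inherent = risk_score(impact, likelihood)
    inherent_band = risk_band(inherent)
    residual = residual_risk(impact, likelihood, control_effectiveness)
    residual_band = risk_band(residual)
    within_appetite = ORDER.index(residual_band) <= ORDER.index(RISK_APPETITE)
    return {
        "impact": impact,
        "likelihood": likelihood,
        "inherent_score": inherent,
        "inherent_band": inherent_band,
        "required_due_diligence": required_due_diligence(inherent_band, answers),
        "residual_score": residual,
        "residual_band": residual_band,
        "treatment": "accept" if within_appetite else "remediate or escalate for acceptance",
    }


# Constructed sample third parties (not real vendors).
SAMPLE_HR_SAAS = {"data_access": "confidential", "hosted": True,
                  "lifetime_spend_usd": 2_000_000, "replacement_months": 9}
SAMPLE_CONSULTANT = {"data_access": "internal", "hosted": False,
                     "lifetime_spend_usd": 50_000, "replacement_months": 0}

if __name__ == "__main__":
    for name, answers in (("HR SaaS", SAMPLE_HR_SAAS), ("Consultant", SAMPLE_CONSULTANT)):
        print(name, assess(answers, control_effectiveness=(0.4,)))
```

The hosted HR provider scores Impact 5 × Likelihood 3 = 15 (High), so the program requires Cybersecurity, Cloud Security, Privacy, and Financial assessments before contracting; a single assessed control rated 40% effective only brings it to 10 (still High, so remediate or escalate), while a second control at 50% drops the residual to 5 (Medium, within appetite). The consultant with internal data scores 2 (Low) and triggers no assessments.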