Third Party Risk Management (TPRM) Training Flashcards

Description and Tags

This set of flashcards covers the methodology, life cycle, and best practices of Third Party Risk Management (TPRM) as presented in the lecture notes.

Last updated 3:09 PM on 7/3/26

217 Terms

1
How is a 'Third Party' broadly defined in TPRM?

All entities that can or do provide products and/or services to an organization regardless of whether a contract is in place or monies are exchanged.

2
What entities are included in the definition of a Third Party?

Affiliates, Subsidiaries, Consultants, Contractors, Sub-Contractors, Vendors, Service and Solution Providers, Supply Chain Vendors, Fourth parties, etc.

3
What is the definition of 'Third Party Risk'?

The possibility of an adverse impact on an organization’s data, financials, operations, reputation, or other business objectives as a direct or indirect result of a third party.

4
What is the mathematical formula for Risk?

Risk = Impact × Likelihood

5
What is a 'Control' in the context of TPRM?

A process and/or activity used to monitor, review, and/or address a specific risk.

6
What defines the 'Third Party Risk Management (TPRM)' framework?

Policies and procedures, controls, and oversight established to identify and address risks imposed upon an organization by their third parties.

7
What is the goal of a Third Party Risk Management Program?

To adequately identify, monitor, and address third party risk to ensure third parties are operating securely and effectively.

8
Who often expects organizations to have mature TPRM programs in place?

Customers, board members, and regulators.

9
What is included in 'Confidential Organizational Data'?

All proprietary and restricted data a company holds, processes, or secures.

10
What is the definition of 'Inherent Risk'?

The level of risk after general information is provided, but absent of any controls that may be in place.

11
What factors are considered in the inherent risk of a third party?

Type of product or service provided, type of data accessed or transferred, geographic location, etc.

12
Does Inherent Risk take into account the controls a third party has in place?

No, it does not take into account safeguarding controls.

13
What is 'Residual Risk'?

The level of inherent risk remaining after implemented controls have been assessed and/or discovered risk has been mitigated.

14
Which risk measurement provides a more accurate picture of the risk landscape?

Residual risk, as it evaluates controls for sufficiency and effectiveness.

15
What are the two all-encompassing TPRM frameworks mentioned?

TPRA’s TPRM 101 Guidebook and OCC, FRB, & FDIC Interagency Guidance.

16
What is ISO/IEC 27036?

The standard series for cybersecurity and information security in supplier (third party) relationships.

17
What does ISO/IEC 27036 provide for acquirers and suppliers?

A structured approach to identify, assess, treat, and monitor information security risks across the full supplier lifecycle.

18
What are the EBA / ECB Outsourcing Guidelines?

EU frameworks requiring formal governance, exit plans, criticality assessment, and outsourcing registers.

19
What do the PRA / FCA Outsourcing & Third Party Risk guidelines require in the UK?

Operational resilience, outsourcing, and third party oversight.

20
What is the 'Shared Assessments Tool-Set'?

A set of tools including best practices for third party assurance.

21
What is the 'SIG' questionnaire in Shared Assessments?

Standardized Information Gathering questionnaire for vendor security & risk.

22
What is the 'SCA' in Shared Assessments?

Standardized Control Assessment for onsite/remote control assessment procedures.

23
What are the 'AUP' in Shared Assessments for?

Agreed Upon Procedures for targeted, independent testing.

24
What is Phase 1 of the TPRM Lifecycle?

Program Planning & Oversight (PPO).

25
What is Phase 2 of the TPRM Lifecycle?

Pre-Contract Due Diligence (PCDD).

26
What is Phase 3 of the TPRM Lifecycle?

Contract Review (CR).

27
What is Phase 4 of the TPRM Lifecycle?

Continuous Monitoring (CM).

28
What is Phase 5 of the TPRM Lifecycle?

Disengagement (D).

29
What is 'Continuous Program Improvement (CPI)' in the TPRM Lifecycle?

An ongoing activity seeking to enhance the program as guidance, trends, and techniques are realized.

30
What is the purpose of Program Planning & Oversight (PPO)?

Provides the foundation to build upon and properly support the overall program.

31
What does Pre-Contract Due Diligence (PCDD) ensure?

That the organization performs due diligence commensurate with the level of inherent risk before signing a contract.

32
What is the purpose of the Contract Review (CR) phase?

Ensures expectations are documented in an agreement upheld in a court of law and risks are addressed in clauses.

33
What does Continuous Monitoring (CM) require an organization to assess?

Third party risk on a continual basis to ensure contract terms, business obligations, and performance expectations are met.

34
What does the Disengagement (D) phase ensure?

The organization can transition away from a third party with minimal impact.

35
What is 'Reputational Risk'?

A negative public view related to dissatisfied customers, security breaches, or violations of law.

36
What results from inadequate or failed internal processes, people, and/or systems?

Operational Risk.

37
What is 'Transactional Risk'?

Issues with service/product delivery or a third party’s failure to perform as expected.

38
What are the three sources of transaction risk exposure?

Technological failure, human error, and fraud.

39
What is 'Compliance Risk'?

Results from a violation of laws or non-compliance with internal policies or procedures.

40
What is 'Cyber Risk'?

Results from the probability of exposure or loss of organizational data due to a technical failure or incident.

41
What is 'Financial Risk'?

Results from a third party’s failure to meet monetary requirements and expectations.

42
What is 'Strategic Risk'?

Results from failing to align strategic goals to business objectives or jeopardizing strategic objectives.

43
What does it mean to 'Accept' risk?

Acknowledge that potential loss is at a level the organization is willing to accept or not treat immediately.

44
What does it mean to 'Remediate' risk?

Working with a third party to create and implement an achievable action plan to add or enhance a control.

45
What is 'Risk Sharing'?

Distributing the responsibility of a risk across multiple organizations or individuals.

46
How can risks be shared contractually?

By sharing the responsibility of risk impact should it be realized.

47
When does 'Risk Transfer' often occur?

In instances where the impact is high, but the likelihood of occurrence is low.

48
To whom does an organization typically transfer risk?

Another organization better suited to handle large-scale risk, such as an insurance company.

49
How do organizations 'Avoid' risk?

By not taking on the risk, avoiding actions causing the risk, or terminating services.

50
Who is in the First LOD?

Front-line business units and operational teams that own and manage risk day-to-day.

51
What is the role of the Second LOD?

Risk management, compliance, and legal functions that set standards and provide independent oversight.

52
What is the Third LOD?

Internal Audit that provides independent, objective assurance over governance and internal controls.

53
To whom does Internal Audit functionally report?

The Board / Audit Committee.

54
Who makes up the Fourth LOD?

External parties like external auditors, examiners, and regulators.

55
What does Program Planning & Oversight (PPO) set the groundwork for?

A strong, sustainable third party risk program managed at the highest level.

56
What should Executives do as sponsors of the TPRM program?

Act as advocates for initiatives and provide oversight through risk escalation and acceptance processes.

57
What should a 'Business Case' for TPRM include?

Description and features, benchmarking, potential ROI, expectations of leadership, and the risk of not having a program.

58
What is a 'Pilot or Phased Approach' in gaining executive support?

Proposing a program with a select group of third parties to showcase value before full-scale rollout.

59
Who are 'TPRM Champions'?

Key decision-makers and influencers across risk, procurement, IT, and finance who advocate for the program.

60
At what frequency should TPRM policies and procedures be reviewed?

On an annual basis.

61
Name three items high-level P&P should include.

Purpose Statement, Roles & Responsibilities, and Version History.

62
Name five sources for developing an inventory of third parties.

Executed contracts, Accounts Payable invoices, P-Card reports, Software Discovery Tool reports, and Business Unit surveys.

63
Name five sub-service categories for products/services.

Software, Hardware, Professional Services, Data Management, and Marketing Services.

64
What inventory data element refers to 'Doing Business As'?

DBA Name.

65
What is 'Potential Business Impact' in the inventory context?

A data element tracking the possible effect of the third party on the organization.

66
List the four key benefits of TPRM Governance & Oversight.

Accountability, Consistency, Support, and Value.

67
What is the 'Accountability' benefit?

Benefit from setting clear expectations and defined roles and responsibilities.

68
What is the 'Consistency' benefit?

Benefit from defining program requirements and creating structured metrics.

69
What is the 'Support' benefit?

Benefit from executive-level oversight and participation.

70
What is the 'Value' benefit?

Benefit of program outcomes leading to risk mitigation and impact reduction.

71
What is the responsibility of the Board of Directors in TPRM Governance?

Ensuring relationships are managed consistent with strategic goals and risk appetite.

72
What does the TPRM Program Owner/Facilitator do?

Develops and implements the program, coordinates due diligence, and advises on risk strategy.

73
Who owns the risk related to a specific third party?

The Business / Relationship Owner.

74
What should Risk Ratings be in line with?

The organization’s risk appetite.

75
What is the purpose of a Risk Matrix?

Ensures a consistent methodology is applied to evaluation and ensures all departments speak the same language.

76
What are 'TPRM Program Metrics'?

Metrics such as the number of third parties, frequency of assessments, and program milestones.

77
What are 'Assessment Metrics'?

Metrics such as time to complete assessments, number of gaps, and number of risk escalations.

78
What are 'Incident Response Metrics'?

Metrics such as number of parties with identified incidents and time to remediate.

79
To whom should TPRM metrics reporting be tailored?

Specific target audiences like the Board, Executives, and Business Owners.

80
How often should TPRM training be held at a minimum?

Annually.

81
When should training be held for a new relationship owner?

When the new relationship owner is established.

82
What should third party training cover?

Due diligence activities, expectations, escalation procedures, and risk remediation.

83
Name three elements of a TPRM Training Program.

Regulatory Requirements, Due Diligence Activities, and Incident Management Process.

84
What can occur if a third party is not compliant with laws?

Exposure to legal liability, fines, and reputational damage.

85
How can organizations maintain compliance?

Staying informed of updates, regular audits, and having an incident response plan for non-compliance.

86
What should proposed budget requirements align with?

Roadmap, maturity level, and organizational risk appetite.

87
List six budget considerations for TPRM.

Resources, Operations, Maturity Model, Travel, Training, and Tools.

88
What budget consideration covers conferences and certifications?

Training.

89
What budget consideration covers costs associated with automation?

Tools.

90
Which phase informs contracting efforts and sets the tone for continuous monitoring?

Pre-Contract Due Diligence.

91
What is a 'Third Party Profile'?

A comprehensive profile for each third party including details relevant to the nature of the relationship.

92
What is the purpose of an Inherent Risk Assessment (IRA)?

To gain a comprehensive understanding of the potential impact a third party could pose prior to controls being assessed.

93
How many questions should the Inherent Risk Questionnaire (IRQ) typically have?

Between 10 and 20 questions.

94
Who carries out the Inherent Risk Assessment?

Usually the business, with input from the third party if necessary.

95
What should be used to consistently determine due diligence efforts within the IRA?

Tie due diligence activities to specific questions and responses.

96
Name three questions typically included in an IRA.

"Will the third party have access to data?", "Is this a hosted solution/service?", and "What is the spend over the life of the contract?"

97
How long can it take to replace a third party according to an IRA question?

It is a factor of concern; the question asks how long the replacement would take.

98
What is 'Residual Risk' assessment proportional to?

The level of risk noted within the inherent risk questionnaire.

99
Why should a risk-based approach be used for assessments?

To allow organizations to focus on critical areas where potential risks are higher.

100
Name five types of Risk-Based Assessments.

Cybersecurity, Cloud Security, Financial, Privacy, and Compliance assessments.