Docsity
CTPRP exam 2025, third party risk management, TPRM study guide, vendor risk, GRC framework, Exams of Business Economics

Expert-level 2025/2026 CTPRP exam study guide featuring verified content on third party risk management (TPRM), governance, risk and compliance (GRC), risk frameworks, contract lifecycle, data protection, ESG, vendor due diligence, and enterprise risk models

Typology: Exams

2024/2025

Available from 04/26/2025

TUTOR2025
CTPRP (Certified Third Party Risk Professional).
Fully Expert Certified 100%

A fully developed TPRM program has become a critical component of an organization's approach to....? - ans: Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) risk factors - ans: strategic risks, financial risks, operational risks, compliance risk, IT and infrastructure risks, reputational risks

GRC - ans: Governance, Risk, and Compliance

GRC Definition - ans: Governance, Risk, and Compliance (GRC) is the framework and tools, such as policies, procedures, controls, and the decision-making hierarchy, that are employed to manage risk in the organization. GRC systems partially automate risk management processes, such as onboarding, ongoing oversight, compliance, incident/issue management, and maintenance of TP risk registers and inventories.

Definition of Frameworks - ans: A framework is flexible and allows for adaptation. Frameworks outline a broad perspective of interlinked items in a field of practice.

Definition of Standards - ans: A standard is clearly defined, rigid, and universally accepted as the best method for addressing a specific topic. Within a standard, there is typically one accepted way of accomplishing the task.

Within TPRM, it is common for technology controls to leverage _____, and risk management functions to leverage _____ to frame the requirements - ans: Standards; Frameworks

Regulations, Statutes, and Laws - ans: Managing Compliance Obligations. Compliance obligations can be driven by statutory, regulatory, contractual, or industry requirements. While specific regulations are sectoral or country specific, there are more commonalities in how regulations are being shaped by international, federal, or state/provincial regulators that influence TPRM.

Industry Sector Guidance - ans: Industry sectors that are more highly regulated have designated governmental agencies or functions responsible for oversight of participants in that industry. These entities publish guidance that creates requirements and obligations for both Outsourcers and SPs within each respective industry. In some sectors, like financial services and healthcare, there may be formalized audits or examinations to assess compliance for TP SPs.

Established Risk Culture. The first step is to ensure that requirements for risk-based vendor management are communicated to the organization. Consider the following: - ans:
Tone at the top
Risk posture
Risk tolerance
Risk management methodology
Acceptance process and exception process

Comparing Vendor Management and Vendor Risk Management - ans: The points of view on roles and responsibilities between vendor management and vendor risk management are often misunderstood. Let's look at both the similarities and differences.

Vendor Management - ans: In vendor management, the viewpoint is operations-based. The organization will focus on issues or service delivery complaints. This involves cross-functional resources collaborating on defining requirements, contract terms and provisions, and key metrics that define the relationship.

Vendor Risk Management - ans: In vendor risk management, the viewpoint is risk-based. The organization will focus on risks and threats. Just like in vendor management, these processes involve cross-functional resources collaborating on defining requirements, contract terms and provisions, and key metrics that define the relationship.

The risk associated with an outsourced activity takes many forms - ans: These include the specific risks associated with outsourcing, including but not limited to financial stability, financial criminal activity monitoring, reputational, concentration, legal, country, operational, technology, and security.

The organizational function that identifies the need to outsource an activity should...... - ans: determine the inherent risk associated with performing that activity. The inherent risks identified will then determine the type and level of due diligence and control validation to be performed to mitigate the risks associated with the activity.

Types of Risks in Third Party Relationships - ans: Risk in Third Party relationships can be looked at based upon process, technology, or external factors. Each type of risk requires processes for risk identification, quantification, prioritization, and mitigation. Risk in Third Party relationships may be viewed at the organizational level or at a product/service level. For TPRM programs, the fundamental point of view is to evaluate the risk based upon the function that has been outsourced.

Performance Risk: - ans: The TP may not be able to meet its obligations due to inadequate systems or processes.
Reliability Risk: - ans: The TP may not be able to adhere to an expected or contracted level of service.
Reputation or Brand Risk: - ans: Damage to reputation or loss of clients due to poor customer service, errors, processing delays, fraud, fines, etc.
Competency Risk: - ans: The TP may not be able to retain skilled employees or maintain up-to-date personnel qualifications.
Availability Risk: - ans: The TP's systems may not have sufficient redundancy or resiliency during an event or incident.
Technology Risk: - ans: The TP's technology becomes obsolete, or a change in technology triggers operational impact to the company.
Cybersecurity Risk: - ans: The TP may fail to appropriately manage threats, vulnerabilities, and controls, which may result in loss of data.
Scalability Risk: - ans: The TP may not be able to support growth or spikes in demand without service failures or decline in performance.
Compliance Risk: - ans: The TP may not be in compliance with applicable laws, regulations, or contractual obligations.

When an organization decides to seek external assistance from a Third Party or establishes an internal dedicated entity (an Affiliate) to provide specific services and expertise, then that organization will leverage... - ans: Outsourcing, to enter into a contractual relationship to obtain those services. The development of optimal contract terms is a critical best practice in TPRM. However, contract terms should never replace oversight by the Outsourcer.

ESG - ans: Environmental, Social, and Governance

GDPR - ans: General Data Protection Regulation


example, personal information that identifies racial origin, political opinion, religious belief, sexual orientation, criminal convictions, or certain healthcare concerns requires stronger limitations on collection, use, and disclosure.

Personally Identifiable Information (PII) - ans: The U.S. defines PII as a legal concept. It is any information about an individual, including any information that can be used to distinguish or trace an individual's identity. This includes name, social security number, date and place of birth, mother's maiden name, or biometric records. It also includes any other information that is linkable to an individual, such as medical, educational, financial, and employment information. The ISO/IEC defines PII as any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, from which identification or contact information of an individual person can be derived, or that is, or might be, directly or indirectly linked to a natural person.

Protected Health Information (PHI) - ans: PHI is any individually identifiable health information transmitted or maintained in any medium. This includes demographic information that is created or received by a health care provider, health plan, or health care clearinghouse. The US Office for Civil Rights (OCR) is the examination body for compliance with PHI requirements, and guidance is issued under the US Health and Human Services (HHS) Agency.

PHI is a subset of PII because.... - ans: PHI is also linked to an individual. PII is considered PHI when linked with health information and obtained by or on behalf of a health plan or health care provider (i.e., when a patient's name appears on a prescription). PHI is not defined as a data classification under the EU's GDPR. Under GDPR, healthcare information about an individual is classified as Sensitive Personal Data.

Cardholder Data - ans: The Payment Card Industry Data Security Standard (PCI-DSS) sets obligations to protect this information.

Cardholder data is credit or debit card information that includes the... - ans: Primary Account Number (PAN). This is the payment card number that identifies the issuer and the specific cardholder account. Cardholder data may also appear in the form of the full PAN combined with either the cardholder's name, expiration date, or service code (the three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic-stripe read transaction).

Data Governance - ans: A Third Party that is entrusted with your organization's data should have controls to manage the lifecycle of your data. Assessments focus on data that is involved in the outsourced services, called "Target" or "Scoped" data.

Data Flow - ans: Access of Personal Data --> Processing of Personal Data --> Storage & Retention of Personal Data

Understanding the data environment of the entity or services being assessed starts with... - ans: identifying attributes about the environment where Target Data is collected, accessed, processed, or retained. Identifying the use of dedicated or shared environments and the scope of international footprints are critical factors in planning a Third Party vendor risk review or vendor assessment. It is equally important for your company to know where your data is and from where it can be accessed!

TPRM and Managing Risk. The TPRM process evaluates and compensates for... - ans: potential threats stemming from the use of Third Parties (agents, affiliates, vendors, Fourth Parties, and beyond in some instances) that support an Outsourcer's organization in order to better meet the organization's strategy and business objectives.

While organizations can outsource actions and services, they can never.... - ans: outsource accountability.

The TPRM lifecycle is a widely recognized model for understanding how TPRM works over time. In order to provide appropriate degrees of assurance, this model includes five components: - ans: Planning, Due Diligence and Third Party Selection, Contract Negotiation, Ongoing Monitoring, and Termination.

By using this model as a guide for planning, development, implementation, and evaluation of its programs,.... - ans: Outsourcers can gain a better understanding of the overall effectiveness of their own TPRM program.

Planning - ans: Involves scoping objectives for outsourcing, determining what should be outsourced, establishing risk criteria at the scope of work (activity level), establishing the relationship owner, and developing a TP inventory.

Due Diligence and Third Party Selection - ans: Involves assessing TPs before making the decision to enter into a contract and conducting assessments and evaluations on each TP. The type of due diligence is directly related to the type of risk that is posed by that TP.

Contract Negotiation - ans: Includes clearly defined expectations, formalizing control requirements, and how any control weaknesses identified during due diligence will need to be addressed. Procedures, processes, monitoring rights and expectations, notifications, and other internal and external communication requirements are addressed during this stage before onboarding. Contracts and addendums can be developed to allow for modification as needed over the life of the relationship.

Ongoing Monitoring - ans: Applies oversight against contractual requirements, with reporting to appropriate levels of the Outsourcer's management. Monitoring should be adapted as needed over the life of the relationship. In addition to point-in-time and continuous monitoring, a periodic TPRM program is an essential exercise. Insights from this phase are developed in the planning phase of subsequent cycles.

Termination - ans: An Exit or Termination Strategy utilizes a pre-defined exit strategy and comes at the end of a contract, through cause, or by identifying a contingency approach. Exits or terminations may be defined as hostile or non-hostile, depending on the drivers for discontinuation of the relationship. Hostile exits require additional risk mitigation focus. Contingency planning for unexpected terminations, if the activity needs to be continued, requires activities that are evaluated for transition to another TP or to bring the activity in house. Handling of the destruction or retention of intellectual property (IP) introduced during the relationship must be accounted for during the termination process. Agreements on handling of any residual data should be defined in the contract or transition plan.

Each TPRM lifecycle component is based on the concepts of.... - ans: "Plan," "Trust," "Verify," and "Evaluate"


Third Party Risk Analyst Perspective - ans: As a Third Party risk professional, it is important to understand these distinctions and "why" they are important in TPRM. Your role is to define control requirements and assess Third Party relationships against those requirements. You need to be aware of any absent or failing controls that do not meet your organization's standards. You rely on the Third Party risk assessment process and risk assessors to identify and assess the controls in place to mitigate inherent risk, or to accept the remaining risks after understanding the vendor's control environment.

TPRM and Documenting Risk - ans: Driving and evaluating TPRM program effectiveness requires the development of a clear and documented organization-level understanding of the amount of risk an organization is willing to bear in order to pursue its strategic and measurable objectives.

An organization's risk appetite statement documents, at a high level, the acceptable... - ans: level of risk that board and executive management agree is appropriate, given the organization's business objectives. The development of a clear and documented organization-level risk appetite statement and the acceptable risk threshold (risk tolerance) metrics that flow from it is typically a top-down and bottom-up iterative process. That process drives TPRM program development and processes.

Third Party Risk Analyst Perspective - ans: As a TP Risk professional, I must know and understand "Who is doing what?" Roles and responsibilities must be clearly defined for TPRM. I need to ask and assess "How does this fit into our enterprise policies?" I need to create a risk management framework to focus the approach. The structure should be the right size based on risk. I must consider the following:
o Identify emerging risks that affect my program
o Determine frequency of review
o Identify the level of formality/documentation that I need
o Identify the key processes in scope for my governance model

Risk Culture - ans: Risk culture is the set of shared values and beliefs that governs a company's attitudes toward risk. Attitudes include the approach towards risk taking, care, and integrity. This determines how risks and losses are openly reported and discussed.

Risk Appetite - ans: Risk appetite is the threshold of risk a company is willing to assume in order to achieve a potential desired result.

Risk Tolerance - ans: Risk tolerance is the measurement of the range of acceptable outcomes that conveys the willingness of the company to bear the consequences of a specific risk.

Risk Treatment - ans: Risk governance starts with ongoing processes to identify, assess, manage, and communicate risk. How an organization decides to handle a risk is called risk treatment. The company can take several courses of action. These include avoiding the risk, accepting the risk, monitoring the risk, transferring the risk, or mitigating the risk. Risk treatment describes how the organization will address the risk, which may be documented in a Risk Treatment Plan.

Three Lines of Defense Model - ans: Determines how the TPRM Program aligns with the Three Lines of Defense for risk management within the organization. While TPRM usually resides in the second line, establishing how it interacts with the other two lines of defense is critical.

First Line of Defense - ans: The first line of defense consists of the lines of business who utilize the outsourced services. The business unit managers usually control the vendor relationship and may serve as the primary point of contact for gathering assessment due diligence and ensuring that remediation efforts are completed. They have ownership of the risks the business unit will accept.

Second Line of Defense - ans: The second line of defense is comprised of the groups within the company who provide risk oversight (risk management, compliance, legal, etc.). These groups establish the policies, procedures, and controls for managing risk and provide oversight and guidance for the first line.

Third Line of Defense - ans: The third line of defense consists of the independent assurance providers: internal/external audit. These groups provide validation for the risk and control assessments established by the second line, testing them as appropriate.

TPRM Foundation - ans: "Trust, but Verify"

Trust, but Verify - ans: Provides a best practice approach for directing risk management resources in a way that is tailored to and commensurate with the degree of risk posed by the individual service or services being outsourced.

Ongoing Monitoring - ans: Allows outsourcers to gain ongoing insight into third party risk posture. Periodic Monitoring or Continuous Monitoring (CM).

Continuous Monitoring - ans: Is a risk management approach designed to maintain an uninterrupted view of a Third Party's control posture, often in real-time.

1. Which statement provides the best definition of the difference between vendor management and vendor risk management?
a. Vendor management is primarily a procurement function of supply chain management.
b. Vendor risk management is a function performed by the company's internal audit department, while vendor management is handled by the contract team.
c. Vendor management takes an operational focus on controlling costs and performance based on contract terms. Vendor risk management adds additional risk assessment and controls assessment to that foundation, addressing multiple types of risk that are typically tracked in an Enterprise Risk Management Program.
d. Vendor management and vendor risk management are interchangeable terms.
- ans: Answer: C. Vendor management is a narrow focus on managing the relationship, while vendor risk management adds to that focus additional layers of oversight of what Third Party risks could impact the organization.
If answered A: The organizational alignment is not the attribute that creates the difference in the terms. The difference is in the scope and nature of the functions performed.
If answered B: The reporting structure is not the attribute that creates the difference in the terms. Internal audit may perform a review of the functions as part of their independent assurance role.
If answered D: The model is flexible and is based on risk management and governance. The model provides a framework for organizational functions based on the size and complexity of the company.

1. Risk is the likelihood that unplanned events will occur and impact the achievement of strategy and business objectives. Residual risk is defined as:
a. The risk level or exposure that exists before any actions (e.g., implementing controls) are taken, or might be taken, to mitigate the risk.
b. Risks that can be described qualitatively in terms of magnitudes in relation to other similar events or states.
c. The remaining, potential risk after all mitigation and control measures are applied.
d. Risks that can be demonstrated quantitatively using mathematics and actual historical data or predictive data modeling.
- ans: Answer: C. Residual risk is the risk that remains after compensating controls or mitigation efforts. The remaining risk then needs to be evaluated for risk acceptance or treatment options.
If answered A: This statement describes inherent risk. Inherent risk is the risk level or exposure that exists before any actions (e.g., implementing controls) are taken, or might be taken, to mitigate the risk.
If answered B: This is an example of qualitative risk. Evaluating risk in this method typically provides a high, medium, or low rating to the risk using judgement.
If answered D: This statement defines quantitative risk, where the impact of the risk can be specifically measured using formulas and methodologies.

2. Which statement best describes how data protection regulations impact Third Party risk in today's environment?
a. While some best practice frameworks recommend assessing Third Party security compliance, there are no regulations requiring that Third Parties be assessed for compliance.
b. Most data protection regulations focus on consumer rights and principles and have little impact on the IT control environment or infrastructure.
c. Data protection regulations are not as significant as emerging technologies in changing Third Party risk expectations.
d. Data classification may be based on the privacy context of the data subject and the business model. Specific regulations will define distinct data protection requirements that apply to Outsourcers and service providers, defining expected controls for privacy and security. Regulations are evolving to address changes in emerging technology.
- ans: Answer: D. Data protection encompasses both privacy and security. The type of personal information involved in a service will trigger different regulatory obligations that impact how Third Party risk is assessed.
If answered A: Certain regulations define requirements for assessing Third Party risk, and certain industries require formal audits or examinations for compliance. For example, in healthcare and financial services, formal examinations are performed by the regulators and include inspection of Third Parties.
If answered B: While data protection regulations may include notices or rights for individuals, delivering on those obligations requires maturity in data governance, data mapping, and data flows, which have significant IT implications to enable compliance.
If answered C: Data protection regulations may be jurisdictional, industry, or service and technology based. Technology does evolve faster than regulations given the pace of change. Regulations provide the guidance on the expected use of new technology that defines the obligations of the Outsourcer, Third Parties, and Fourth Parties.

1. Risk-based classifications and criteria for outsourced services should be developed based on the risk they present to the organization. Each statement about a mature classification would be accurate, EXCEPT:
a. Third Parties should be risk-tiered based on the inherent risk of the services provided.
b. Classification is at the service level based on inherent risk (critical, high, medium, low).
c. Mature classification is assigned an Assurance Level or Tier (1-Critical/High, 2-Essential/Medium, 3-Basic/Low, etc.).
d. Classification is based on the number of resources available to conduct the assessments.
- ans: Answer: D. Vendor classification should be based on risk and risk acceptance, not resource allocation. A common challenge is that organizations may set a policy that defines more stringent expectations than resources can meet. But that is a compliance issue. If resources are not available, that is a new risk to bring back for risk treatment, or to justify a business case for additional resources to close the gap.
If answered A: The starting point of a vendor risk classification is based on the nature of the services outsourced and the potential impact to the company in the absence of controls.
If answered B: Once the potential risk is identified, the classification structure should define the criticality or severity of that risk using terminology that clearly conveys the tiering of the risk.
If answered C: Based on the presented risk tier, due diligence requirements for that tier define the assurance levels of the scope of due diligence to be performed in order to assess the risk in the Third Party relationship.

2. Which of the following does NOT reflect an attribute that defines an organization's risk tolerance?
a. The organization's willingness or readiness to bear a risk after treatment
b. How an organization measures what risk it is willing to assume in order to achieve its business objectives
c. Risk tolerance is defined by legal or regulatory requirements
d. The amount and type of risk an organization will accept
- ans: Answer: C. Risk tolerance is defined as the level of risk the company can accept after certain actions are taken. Tolerance


b. Virtual workforce and vendors
c. Extended network endpoints
d. Rise in monitoring solutions
- ans: Answer: A. Ransomware as a trend has increased due to shifts in the threat landscape. In an assessment, you may assess a vendor's readiness to respond to an attack, but you would focus on secure data recovery techniques.
If answered B: Virtual workers and virtual vendors impacted the type of assessment, method of due diligence, and risk factors like remote access. The shift to virtual assessments was triggered by pandemic limitations.
If answered C: Remote workers and remote vendors directly changed the footprint of the environment to be assessed. The shift to virtual work and remote access triggered a focus on a zero-trust methodology.
If answered D: The extended endpoints of the enterprise triggered a rise in the use of monitoring solutions for access, activity, and data loss prevention. Monitoring functions can be used internally or for specific third party risk focus areas.

1. Which list identifies factors that may be considered environmental hazards in ESG?
a. Sustainability, energy use, climate change mitigation, and adaptation
b. Management structures, employee relations, executive remuneration, and compliance
c. Inequality, inclusiveness, labor relations, and human capital
d. Heatwaves, water availability, floods, and wildfires
- ans: Answer: D. Environmental hazards are external factors that create risk due to changes in the external environment. All of the items listed are external factors the company cannot directly control.
If answered A: This list focuses on environmental factors that can be influenced by internal company actions. A company can take a position on how to address sustainability in its operations but cannot influence environmental hazards like floods or wildfires.
If answered B: This list focuses on the governance factors in ESG that are internally driven. Governance is influenced by company culture, values, and risk posture and is based on internal factors.
If answered C: This list focuses on the social aspects of ESG risk. The social element of ESG is focused on people, personnel, and relationships.

2. Which statement best defines the distinction between a standard and a framework?
a. Standards and frameworks are synonymous since they are both voluntary.
b. A standard is clearly defined, rigid, and universally accepted as the best method for addressing a specific topic, while frameworks are flexible and allow for adaptation.
c. Frameworks are self-regulatory, while standards are created solely by technology associations.
d. Standards can be adapted to each organization's needs, while frameworks are not customizable.
- ans: Answer: B. Standards are measurable and distinct. Within a standard, there is typically one accepted way of accomplishing the task. Frameworks outline a broad perspective of interlinked items in a field of practice. Frameworks are used to organize control concepts, which simplifies communication to management.
If answered A: Standards and frameworks are not the same concept even if voluntary. Organizations can align TPRM to external standards and create their own internal standards that align to a policy. A framework is more conceptual in how the TPRM program may organize policies and procedures but does not get at detailed configuration requirements.
If answered C: Frameworks can be created for both technology and non-IT risks. Frameworks organize concepts around common topics, and can be used for privacy, ESG, or many other control topics.
If answered D: The opposite is actually true. Standards are distinct and measurable to enable the quantification of the gap to the desired control. A framework is adaptable to align to the organization's approach to risk. It organizes the business context of a particular risk focus area.

  1. Which event timeframe is the LEAST effective timeframe to perform due diligence?
     a. During the vendor selection process
     b. During the onboarding process
     c. After contract negotiation and execution
     d. Cyclically during the relationship
     - ansAnswer C: Conducting due diligence AFTER the contract is executed creates a gap in the ability to include specific criteria or requirements in the contract. Gaps identified may then require changes to contract terms, and the outsourcer has lost leverage with the vendor at this phase of the contract lifecycle.
     If answered A: Preliminary due diligence may be performed during vendor selection as part of the RFP. After vendor selection, more thorough due diligence should be performed to identify control gaps or areas for contract negotiation.
     If answered B: Onboarding due diligence may include controls evaluation based on decisions made for implementation of the new relationship. Assessing controls for application security or application integration may be a part of onboarding as decisions are made for system access, remote access, or network connectivity.
     If answered D: Due diligence may be conducted at any phase in the relationship based on standards or changes in risk. Due diligence standards and prior assessment results define the timeframes for periodic due diligence.

Module 2 - Third Party Risk Program Management

Program Governance - ansstarts with aligning TPRM to the organization's risk culture to ensure that the requirements for risk-based vendor management are defined and communicated to the organization. Consider the following when thinking of program governance:
  • Tone at the top
  • ESG: Third Party risk puts the spotlight on climate-related disclosure requirements and frameworks

  • Human Capital: the brand risk from practices regarding human capital are triggering a focus on labor, wage equity, and human rights
  • Transparency: Supply chain distribution has exposed gaps in operational resilience. Ethical business practices and codes of conduct require transparency in data collection and use
  • Artificial Intelligence (AI): Digital transformation leverages AI and machine learning to drive automation and relies on an interconnected network of relationships
  • Adaptation: Traditional IT risk and data breach risk have changed as data governance practices adapt to new technology
  • Computing: Edge computing brings the storage and processing of data near the source to enable efficiency with 5G and IoT adoption while minimizing use of network bandwidth
  • Cybersecurity: the focus on cybersecurity changes TPRM practices to address the use of quantum computing to enable stronger cryptography to defend against attacks

Third party risk is just one risk focus area that may be included in an organization's overall approach to ... - ansEnterprise Risk Management (ERM). The organization's ERM program brings together the different types of risk posed by third parties and identifies the methods and processes used to manage each risk.

Consider the following: - ans
  • Reputation and strategic risk
  • Financial, credit, or concentration risk
  • Cross border or geolocation risks
  • Fourth-Nth party risk
  • Cybersecurity or data protection practices, including the use of emerging technologies
  • Business continuity plans, recovery standards, and contractual remedies
  • Supply chain risk for the development, acquisition, maintenance, and disposal of software, technology, and systems

ERM is... - ansan "umbrella" risk governance structure. It is designed to meet company goals and objectives, establish trust, and is aligned to company mission, vision, and culture. It also defines risk mitigation approaches based on each type of risk, and its governance model is adjusted based on changes and is communicated to the enterprise.

The Third Party Inventory and Risk Register is ... - ansa shared responsibility and relationship. The key components are an inventory of Third Party relationships and the risks involved with outsourcing a specific service or activity; defining risk attributes; rating risks based on multiple factors; and creating a sum of all the risks associated with all Third Parties across the organization.

Third Party Inventory - ansThird Party Inventory (in certain jurisdictions referred to as a Third Party Register) is a complete and accurate record of all Third Party providers and services. The inventory is a key requirement of the risk rating process and an important foundational requirement for the execution of a sound assessment process. Inventories provide an up-to-date record of all outsourcing relationships across an organization. The Third Party inventory contains a greater body of detail about each vendor than the Third Party risk register, which is a subset of the larger inventory.

Third Party Risk Register - ansA Third Party risk register is an inventory set up and used throughout the vendor lifecycle in which an organization identifies all the risks involved in
outsourcing a specific service or activity, providing in sum a record of all the risks associated with all Third Parties across the organization. Risk Registers should reflect the tracking of risks within each Third Party relationship and across the entire TPRM portfolio. Attributes included in a Third Party Risk Register include:
  • Unique identifier for each risk
  • Description of each risk
  • Assessment of the likelihood the risk will occur
  • Grading of the possible seriousness and impact if it does occur
  • Risk mitigation plan (accept, avoid, transfer, etc.)
  • Grading of each risk
  • Ownership for management
  • Assignment of the risk
  • Management of proposed mitigation plans
  • Cost of mitigation strategy

The inventory should detail... - ansThird Party relationships that involve and support critical activities, as well as identify and track Fourth Parties (subcontractors) and affiliates being used to support the services provided. A complete and accurate inventory is a key requirement of the risk rating process and an important foundational requirement for the execution of a sound vendor risk assessment process.

To be effective, inventory documentation should enable: - ans
  • Understanding of the Process
  • Common Inventory
  • Repeatable and Reliable Process

Understanding the Process - ansThere should be a consistent understanding across the organization about the required risk management processes involved in TPRM. This includes knowing who is responsible for those processes (e.g., due diligence, flagging, and escalating incidents and issues).

Common Inventory - ansMake use of one common inventory, complete with tiered risk ratings across the organization. Ideally, the inventory should be centralized and accessible to everyone within the organization with need-to-know access. Third Parties may have multiple relationships with an Outsourcer, which should be documented to understand the aggregate inherent risk associated with all Third Party relationships.
Repeatable and Reliable Process - ansA repeatable and reliable process should be established for identifying and categorizing Third Parties. Once established, this process can be used to keep vendor records up-to-date and to create records for new Third Parties as they are brought onboard.

4 Foundational Requirements of Maintaining Inventory - ans
  1. Centralized database for all Third Parties - this includes IT vendors, consulting firms (including independent contractors such as law firms, brokers, agents, affiliates, etc.), custodial, building maintenance, and physical security firms
  2. Detailed relationships that involve and support critical activities
  3. Fourth Parties (subcontractors) to support the services provided to the Outsourcer
Procurement team functions focus on finding suppliers and agreeing to terms, often using a tendering or competitive bidding process.

Strategic sourcing - ansStrategic sourcing is an organizational function that focuses on indirect goods and services, developing channels of supply at the lowest total cost, not just purchase price.

Both functions work together while procurement is more focused on the __________. Strategic sourcing team members take a more ________ to manage risk, analyze spend, define the vendor strategy, and qualify suppliers. Strategic sourcing teams will often negotiate and manage contract terms based on predefined contract templates that incorporate company requirements. - ansoperational tasks and activities of fulfillment; strategic approach

Contracts Team Roles - ansMultiple teams are engaged in contract management and administration for third party agreements. Each organization will structure the roles and responsibilities for creating, negotiating, signing, and approving contracts based on internal policies. Contract policies define the structure or hierarchy for how contracts and contract exceptions are approved based on factors like criticality, spend, risk, or compliance. Contract teams may be centralized or decentralized based on the size of the company and volume of third party relationships.

Procurement - ansWe handle the set-ups, quotes, purchase orders, payment authorizations, and settlements.

Security - ansWe ensure that required security information and data protection contract provisions are in place and that security requirements have been provided and agreed to between parties.

Third Party Risk Committee - ansWe review the status of the portfolio of vendor relationships, and the status of risks, issues, and performance. We receive summary reports from the TPRM team on the status of due diligence and monitoring activities.

Legal - ansWe provide standard contract templates and authorized clauses. We also review non-standard language to protect the company from risk or liability.

Third Party Management Team - ansWe apply the TPRM policies and standards to conduct due diligence and oversight of risk in the third party relationships based on contractual obligations.

Business Lines - ansWe own the risk of the services being outsourced and are the business owners who approve the method of risk treatment.

Third Party Contract Management - ansThe contract defines the entire relationship with the vendor. It establishes the rights, roles, and responsibilities. This includes the organization's ability to assess and require remediation from the vendor.

Prerequisites for a robust Third Party Contract Management process include: - ans
  • Presence of an effective risk control framework
  • Presence of an effective Contract Management System (CMS) that tracks contract evolution across the lifecycle
  • Strong and experienced legal support structure (internal and external)
  • Relationship owners providing detailed requirements for Statements of Work (SOWs) that are categorized by risk and service type
  • Standard contract templates for Request for Proposals (RFPs), Master Services Agreements (MSAs), Statements of Work (SOWs), and Service Level Agreements (SLAs)
  • Monitoring processes to trigger reviews or updates to contract provisions based on changes in the internal or external environment

Third Party Contract Lifecycle - 4 stages - ans
  1. New Relationship Planning
  2. Third Party Selection
  3. Relationship Management
  4. Contract Termination

New Relationship Planning - ans
  - When thinking about TP contract management, we must first think about new relationship planning. You can break that up between service-specific planning and RFP requirements.
    o For new relationships, you define your requirements starting with service-specific planning in order for you to craft a Request for Proposal (RFP).
    o Your service-specific planning will define individual controls and other requirements for each service that will be required in any RFP.
    o Develop RFP: The RFP will include standard up-to-date security requirements, monitoring allowances, performance standards, and other service-specific contract requirements.
    o You must ensure that the RFP includes any special oversight provisions based on service criticality.
    o The following are key elements to consider when you are between the process of new relationship planning and Third Party selection:
      · Business unit need
      · RFI/RFP creation
      · Contract templates
      · Financial proposals
      · Operational requirements

Third Party Selection - ans
  - Using your RFP rating criteria, you begin to negotiate terms, contracts, and reporting requirements. With contract negotiations, ensure that there is deeper due diligence on short-listed parties. Complete the closure, which is the mitigation of any issues discovered during due diligence ahead of onboarding. Now you can execute your contract and begin onboarding.
    o The following are key elements to consider when you are between the process of Third Party selection and relationship management:
      § Negotiation of terms
      § Contract term approval
      § Contract execution
      § Statements of Work (SOW)
      § Reporting requirements

Relationship Management - ans
    o Let's put a spotlight on contract reviews. This is a cyclical review that is consistent with risk ratings. Contracts must also be updated for increased