Third-Party Risk Management (TPRM): A Guide for 2025

November 20, 2025

Third-Party Risk Management (TPRM) is the discipline of assessing and monitoring risk from vendors and suppliers. When you rely on third parties for critical services or data, their failure or misconduct becomes your risk. This guide covers how to build a TPRM program in 2025: tiers, questionnaires, due diligence, and continuous monitoring.

Why TPRM Matters

  • Operational risk: A key supplier goes bankrupt or fails to deliver.
  • Cybersecurity and compliance: A vendor suffers a breach or fails a SOC 2 audit, putting your data or your customers' data at risk.
  • Regulatory: Regulators expect you to know and manage your third-party risk (e.g. financial services, healthcare, GDPR).
  • Reputation: A supplier's labor or environmental practices can become your headline.

Building a TPRM Program

1. Define Risk Tiers

Not all vendors are equal. Tier by criticality: critical (core to operations or handling sensitive data), high, medium, low. Apply more rigor—questionnaires, audits, continuous monitoring—to higher tiers.

2. Assessment Questionnaires

Use standardized questionnaires (e.g. security, privacy, business continuity) so you can compare vendors and track changes over time. Score responses and flag gaps. Many organizations start from industry templates (e.g. SIG, CAIQ) and customize them.

3. Due Diligence

Before onboarding (and periodically for critical vendors): review financials, certifications (e.g. ISO 27001, SOC 2), insurance, and contract terms. Document everything so you can demonstrate oversight to auditors and regulators.

4. Continuous Monitoring

TPRM doesn't end at onboarding. Monitor for: certificate expiry, breach databases, news, and performance. Re-assess on a schedule (e.g. annually for critical vendors) or whenever a risk trigger occurs.

5. Link to Your Risk Register

Vendor risk should appear in your enterprise risk register. When a vendor is critical to a process, the risk of "vendor X failure" should be a risk in your GRC platform, linked to its controls (e.g. contract, assessment) and to the audits in which you review third-party controls.
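Steps 1 to 4 above, carried through as a small added Python example (not part of this guide and not ActiveERM code): tier a vendor by criticality, score a questionnaire and flag gaps, then run continuous-monitoring checks for overdue reassessment and certificate expiry. The spend cut-offs, minimum scores and the sample vendor record are assumed or constructed for illustration.

```python
from datetime import date, timedelta

# Rigor per tier: reassessment cadence (annual for critical, as the guide suggests)
# and a minimum acceptable questionnaire score. These thresholds are assumed.
TIER_POLICY = {
    "critical": {"reassess_days": 365, "min_score": 0.9},
    "high": {"reassess_days": 365, "min_score": 0.8},
    "medium": {"reassess_days": 730, "min_score": 0.7},
    "low": {"reassess_days": 1095, "min_score": 0.6},
}

def assign_tier(core_to_operations: bool, handles_sensitive_data: bool, spend_usd: float) -> str:
    """Critical if core to operations or handling sensitive data; spend cut-offs are assumed."""
    if core_to_operations or handles_sensitive_data:
        return "critical"
    return "high" if spend_usd >= 500_000 else "medium" if spend_usd >= 50_000 else "low"

def score_questionnaire(answers: dict) -> tuple:
    """answers maps question id -> True if the control is in place. Returns (score, gap list)."""
    gaps = sorted(q for q, ok in answers.items() if not ok)
    score = (len(answers) - len(gaps)) / len(answers) if answers else 0.0
    return score, gaps

def monitoring_findings(vendor: dict, today: date) -> list:
    """Continuous monitoring: overdue reassessment, certificate expiry, score below tier minimum."""
    policy = TIER_POLICY[vendor["tier"]]
    findings = []
    if today - vendor["last_assessed"] > timedelta(days=policy["reassess_days"]):
        findings.append("reassessment overdue")
    for cert, expiry in vendor["certifications"].items():
        if expiry < today:
            findings.append(f"{cert} expired")
        elif expiry - today <= timedelta(days=90):
            findings.append(f"{cert} expires within 90 days")
    score, gaps = score_questionnaire(vendor["answers"])
    if score < policy["min_score"]:
        findings.append(f"questionnaire score {score:.2f} below {policy['min_score']}: gaps {gaps}")
    return findings

# Constructed sample vendor record (not real vendor data) and a fixed review date.
SAMPLE_VENDOR = {
    "tier": assign_tier(core_to_operations=True, handles_sensitive_data=True, spend_usd=120_000),
    "last_assessed": date(2024, 10, 1),
    "certifications": {"SOC 2": date(2025, 12, 31), "ISO 27001": date(2025, 6, 30)},
    "answers": {"mfa_enforced": True, "encryption_at_rest": True, "breach_notification_72h": False, "bcp_tested": True},
}
AS_OF = date(2025, 11, 20)

def run_sample() -> list:
    return monitoring_findings(SAMPLE_VENDOR, AS_OF)
```

run_sample() returns the findings for the constructed vendor; each finding is the kind of item that should land in the vendor's entry in the risk register.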

An integrated GRC solution like ActiveERM lets you maintain a vendor inventory, run assessments, track remediation, and link vendor risk to your risk register and controls—one view of third-party exposure. See our GRC Cloud and Risk OS pages.

Explore ActiveERM

See how ActiveERM helps you with governance, risk, compliance, and audit in one platform.