What is third-party risk management?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

What is third-party risk management?

Explanation:
Third-party risk management is the process of identifying and managing the risks created when a third party provides goods or services. These risks come from vendors, suppliers, or service providers who may have access to your systems, networks, or data, or who perform critical business functions. The goal is to protect confidentiality, integrity, and availability of information, as well as regulatory compliance and business continuity.

Effective third-party risk management involves several steps. Start with an inventory of your external partners and of the data, systems, or access each one handles, so that the relationship can be tiered by inherent risk. Then conduct due diligence to assess their security controls, privacy practices, and overall risk posture, using evidence such as security certifications, independent audit reports, or questionnaires. Take a risk-based approach to contracts: include data protection addenda, clear security requirements, incident response and breach notification obligations, and the right to audit and to reassess the vendor when material changes occur. Implement mitigations where needed, such as compensating controls, access restrictions, network segmentation, and monitoring. Finally, maintain ongoing vigilance through periodic reassessments at a cadence set by the vendor's risk tier, monitoring for changes in risk (for example a shift in a vendor's security posture or regulatory status), and a planned offboarding when the relationship ends so that data is returned or destroyed and access is revoked.

In short, it focuses on the risks that come with engaging external parties and the controls you put in place to manage those risks throughout the relationship. The other activities—onboarding employees, auditing vendor pricing, or managing internal software licenses—address different areas such as internal HR processes, commercial due diligence, or internal asset management, and don’t target the external risk landscape the way third-party risk management does.
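The lifecycle above (inventory, due diligence, tier-based reassessment, offboarding) is usually tracked in a vendor risk register. The following is an added example written for this page, not code from the page or from the CTPRP program: a small Python register check that scores a vendor's inherent risk from the data it handles and the access it holds, derives a reassessment cadence from the resulting tier, and flags overdue reassessments, expired assurance evidence, and offboarded vendors whose data disposition was never certified. The scoring weights, tier thresholds, cadences, field names, and the three sample vendors are all assumptions chosen for illustration, not values prescribed by any framework.

```python
"""Illustrative third-party risk register check (added example, not from the page).

All scores, thresholds, cadences and sample vendors below are assumptions made
for illustration; they are not CTPRP or any framework's prescribed values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed sensitivity score per data classification a vendor may store or process.
DATA_SCORE = {"public": 0, "internal": 1, "PII": 3, "PHI": 4, "PCI": 4}
# Assumed score for the kind of access the vendor has into our environment.
ACCESS_SCORE = {"none": 0, "network": 2, "privileged": 4}
# Assumed reassessment cadence per inherent-risk tier (tier 1 = highest risk).
CADENCE = {1: timedelta(days=365), 2: timedelta(days=730), 3: timedelta(days=1095)}


@dataclass
class Vendor:
    name: str
    data_classes: frozenset                 # keys of DATA_SCORE the vendor handles
    access: str                             # key of ACCESS_SCORE
    critical_function: bool                 # performs a business-critical service
    last_assessed: Optional[date]           # date of the last due-diligence review
    evidence_expires: Optional[date]        # e.g. end of an audit report's validity
    offboarded_on: Optional[date] = None    # set once the relationship has ended
    destruction_certified: bool = False     # vendor certified data return/destruction


def inherent_score(v: Vendor) -> int:
    """Inherent risk before controls: most sensitive data class + access + criticality."""
    data = max((DATA_SCORE[c] for c in v.data_classes), default=0)
    return data + ACCESS_SCORE[v.access] + (3 if v.critical_function else 0)


def inherent_tier(v: Vendor) -> int:
    """Map the score to a tier; the cut-offs are assumed for illustration."""
    s = inherent_score(v)
    if s >= 7:
        return 1
    if s >= 4:
        return 2
    return 3


def review(v: Vendor, today: date) -> list:
    """Return the findings an analyst would action for this vendor as of `today`."""
    findings = []
    tier = inherent_tier(v)

    if v.offboarded_on is not None:
        # Ended relationships: the only remaining obligation is data disposition.
        if not v.destruction_certified:
            findings.append("offboarded: data return/destruction not certified")
        return findings

    if v.last_assessed is None:
        findings.append("no due diligence on record")
    elif today - v.last_assessed > CADENCE[tier]:
        findings.append(f"reassessment overdue for tier {tier}")

    if v.evidence_expires is None:
        findings.append("no assurance evidence (e.g. audit report) on file")
    elif v.evidence_expires < today:
        findings.append("assurance evidence expired")

    if tier == 1 and v.access == "privileged":
        findings.append("tier 1 with privileged access: confirm segmentation and monitoring")
    return findings


AS_OF = date(2025, 3, 1)  # constructed "today" for the sample run


def sample_register() -> list:
    """Constructed sample vendors (not real data)."""
    return [
        Vendor("payroll-saas", frozenset({"PII", "PHI"}), "privileged", True,
               last_assessed=date(2023, 1, 15), evidence_expires=date(2024, 6, 30)),
        Vendor("newsletter-tool", frozenset({"public"}), "none", False,
               last_assessed=date(2024, 9, 1), evidence_expires=date(2025, 12, 31)),
        Vendor("legacy-crm", frozenset({"PII"}), "network", False,
               last_assessed=date(2022, 1, 1), evidence_expires=None,
               offboarded_on=date(2024, 12, 1), destruction_certified=False),
    ]


def run_sample() -> dict:
    """Review every sample vendor and return findings keyed by vendor name."""
    return {v.name: review(v, AS_OF) for v in sample_register()}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, findings or ["no findings"])
```

The point of tiering first is that the same lapse means different things for different vendors: a report that is eighteen months old is a finding for a tier 1 payroll provider with privileged access but within cadence for a tier 3 newsletter tool. The offboarding branch returns early on purpose; once the relationship has ended, chasing a fresh questionnaire is wasted effort, but an uncertified data destruction is still an open risk.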
