Latest Discussions

Catch Up on the Latest Discussions
Network. Collaborate. Connect. 

This community provides a space where professionals in the industry can access third party risk management resources, and more importantly, interact with each other through discussion boards. You’re able to network, share stories, ask questions, receive feedback from others to help overcome your own challenges and more. 
  • Posted in: Risk Assessments

    We see a wide variety of strategies used to manage vendor and third party relationships. Some attempt to use one-size-fits-all, and others have a very complex and sometimes fully customized review process for each vendor engagement. We tend to find, however, ...

  • RE: Inherent Risk - Physical Access

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. We definitely consider onsite service providers a vendor and they will go through our normal vendor risk assessment process. For consultants or temps that have access to our network, we ...

  • RE: Inherent Risk - Physical Access

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. Physical access should definitely be considered/factored into the inherent risk score along with whether access will be accompanied or unaccompanied. Obviously, accompanied access carries ...

  • Posted in: Risk Assessments

    Hey there - An outside service provider's physical access, regardless of their service type or job function, is still factored into the inherent risk scores we apply as there can still be potential security and safety concerns if the individual(s) have ...

  • Posted in: Risk Assessments

    Unattended facility access is, in my opinion, absolutely a part of a vendor's risk profile. This is the area where the apocryphal story of the HVAC vendor hacking the network comes into play. Cleaners, maintenance folk, ...

  • Inherent Risk - Physical Access

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. We have a secured campus and maintain a well established policy for vetting non-employees prior to providing them any building access. A key pass is required to use the elevator, enter staircases, ...

  • Delegation of assessments and approvals

    This message was posted by a user wishing to remain anonymous. We are reevaluating the key roles within the business that support TPRM, specifically: completing internal assessments, reviewing/approving findings (potential issues). On occasion, these ...

  • Hi there - Below are responses and some helpful best practices to utilize in your program as it relates to managing and monitoring the risk associated with vendors with software escrow: 1) what triggers a review? (new software, RTO, Direct Impact (major ...

  • Hello, When it comes to a vendor's reputation, there are both objective and subjective reputation assessment methods that you can use. Starting with objective methods is always best. Objective methods include reviewing the legal and litigation history ...

  • Posted in: Contract Management

    We explicitly made certain types of subscription services out of scope for TPRM: magazines, periodicals and education resources. The remaining subscription services we handle as in scope and base due diligence requirements on assessed operational and ...

  • My advice is to put them in your Vendor Management system with some form of flag indicating they are an exception to your definition of vendor and to describe the exception. This way you have a centralized database of all vendors used by the organization. ...

  • Posted in: Risk Assessments

    We have a TPRM system for our third parties following standard ISO27001 principles. Do people use a deep framework for dealing with their strategic partners, or one-size-fits-all?

  • RE: Out of Scope Vendors

    This message was posted by a user wishing to remain anonymous. We keep them in our TPRM system even if they are out of scope. It shows the regulators that we are aware of all our 3rd parties and, if anyone asks if we know about a vendor, if they need ...

  • I think the main answer here is "it depends". If you are putting a group like retail only transactions [e.g office supplies, facilities accounts, etc.], then I would say probably not. There isn't much data exchange there, and the ...

  • Out of Scope Vendors

    This message was posted by a user wishing to remain anonymous. If we have documented certain categories of vendors to be out of scope for TPRM, is there any reason to create a vendor record for them in our TPRM system?

  • Hi TPRM Colleagues - As we collectively continue to leverage 3rd parties (specifically vendors) it would be great to understand what organizations are doing to understand, assess and measure vendors' reputational risk. * What areas are included ...

  • RE: Due Diligence for SaaS Providers

    This message was posted by a user wishing to remain anonymous. This was very helpful - Thanks!

  • Typically, the information stored in a TPRM software does not include the highest level of sensitive data, (at least, you should try to make sure it doesn't host any NPI or PCI). However, you are entrusted with assuring the sensitive company information ...

  • Posted in: Contract Management

    How are monthly subscription vendors' contracts usually managed? Meaning, they are usually low to medium risk and they usually don't have any contract other than signing up for a monthly subscription as their services are needed. I wanted to ask ...

  • When defining your out of scope vendors, it's up to you and/or perhaps your particular auditor and organizational appetite on whether or not your "paragraph" (assuming in your VRM Policy?) has more or less detail. Here is an example of a broad statement: ...