The 3 "Abilities" of Third-Party Risk Management

Three ingredients are essential to a well-designed TPRM program. How does your program stack up?
Brenda Ferraro
Vice President of Third-Party Risk
November 27, 2019

In consulting sessions with Prevalent customers, we often start with a high-level evaluation of the three "abilities" that define an effective third-party risk management program: repeatability, sustainability and scalability. Each represents unique attributes that your team should possess as they establish the processes and procedures to manage third-party risk to acceptable levels. Let's take a closer look at each ability:


Repeatability is all about developing a consistent set of rules — from classifying and categorizing vendors to framing responses and mapping risks to controls. The outcome of a repeatable process is that you can apply this set of rules across your vendor landscape instead of doing it individually. This results in a predictable set of actions, activities and outcomes. As you consider the repeatability of your third-party risk program, know that:

  • Repeatability is required for compliance — Several compliance regulations and frameworks require that you have processes in place to recognize and address risk according to documented standards.
  • Policies, procedures and processes should be defined and measured regularly and consistently
  • Metrics are used for continuous process improvement — Risks are always changing, so you must have repeatability to constantly evaluate what constitutes a risk.
  • Repeatability reduces costs for you and your third parties


The most sustainable third-party programs are built on foundations of solid data and practices that can adapt to changing business requirements. As you consider the sustainability of your TPRM program, ensure that:

  • Deliverables are relevant — Clear and consistent reporting can reveal both immediate and impending risks, while tracking risk and remediation trends over time.
  • Information drives action — Your information sources should drive data-based decisions with clear next steps.
  • Risks are managed and activity is tracked — Focus on what matters most, so you can take action if vendor assessment data isn’t properly completed, verified or validated.


Scalability is about doing more with the resources you have. For instance, if you have a predictable, programmatic process for classifying and tiering vendors, you can more efficiently collect and analyze vendor assessment content. Consider the following:

  • Use a robust solution/platform — This can provide reliable and accurate inside-out and outside-in security control intelligence to deliver a complete picture of risk.
  • Automate manual processes — Move away from Excel spreadsheets, and streamline workflow processes and hand-offs wherever possible.
  • Ensure that reporting is flexible and actionable — Reports should inform you and your team of key performance and risk indicators to trigger appropriate next steps.
  • Strive for risk transparency — Leverage heat maps and other reports to gauge program health; ensure that you can identify business risk based on vendor selection; and evaluate your risk governance and risk management practices in a way that's transparent to the business and leadership.

Take the next step

If you're curious about the repeatability, sustainability and scalability of your TPRM program, I recommend engaging with one of our third-party risk management specialists, who can guide you through a complimentary, 1-hour maturity assessment. You'll walk away with a report that specifically outlines a roadmap to address any shortcomings in your third-party risk management program. Contact us to schedule this assessment today!

Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.