The 3 "Abilities" of Third-Party Risk Management

Three ingredients are essential to a well-designed TPRM program. How does your program stack up?

by Brenda Ferraro, VP of Third-Party Risk

November 27th, 2019


In consulting sessions with Prevalent customers, we often start with a high-level evaluation of the three "abilities" that define an effective third-party risk management program: repeatability, sustainability and scalability. Each represents unique attributes that your team should possess as they establish the processes and procedures to manage third-party risk to acceptable levels. Let's take a closer look at each ability:


Repeatability is all about developing a consistent set of rules — from classifying and categorizing vendors to framing responses and mapping risks to controls. The outcome of a repeatable process is that you can apply this one set of rules across your entire vendor landscape instead of assessing each vendor ad hoc. This results in a predictable set of actions, activities and outcomes. As you consider the repeatability of your third-party risk program, know that:

  • Repeatability is required for compliance — Several compliance regulations and frameworks require that you have processes in place to recognize and address risk according to documented standards.
  • Policies, procedures and processes should be defined and measured regularly and consistently
  • Metrics are used for continuous process improvement — Risks are always changing, so you must have repeatability to constantly evaluate what constitutes a risk.
  • Repeatability reduces costs for you and your third parties


The most sustainable third-party programs are built on foundations of solid data and practices that can adapt to changing business requirements. As you consider the sustainability of your TPRM program, ensure that:

  • Deliverables are relevant — Clear and consistent reporting can reveal both immediate and impending risks, while tracking risk and remediation trends over time.
  • Information drives action — Your information sources should drive data-based decisions with clear next steps.
  • Risks are managed and activity is tracked — Focus on what matters most, so you can take action if vendor assessment data isn’t properly completed, verified or validated.


Scalability is about doing more with the resources you have. For instance, if you have a predictable, programmatic process for classifying and tiering vendors, you can more efficiently collect and analyze vendor assessment content. Consider the following:

  • Use a robust solution/platform — This can provide reliable and accurate inside-out and outside-in security control intelligence to deliver a complete picture of risk.
  • Automate manual processes — Move away from Excel spreadsheets, and streamline workflow processes and hand-offs wherever possible.
  • Ensure that reporting is flexible and actionable — Reports should inform you and your team of key performance and risk indicators to trigger appropriate next steps.
  • Strive for risk transparency — Leverage heat maps and other reports to gauge program health; ensure that you can identify business risk based on vendor selection; and evaluate your risk governance and risk management practices in a way that's transparent to the business and leadership.
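The repeatability and scalability sections above both hinge on one idea: a single, documented rule set for classifying and tiering vendors, mapping each tier to required controls, and producing metrics from the result. The following Python sketch is an added illustration of that pattern, not Prevalent's code or methodology; the risk weights, tier thresholds, control lists, reassessment cadences and the four sample vendors are all constructed assumptions for the example.

```python
"""Repeatable vendor tiering, control mapping and program metrics.

Added example; not Prevalent's code. All weights, thresholds, control
names and vendor records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_sensitive_data: bool   # processes PII/PHI/payment data on our behalf
    network_access: bool           # holds credentials or connectivity into our environment
    business_critical: bool        # an outage would halt a core business process
    last_assessed: Optional[date]  # None means the vendor has never been assessed


# One weighting applied identically to every vendor (assumed weights).
RISK_WEIGHTS = {"handles_sensitive_data": 2, "network_access": 2, "business_critical": 1}

# Score thresholds checked in order; the first match wins (assumed thresholds).
TIER_THRESHOLDS = [(4, "Tier 1"), (2, "Tier 2"), (0, "Tier 3")]

# Tier -> reassessment cadence and evidence expected (assumed control set).
TIER_CONTROLS = {
    "Tier 1": {"cadence_days": 365,
               "evidence": ["SOC 2 Type II report", "penetration test summary",
                            "data processing agreement", "incident-notification clause"]},
    "Tier 2": {"cadence_days": 730,
               "evidence": ["security questionnaire", "data processing agreement"]},
    "Tier 3": {"cadence_days": 1095,
               "evidence": ["self-attestation"]},
}


def risk_score(vendor: Vendor) -> int:
    """Sum the weights of every risk attribute the vendor has."""
    return sum(weight for attr, weight in RISK_WEIGHTS.items() if getattr(vendor, attr))


def classify(vendor: Vendor) -> str:
    """Map a vendor to a tier using the shared thresholds, never case by case."""
    score = risk_score(vendor)
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "Tier 3"  # unreachable because the last threshold is 0


def required_controls(vendor: Vendor) -> list:
    """Evidence the program expects from a vendor, derived only from its tier."""
    return TIER_CONTROLS[classify(vendor)]["evidence"]


def is_overdue(vendor: Vendor, today: date) -> bool:
    """True when the vendor was never assessed or its tier's cadence has lapsed."""
    cadence = timedelta(days=TIER_CONTROLS[classify(vendor)]["cadence_days"])
    return vendor.last_assessed is None or (today - vendor.last_assessed) > cadence


def program_metrics(vendors: list, today: date) -> dict:
    """Tier distribution and assessment currency: the numbers a TPRM report tracks."""
    by_tier = {tier: 0 for _, tier in TIER_THRESHOLDS}
    overdue = []
    for vendor in vendors:
        by_tier[classify(vendor)] += 1
        if is_overdue(vendor, today):
            overdue.append(vendor.name)
    total = len(vendors)
    current = total - len(overdue)
    return {
        "by_tier": by_tier,
        "overdue": sorted(overdue),
        "pct_current": round(100.0 * current / total, 1) if total else 100.0,
    }


# Constructed sample vendor inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", True, False, True, date(2019, 1, 15)),    # score 3 -> Tier 2
    Vendor("msp-network", True, True, True, date(2018, 6, 1)),       # score 5 -> Tier 1
    Vendor("office-catering", False, False, False, None),            # score 0 -> Tier 3
    Vendor("analytics-api", False, True, False, date(2019, 11, 1)),  # score 2 -> Tier 2
]
TODAY = date(2019, 11, 27)

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:16} {classify(v)}  overdue={is_overdue(v, TODAY)}  "
              f"needs={required_controls(v)}")
    print(program_metrics(SAMPLE_VENDORS, TODAY))
```

Because tiering, control expectations and overdue status are all derived from the same tables, changing a threshold or a cadence changes the outcome for every vendor at once; that is the practical meaning of "repeatable" here, and it is also what lets the same process scale from four vendors to four thousand without per-vendor judgement calls.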

Take the next step

If you're curious about the repeatability, sustainability and scalability of your TPRM program, I recommend engaging with one of our third-party risk management specialists, who can guide you through a complimentary, 1-hour maturity assessment. You'll walk away with a report that specifically outlines a roadmap to address any shortcomings in your third-party risk management program. Contact us to schedule this assessment today!