Third-Party Risk Management Frameworks: An Overview

No single approach is ideal for every organization, but some commonly used frameworks serve as a solid starting point. Here's what you need to know.
By Thomas Humphreys, Prevalent Compliance Expert
August 19, 2024

Setting up a third-party risk management program is a complex process that involves managing hundreds, or even thousands, of vendors across multiple continents and legal jurisdictions. Companies must address various third-party risks, including financial risks, cybersecurity exposures, legal actions, performance failures, and potential operational disruptions for each vendor or supplier. As organizations increasingly outsource significant portions of their workloads, building a comprehensive TPRM program has become more critical than ever.

While no single TPRM approach works for every organization, some commonly used frameworks provide a solid starting point. These include IT controls and supply chain cybersecurity frameworks from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), as well as frameworks aligned with other risk types such as environmental, social, and governance (ESG). Third-party risk management policies guide organizations in building, applying, managing, and implementing best practices derived from these frameworks.

What Is a Third-Party Risk Management Framework?

Third-party risk management frameworks offer a roadmap for organizations to build their TPRM programs based on industry-standard best practices. These frameworks can serve as the foundation for a TPRM program and provide baseline control requirements for third-party vendors and suppliers depending on the types of risks your organization deems important to assess.

TPRM frameworks generally fall into security and non-security categories:

  1. Third-Party Risk Management (TPRM) or Supply Chain Risk Management (SCRM) Frameworks: These are designed as foundational frameworks for developing your program. Examples include the Shared Assessments TPRM Framework and NIST 800-161.
  2. Ancillary Information Security Frameworks: These can supplement a TPRM program or aid in designing vendor risk assessment questionnaires, such as NIST CSF v2.0, ISO 27001, and ISO 27036.
  3. Non-IT & ESG Frameworks: These consist of broader frameworks focused on non-cyber controls, ESG regulations, and policies. Examples include the Corporate Sustainability Reporting Directive (CSRD) and the Carbon Disclosure Project (CDP).

Why Are Third-Party Risk Management Frameworks Important?

Third-party risk is an increasingly crucial aspect of enterprise risk management. Companies today rely on a vast array of global suppliers and vendors, making them vulnerable to disruptions ranging from mild to severe. These disruptions can stem from bankruptcies, geopolitical events, or data breaches that affect third parties.

TPRM and information security frameworks provide valuable controls and guidance for organizations aiming to mitigate risks in third-party relationships. For instance, the Shared Assessments TPRM framework covers the entire vendor risk management lifecycle, offering a comprehensive guide to building a robust TPRM program.

Frameworks such as NIST 800-161, ISO 27036, and Shared Assessments provide a solid basis to develop a TPRM program. Information security frameworks like ISO 27001, NIST CSF, and NIST 800-37 guide the vendor risk assessment process and help create questionnaires that accurately assess a company's cybersecurity maturity.

Considerations When Choosing a TPRM Framework

Each framework can give your organization a degree of control over how comprehensively it meets its regulatory, risk management, and due diligence goals. Many organizations choose to work exclusively with NIST or ISO, drawing on multiple frameworks and guidance documents from that one body when developing their program. For example, an organization may base its supply chain risk management program on NIST 800-161 and draw on elements of NIST 800-53, NIST CSF v2.0, and the NIST RMF to fully develop its program and vendor assessment approach. Consider your organizational needs and requirements before choosing a framework.

Understand Your Risk Landscape

When implementing a third-party risk management framework, companies must examine the nature of the risk involved and deal with changing business, regulatory, and legal environments. Understanding organizational risks is the first step in choosing the proper framework for your company. These risk categories include (but may not be limited to):

  • Cybersecurity and Data Privacy Risks
  • Market/Reputational
  • Financial
  • Legal and Regulatory
  • Strategic
  • Technology
  • People/Culture
  • Fraud
  • Operational Risk
  • Intellectual Property
  • Geopolitical
  • Environmental, Social, and Governance

Account for Potential Operational Impact

TPRM isn’t just about ensuring that a partnership does not expose your organization to intolerable risk; it is also about rewarding vendors whose practices reduce your organization's risks. That’s why selecting the correct TPRM framework and understanding its impact on your ecosystem of external vendors is essential. When you are choosing the frameworks to help build your TPRM program, consider the following:

  • How does the framework integrate with your existing workflows?
  • How does the framework align with your organization’s overall enterprise risk management framework?
  • Does the framework have or publish available benchmarks?
  • Is the framework updated frequently to address evolving risks, such as cybersecurity risk, geopolitical changes, and changes in the legal environment?
  • Are there standard definitions of high, medium, and low risk?
  • What TPRM frameworks do your customers use and require you to respond to?
  • Are there standard remediation processes in the literature associated with the TPRM framework?
  • Are there specific industry regulatory requirements that need to be considered, such as those for financial institutions or healthcare providers?
  • How broadly is the TPRM framework adopted (i.e., can it be used to address fourth-party risk concerns)?

Once you have identified the specific business problems you need to address, examine individual information security, supply chain, and non-cyber risk management frameworks. Shared Assessments, NIST 800-161, and ISO 27036 can provide specific examples of important SCRM and TPRM controls, while information security frameworks like NIST CSF can drive your third-party risk management processes.

Overview of Third-Party Risk Management Frameworks

Shared Assessments Frameworks

Shared Assessments TPRM Framework

Shared Assessments has published a comprehensive set of TPRM best practices. This framework is designed to help organizations establish, monitor, optimize, and mature their TPRM program using a standardized set of controls. The framework is divided into two sections: fundamentals and processes. Fundamentals include four sections: introduction, basics, buy-in, and governance. Processes include eight families ranging from outsourcing analysis and due diligence to ongoing monitoring.

Shared Assessments is one of the few frameworks focused solely on third-party risk rather than broader topics such as supply chain risk management or organizational information security. However, a membership fee is required.

Shared Assessments Standardized Information Gathering Questionnaire (SIG)

Shared Assessments publishes a standardized information-gathering questionnaire that enables organizations to conduct third-party risk assessments that are easily pre-mapped to standards like ISO, HIPAA, NIST, GDPR, and PCI DSS. It includes a management tool that lets you select predefined questions, an implementation checklist, and guidance on what documentation to request from third-party vendors. SIG is beneficial for organizations that are starting their TPRM programs.

NIST Third-Party Risk Management Frameworks

NIST Supply Chain Risk Management Framework (NIST 800-161)

NIST 800-161 is supplemental guidance to NIST 800-53 Rev 5 specifically focused on helping U.S. federal entities manage supply chain risks. Although geared towards federal entities, NIST 800-161 can also prove extremely useful for designing a TPRM or SCRM program for private sector organizations. NIST 800-161 divides the supply chain risk management process into four phases: frame, assess, respond, and recover. It includes 19 control families ranging from awareness training to system and service acquisition.

While supply chain risk management and third-party risk management differ, there is significant overlap between them. Taking guidance from NIST 800-161 can provide an excellent basis for building a competent TPRM program. NIST 800-161 is particularly beneficial for large, multinational organizations with complex supply chains and advanced SCRM needs.

NIST Risk Management Framework (RMF) 800-37 Revision 2

NIST has also released a comprehensive risk management framework that enables companies in all sectors to integrate third-party risk management and information security management seamlessly. NIST 800-37 provides a solid foundation for managing risks across the enterprise, including those related to third and fourth parties. Section 2.8 of the NIST RMF deserves particular attention when considering issues around supply chain risk. NIST 800-37 can be particularly useful when considering risk mitigation strategies for onboarding new third-party vendors.

NIST Cybersecurity Framework (CSF) 2.0

When designing vendor questionnaires, the best practices outlined in the NIST Cybersecurity Framework can prove invaluable. This library of best practices provides a set of standards that gives all participants the same reference model when discussing problems. The NIST CSF is widely considered the gold standard for building a cybersecurity program. It can help you accurately measure a potential vendor's cyber risk profile as part of the assessment process. Building your vendor risk questionnaire based on controls found in NIST CSF can be particularly useful for organizations with strong data privacy or regulatory compliance concerns.

ISO TPRM Frameworks

ISO 27001 & 27002

The ISO 27001 and 27002 standards set requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO requirements are much broader than purely third-party risk but include a significant section on managing supplier risk as part of a broader information security program. When designing your TPRM program, it is worth considering the ISO provisions that relate to third-party risk and the broader information security controls that could be applied to your vendor risk assessment process.

ISO 27036-2

If your organization has international third-party vendors and suppliers, leveraging the International Organization for Standardization processes specific to TPRM and information security may also be a good fit. ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining, and improving supplier and acquirer relationships.

This standard is particularly relevant for third-party risk management because its requirements cover the procurement and supply of products and services. Clauses 6 and 7 define fundamental and high-level information security requirements that apply to managing multiple supplier relationships at any point in the supplier relationship lifecycle. The standard covers physical-service suppliers such as security guards, cleaners, delivery services, and equipment servicing, as well as more standard arrangements regarding cloud services, data domiciles, and shared compliance processes and requirements. ISO 27036-2 is designed to manage the entire business relationship lifecycle, including:

  • Initiation: scoping, business case/cost-benefit analysis, and comparison of insourcing versus outsourcing options as well as variant or hybrid approaches such as co-sourcing
  • Definition of requirements, including the information security requirements
  • Procurement, including selecting, evaluating, and contracting with the supplier(s)
  • Transition to or implementation of the supply arrangements, with heightened risk during the implementation period
  • Operation, including routine relationship management, compliance, incident and change management, and monitoring
  • Refresh (optional): renewing the contract and reviewing the terms and conditions, performance, issues, and working processes
  • Termination and exit

Environmental, Social, and Governance Frameworks

ESG frameworks guide organizations in disclosing data on their environmental impact, social practices, and governance structures by providing a standardized blueprint for measuring and reporting sustainability and ethical impact. Developed by entities like NGOs, governments, and business groups, these frameworks define the metrics to track, the reporting format, and the disclosure frequency. They are crucial for standardizing ESG reporting across your supply chain, enabling stakeholders such as investors, regulators, and consumers to assess and compare organizations' performance. While some frameworks offer voluntary flexibility, others are government-mandated, requiring strict compliance.

Carbon Disclosure Project (CDP)

The CDP is a benchmark framework focusing on environmental governance and policy, risks and opportunity management, and environmental targets. It offers detailed questionnaires on climate change, water, and forests, which accredited partners score. The CDP is particularly valuable for organizations looking to improve transparency and accountability in their environmental practices.

Global Reporting Initiative (GRI)

The GRI is one of the most widely used voluntary ESG frameworks. It provides comprehensive standards for reporting on economic, environmental, and social issues. The GRI’s modular structure allows organizations to choose the standards most relevant to their material topics, making it a flexible and widely applicable framework.

Corporate Sustainability Reporting Directive (CSRD)

The CSRD is a regulatory framework developed by the European Union. It requires organizations to report on various sustainability topics, including environmental and social issues. The CSRD emphasizes double materiality, requiring companies to consider financial and societal impacts in their reporting. This framework is mandatory for organizations operating in the EU and is expected to impact thousands of companies worldwide.

Closing Thoughts on TPRM Frameworks

Taking guidance from NIST, ISO, Shared Assessments, and other framework providers can help cut out much of the manual labor of designing your TPRM program. The NIST 800-161 and ISO 27036-2 frameworks can provide valuable information for commonly adopted controls in TPRM and SCRM programs. Other frameworks, such as NIST CSF, ISO 27001, and NIST 800-37, can be extremely helpful in designing your vendor risk assessment process, while CDP, GRI, and others focus on ESG reporting in your supply chain.

Next Steps: Automate with Prevalent

The Prevalent Third-Party Risk Management Platform simplifies the process of building an effective and streamlined TPRM program. It enables you to quickly gather information on vendor controls, including IT security, compliance, performance, contract adherence, business continuity, financial position, reputation, ethics, anti-bribery and corruption, ESG, diversity, and more. You can then correlate these findings with continuous monitoring insights to validate control effectiveness.

Prevalent helps automate and standardize vendor risk assessments using various frameworks and regulations while offering vendor risk monitoring and remediation management throughout the third-party risk life cycle. With pre-built workflows and questionnaires mapped to industry standards, the platform makes establishing and managing your TPRM program significantly faster and more cost-effective. Additionally, it provides on-demand access to complete, standardized risk reports on thousands of companies through its vendor intelligence networks.

Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack up, or request a demo of the Prevalent TPRM Platform today.
