Third Party Risk Management: Ask This;
Gerardus Blokdyk
34K+ | Bestselling Author | Innovator | Speaker | Mentor | Founder and CEO at The Art of Service | With 900+ academic citations my work is in the top 1% of most cited work worldwide
TLDR: Ask This;
1. Does your organization have a risk management program for third party vendors that store, process or have access to its data, and does it verify that those vendors apply appropriate security measures?
2. How does your organization ensure that third party risk management processes and standards are consistent across the business units?
3. Does your organization have established risk management policies and formal processes for selecting its vendors and third party providers?
4. What exposure data, policy data, loss information and other risk management data is released to third parties, and how far back does that history go?
5. Does your organization conduct a regular review of third party risk management policies and programs to ensure they address the changing landscape of third party risk and regulations?
6. Does your organization have metrics to measure the effectiveness of risk management activities?
7. Are identified risk factors being actively managed and tracked by the Program Management organization or projects, as appropriate?
8. Which issues with its risk management information technology systems is your organization most concerned about?
9. How does your organization's third party management process correspond to the nature and level of the enterprise risk your organization has identified?
10. How much budget, excluding headcount, does your organization have for third party risk management?
11. Can third parties be identified that have the capability to conduct comprehensive risk management program audits?
12. How does your third party risk management (TPRM) methodology/offering compare to TPRM vendors that provide information based on passive monitoring?
13. Has your organization identified, assessed, and defined its risk profile?
14. Has management demonstrated a clear understanding of your organization's dependencies on third party vendors and the level of risk they introduce into the delivery of critical business services?
15. Does your organization engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?
16. What is the process used to assess your organization's cyber risk management program by a third party, and do the results offer a comprehensive view?
17. How does management define your organization's risk management goals and objectives?
18. What role does third party risk management play in security and privacy strategies?
19. Are risk management processes standardised across your organization and integrated with tools and data?
20. Is your organization updating critical risk management documents based on ongoing monitoring activities?
21. Is a management-led risk organization established to enable risk conversations?
22. Are significant changes in risk posture, or the emergence of new risks, adequately identified across all projects and program management activities, and are they actively managed and tracked?
23. What is the likelihood that your organization will move to exit or de-risk third party relationships that are determined to have the highest risk?
24. What technology/tools does your organization use to track and manage your third party risk processes?
25. How does management consider your business-level issues around IT risks and controls?
26. What roles does your organization assign to your organization-wide, independent risk management group?
27. How does your organization know when updates and adjustments need to happen to keep risk in check?
28. Controls, risk management and auditability – does your control framework also address outsourcing risks?
29. How does management assess the impact of services provided to third party service organizations on internal controls over financial reporting (ICFR), including the risks of material misstatements?
30. How does management assess the level of risk and complexity of each third party relationship?
31. Which functional area has primary responsibility for components of your organization's third party supplier risk management program?
32. Does your organization have a defined risk governance model and approach, which delineates functional responsibilities for risk management?
33. Does your supplier have a third party risk management framework and due diligence program?
34. How well does your current third party risk management program satisfy the needs of your business?
35. Where activities are outsourced, have third party certifications been sought to implement risk management activities?
36. Are additional risk management measures in place in your software's design to mitigate risks posed by use of third party components?
37. How does your organization manage counterparty risk related to third party arrangements?
38. Are there individuals on your organization's staff who can perform the services if the risk of working with the third party proves greater than your organization would like?
39. How capable does the enterprise want its risk management to be for each of its priority risks?
40. How has the pandemic affected your organization's third party cybersecurity risk management program?
41. How did management develop a shared vision for the role of risk management in your organization?
42. Who is in charge of managing third party risk in your organization: is it a function of procurement, legal, compliance, risk management or information security?
43. To identify potential third party risks, does your organization have an inventory of key business associates and have business associate agreements in place with them?
44. How does your organization reduce its oversight costs for lower risk relationships?
45. Is your third party risk management program a dedicated part of your organization's enterprise risk management program?
46. What percentage of third parties are in scope for your organization's risk management program?
47. Is there an effective process for reliable reporting on risks and risk management performance?
48. How does your organization compare with its peers and regulatory expectations for risk assessment and control?
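Question 36 asks whether your software's design includes measures against the risk of third party components, and the technology theme below asks how open source and third party software risk is managed. The concrete check a practitioner would want behind that question is a gate that refuses any component that is not exactly pinned, not hash-locked, or not on the organization's approved-component inventory. The following is an added example and is not code from the page or its author; it assumes pip's requirements.txt format, and the sample manifest, the hash values and the approved inventory are constructed for illustration.

```python
"""Added example (not from the original page): a minimal supply-chain gate
over a Python requirements file. It flags third party components that are
not exactly pinned, carry no sha256 hash lock, or are absent from an
approved-component inventory. Sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample manifest in pip requirements.txt format (not a real lockfile).
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project's lockfile
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=5.4
cryptography==41.0.7
left-pad-ish==0.1.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

# Constructed approved-component inventory: normalized name -> approved versions.
APPROVED = {
    "requests": {"2.31.0"},
    "pyyaml": {"6.0.1"},
    "cryptography": {"41.0.7"},
}


@dataclass(frozen=True)
class Finding:
    package: str
    issue: str


_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def _normalize(name):
    """PEP 503 name normalization: lowercase, runs of [-_.] collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text):
    """Join pip-style continuation lines (trailing backslash); drop comments and blanks."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            lines.append(buf)
        buf = ""
    if buf and not buf.startswith("#"):
        lines.append(buf)
    return lines


def audit_requirements(text, approved):
    """Return one Finding per gate a requirement fails; an empty list means the gate passes."""
    findings = []
    for line in _logical_lines(text):
        m = _REQ_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable requirement"))
            continue
        name, op, version = _normalize(m.group(1)), m.group(2), m.group(3)
        if op != "==":
            # A range or bare name lets a future upstream release slip in unreviewed.
            findings.append(Finding(name, f"not exactly pinned ({op or 'no'} specifier)"))
        if not _HASH_RE.search(line):
            # Without a hash lock, a substituted or re-uploaded artifact is indistinguishable.
            findings.append(Finding(name, "no sha256 hash lock"))
        if name not in approved:
            findings.append(Finding(name, "not in approved-component inventory"))
        elif op == "==" and version not in approved[name]:
            findings.append(Finding(name, f"version {version} not approved"))
    return findings


def gate_passes(text, approved):
    """Convenience wrapper for CI: True only when no finding is raised."""
    return not audit_requirements(text, approved)


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS, APPROVED):
        print(f"{f.package}: {f.issue}")
```

On the constructed manifest the gate raises four findings: pyyaml is range-pinned and unhashed, cryptography is pinned but unhashed, and left-pad-ish is pinned and hashed but not on the inventory; requests passes all three checks. Wiring the wrapper into a build step turns the design question into an enforced control rather than a questionnaire answer.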
Organized by Key Themes: QUALITY, RISK, SECURITY, COMPLIANCE, TECHNOLOGY, MANAGEMENT, PROJECT, PROCESS, DATA, SUPPLIER:
QUALITY:
Is your organization confident that suppliers are able to cope with any increases in demand?
Who leads IT quality compliance activities across your organization, including setting strategic direction for the function, partnering with IT operations to minimize risk and mitigate it effectively across internal and third party supplier systems, acting as a consultant to the (internal) client community, and managing IT compliance staff so that regulatory and business requirements are met?
What roles does your organization assign to your organization-wide, independent risk management group?
Does your process oversee enterprise IT business system analysis and quality assurance?
How do you ensure that the data protection regimen is at least as good as your own?
Do you build the quality assurance team by recruiting, coaching and training team members?
Does your organization measure whether line managers are monitoring the conduct of subordinates?
Do you provide quality oversight of third party warehouses, including inspections, process improvement and monitoring of quality agreement compliance?
Do you have a standard set of technology clauses that are included in each third party contract?
Have you defined and set standards for quality, process and (internal) customer-story-focused metrics?
How effective are risk assessments at determining the control environment of third parties?
Does your design uphold quality standards by defining and adjusting processes?
Does the service provider allow for recovery of data and associated metadata when required?
Do you ensure the quality and completeness of design history files for software activities?
What additional requirements would you need to meet to expand into a new geographic market?
Do you implement and enforce quality control and tracking programs to meet quality objectives?
How can the executive define and communicate the spreadsheet risk management requirements?
Do you set and communicate standards to ensure quality?
RISK:
Are your third party partners better at managing certain types of risks than you are?
Is there a TPRM governance and reporting team that executes key policies and procedures in accordance with the third party risk management (TPRM) program and partners with other SMEs and ORM to ensure organizational governance?
How effective are your existing relationship management metrics in improving vendor performance?
Does your company have a team of service managers that oversee third party risk management for vendor services?
Is there a formal process to ensure clients are notified prior to changes being made which may impact service?
Does the third party program coordinator work with the group third party officer to ensure execution of, and ongoing compliance with, the third party risk management policy and third party program procedures?
Is team and individual understanding of, and commitment to, work plans reviewed at appropriate intervals?
Who leads the development of content and training for business divisions and supporting functions on third party risk management topics, in support of the first line of defense (1LOD) framework?
Is that third party supporting an essential business process within your organization?
Do you provide business unit management support for the legal organization's third party risk issues?
Does the business carry out appropriate strategic monitoring of third party suppliers?
Do business units collaborate with and support the third party risk management team in the initial review and ongoing monitoring of vendor risk?
Which groups are less involved in different kinds of decision making, or in different kinds of implementation, or in different kinds of benefits, or in different kinds of evaluation?
Is your staff's use of GRC tools and other risk management information systems under management?
Are you open to assessing current processes and aligning to an industry standard operating model?
Does the Chief Operating Office third party program team interface with the Control Executive Office, Independent Risk Management, Operational Risk Business Oversight and Audit to drive comprehensive and consistent implementation of regulatory and corporate risk policies and programs across the Chief Operating Office lines of business?
Does your organization have an understanding of all third parties supporting the enterprise?
Do you support the third party vendor security risk management program across its life cycle?
SECURITY:
Do you have a workflow to remediate risks or incidents discovered during assessments and audits?
Are your personnel responsible for conducting cybersecurity and third party risk assessments that cover security policies, standards and the controls management process, including regular reviews of the assessment process and updates to the process flow narrative?
What are the additional risks from planning and implementing new products or projects?
Have you developed and implemented a third party security risk management strategy consistent with the changing enterprise-specific and industry-wide risk and regulatory environment, with reports, scorecards and a training program to educate staff?
Does your organization have an understanding of all third parties supporting the enterprise?
Who oversees execution of the third party security risk management program in (internal) client engagements?
Is your organization doing enough to inform customers, investors, third parties, and other stakeholders about its vision and values?
Does your workforce perform risk assessments of third party vendors against security best practices and legal requirements to ensure that your organization does not inherit unacceptable risk by doing business with that vendor?
Has management demonstrated a clear understanding of your organization's dependencies on third party vendors and the level of risk they introduce into the delivery of critical business services?
Do you facilitate, with involvement from IT, software development, architecture and security, reviews of third party/vendor information management processes, and ensure they comply with IT-specific policies and procedures and with applicable state and overarching regulations?
Which impacts on your business have resulted from regulatory reform in the major jurisdictions where you operate?
Who manages and operates the third party security risk management program and teams?
How is leadership engaged and committed to addressing cyber risks facing the business?
Who leads the design, implementation, maintenance and enforcement of third party security risk management policies, procedures and controls?
Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests?
Does your process lead security assessments and IT risk assessments?
Are there any adverse media reports or other relevant information sources about the customer?
Do you support the third party/vendor security risk assessment process, and monitor and report on the progress of risk treatment activities by business owners?
Is coverage provided on an actual cash value, replacement cost, or guaranteed replacement cost basis?
Who provides oversight of the development and execution of third party security risk assessment criteria and the (internal) client program?
COMPLIANCE:
Is your vendor using proprietary technology or relying heavily on third party data sources?
Does your workforce analyze trends, news and changes in the threat and compliance environment with respect to organizational risk; advise management and develop and execute plans for compliance and risk mitigation; perform risk and compliance self-assessments; and engage and coordinate third party risk and compliance assessments?
How do you monitor your third party service providers?
Does your process track and monitor internal items, tasks and projects required for business and compliance goals?
Is the contractor completing the design/engineering services activities in a timely manner?
Do you facilitate periodic risk assessments and monitoring of the sanctions and third party risk compliance programs?
How does your organization identify, analyze, mitigate, and escalate project risks?
Is your operation responsible for executing compliance processes, including controls, attestations and testing, and for monitoring and oversight of recommendations to correct or mitigate IT systems control and compliance weaknesses?
What is your escalation process if a quality assurance issue arises or an incident occurs?
Do you inform management of any non-compliance incidents or regulatory compliance issues that arise internally, with outside or (internal) customers, or with third party contractors?
Did/will the project facilitate positive communication/interaction between and within groups?
Do you maintain open communication with the leadership team and department heads to facilitate adoption of, and compliance with, your organization-wide strategy?
Are you expecting more extensive risk management requirements coming from your investors?
Do you invest in the contract execution process and ensure compliance with the contract approval process?
Which approach most effectively ensures that service provider controls are within the guidelines set forth in your organization's information security policy?
Does your design ensure the operations team complies with all regulatory policies and procedures?
Does your organization have an understanding of all third parties supporting the enterprise?
Does your organization independently manage and develop new or enhanced compliance programs supporting the Chief Privacy Officer and regional privacy heads?
Will it utilize a third party that manages, hosts, or provides a framework for the program?
Does your group provide control oversight to ensure compliance with laws and regulations?
TECHNOLOGY:
Are significant changes in risk posture, or the emergence of new risks, adequately identified across all projects and program management activities, and are they actively managed and tracked?
Is your company involved in third party risk management and procurement policies, processes, controls, technology and tools?
What is the security officer's role in managing the risks involved in using open source and third party software?
Is your process involved in technology tool vendor selection and implementation?
How do you communicate, share and collaborate across your business?
Do you collaborate with other technology team members and business stakeholders?
Are contracts in place to specify the performance and remuneration for all parties?
Does your operation act as a project resource for implementing new technology delivery systems?
Have you adequately recorded and reported on the risk management process and relevant outcomes?
Does your company manage the activities and personnel that provide technical services to (internal) customers by identifying, prioritizing and confirming resolution of reported problems with technology solutions, including audio-visual, collaboration, network and software solutions?
Does your organization have a risk management program for third party vendors that store, process or have access to its data, and does it verify that those vendors apply appropriate security measures?
Does your operation stay up to date on key technology, business and industry trends?
Are risk management processes standardised across your organization and integrated with tools and data?
Do you integrate business rules and business data with technology?
Do the risk assessments identify current risks and controls as well as new and emerging risks?
Is your team evolving its technology capabilities to support existing, new and emerging technologies?
Is that third party supporting an essential business process within your organization?
Is your group involved in supporting technology initiatives from a finance and accounting perspective?
What are the main systems, platforms or vendor solutions that functions in your organization use to monitor risks?
Is your company using or testing web technology frameworks?
MANAGEMENT:
How does your organization compare with its peers and regulatory expectations for risk assessment and control?
Do you coach peers and team members on the critical inputs and requirements of third party risk management to ensure the program's success?
Do monitoring processes allow for the reliable assessment of third party performance?
Does your strategy include developing third party risk management analytics?
What customer driven work are you seeing as a result of the growing customer base?
Do you drive process improvements to continuously mature the third party risk management program and service?
How will the risk response make it easier or more difficult to meet organization objectives?
Is your staff responsible for effective and compliant management of multiple third party relationships with high or critical inherent risk that could expose the enterprise to significant risk if the third party fails to meet expectations?
How do you control third party access to your network?
Do you work closely with business units to oversee execution of the model risk management policy?
What skills are required of leaders and teams to leverage the true value of analytics?
Do you support the compliance division's programs, enterprise compliance policy, anti-corruption program office, and the third party risk management lead function and related initiatives?
How do you get corresponding companies to make the investments to move up the risk protection curve?
Is your staff developing and implementing third party risk management processes and solutions?
How important is the assessment of third party supplier controls in supporting activities for your organization?
Is your team supporting the completion of ongoing risk management activities?
What is your organization's main business focus and what are its main product areas?
Does your organization conduct third party risk management oversight for multiple vendors?
How engaged is your board of directors with cybersecurity risks relating to your vendors?
Does your company provide support to the technology organization relating to data management and analytics?
PROJECT:
Does your organization outsource any services to third party vendors that may involve a client's information?
Do you proactively lead and execute project risk management and mitigation?
How should organizations manage people, embed processes and harness technology to increase transparency and mitigate data privacy risk?
Does your design maintain the project risk register to capture, monitor and mitigate risks associated with the project, including third party risks?
Is IT security fully involved when implementing and testing user considerations?
Is your operation experienced in Waterfall and Agile project management methodologies?
Does your organization have established risk management policies and formal processes for selecting its vendors and third party providers?
Do you ensure strong business acumen and project management involvement?
How do you source and implement the best tools for risk management?
Do you identify project risks and implement risk reduction plans?
Will it utilize a third party that manages, hosts, or provides a framework for the program?
Does your organization provide project management guidance across teams?
Is the planned outsourcing arrangement critical or an important function of your business?
Does your staff derive and execute project management improvement efforts?
What assumptions and current status support the assessment of the risk?
Do you have experience providing program/project management support to an organization client?
PROCESS:
Does your organization maintain separate property files that include bills of sale, invoices, titles, or other evidence of ownership?
Do you develop and maintain a view of the impact of reductions in force across groups, risk platforms, third party service providers and business continuity?
Has your organization experienced wire transfer fraud or an attempt of wire fraud recently?
Who leads the execution of tech transfer and process risk assessments?
What controls does the supplier have to protect against unapproved changes/updates?
Do you coordinate and communicate all key business process and system changes with Integrated Services leaders and third party vendors?
Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained?
Is your team involved in best practices and process improvement?
How does your organization ensure that third party risk management processes and standards are consistent across the business units?
Do you manage the development and implementation process for a specific organization product?
Is third party performance data gathered, recorded and monitored on one centralized platform?
Do you understand the activities and processes that individuals and teams at the (internal) client use to accomplish their work, and ensure the work environment supports optimal engagement and productivity?
What are critical activities to your organization, and which third parties participate in corresponding activities?
Do you participate in product/process risk assessments?
Do policies contain the needed detail to execute the risk management objectives outlined?
Do you partner with leadership and the broader payroll team to execute process improvement efforts?
Are you unable to scale your TPRM program or find the right skilled resources to support it?
Does your staff compile data for cost reporting in support of the annual budgeting process?
Is IT security fully involved when implementing and testing user considerations?
Is your workforce involved in designing and implementing finance and accounting processes and workflows?
DATA:
Are specifications and estimates for the project suitable to allow resourcing to proceed?
Does your group perform third party risk assessments, including data categorization and security control reviews?
Are identified risk factors being actively managed and tracked by the Program Management organization or projects, as appropriate?
Do you review, draft and negotiate data protection agreements and security exhibits, work closely with the appropriate teams to advise on third party risk reviews, and handle the full commercial contracting cycle for deals that are heavily focused on personal data?
What data protections and oversight practices are in place at your subsidiaries and third party service providers?
Are your personnel involved in data quality management tools and practices?
Can the system support request and approval of project changes in a project defined format?
Do you identify data and technology needs and create project plans to execute and support the business strategy?
What are the intellectual property ownership rights that relate to stored customer data?
Do you manage data access in adherence to process and security requirements?
Is IT security fully involved when implementing and testing user considerations?
Is your organization involved in architecture patterns and data integration design principles?
What is the current average timeframe, to include due diligence reporting, to on board a new third party at your organization?
Do you support monthly reporting of IT risk metrics and data?
What ESG related risks are necessary and acceptable for achieving strategic ambitions?
Do you analyze third party risk data, including exit strategies and performance scorecards?
Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests?
Are your personnel involved in the data collection process and the integration of core and third party data?
Does management have adequate vendor oversight policies, procedures, and practices?
Is your design informed by data or system governance and integration practices?
SUPPLIER:
How do you pass on counterfeit prevention requirements to your third party suppliers?
Do you participate in supplier risk management (ORM) activities?
How do you assess all corresponding third parties with so few resources?
Do you monitor and audit supplier quality management systems (ISO, IATF, AS9100, etc.)?
Can the cloud service provider provide a solution that meets organization business requirements?
Do you coordinate with the project team to ensure suppliers meet requirements?
How do you help your organization understand and recognize economically driven threats?
Do you support enhanced supplier contract management and drive improvements?
Do you regularly monitor the operational, ethical and financial risk and performance of your suppliers?
Do you invest in establishing supplier management strategies?
What about third party suppliers, which might be the weakest link of your organization's value chain?
Does your strategy draw on business acumen and experience dealing with suppliers and/or (internal) customers?
What security criteria, if any, are considered when selecting third party suppliers?
Do you validate organization information to support the supplier onboarding process?
Which functional area has primary responsibility for components of your organization's third party supplier risk management program?
Is your company's use of SIM for supplier onboarding under management?
Will it utilize a third party that manages, hosts, or provides a framework for the program?
Does your process lead initial supplier orientation and prioritize onboarding training?