Third Party Risk Management Framework: Ask This;
Gerard Blokdyk
34K+ | Bestselling Author | Innovator | Speaker | Mentor | Founder and CEO at The Art of Service | Bestselling Author - With 1000+ Academic Citations my work is in the top 1% of most cited work worldwide
TLDR: Ask This;
1. Does your organization have metrics to measure the effectiveness of risk management activities?
2. Are identified risk factors being actively managed and tracked by the Program Management organization or projects, as appropriate?
3. How has your organization's third party management process corresponded to the nature and level of the enterprise risk identified by your organization?
4. Are significant changes in risk posture or the emergence of new risks being adequately identified across all projects and program management activities, and are they being actively managed and tracked?
5. How does management define your organization's risk management goals and objectives?
6. What technology/tools does your organization use to track and manage your third party risk processes?
7. Is the program manager's risk assessment and management process being adequately implemented, and is it providing timely, actionable information for the program manager and owner?
8. Are risk management processes standardised across your organization and integrated with tools and data?
9. What roles do institutions assign to your organization-wide, independent risk management group?
10. Do you have a strong risk management team in place with effective policies?
11. Do your vendors have a proactive approach to risk management and mitigation?
12. How well does your current third party risk management program satisfy the needs of your business?
13. How does management consider organization-level issues around IT risks and controls?
14. How does management develop a shared vision for the role of risk management in your organization?
15. Are policies in place for key risks laid out in the risk management framework?
16. Is there an effective process for reliable reporting on risks and risk management performance?
17. What percentage of third parties are in scope for your organization's risk management program?
18. Do organizations need to apply operational risk management and governance practices to outsourcing arrangements?
19. Is your third party risk management program a dedicated part of your organization's enterprise risk management program?
20. Does your organization have a risk manager who is responsible for risk control?
21. How does a risk impact your organization's ability to achieve its strategy and business objectives?
22. Which function benefits most from a well-functioning vendor risk management process or program?
23. What area has primary ownership of the third party risk management function?
24. What area has primary ownership of the third party risk management program/function?
25. How are cloud vendors'/hosts' risks managed from a third party risk management perspective?
26. Are identified risk factors being actively managed and tracked by the Owner's organization or Program Manager, as appropriate?
27. Does the risk management plan include adequate measures to identify changes to site condition?
28. Is the risk management process clearly recognized as being employed on the project?
29. How would management know if your organization-level controls provide a strong control environment?
30. How capable are your organization's operational risk management technology platforms in areas?
31. Who has the most experience operating third party risk management programs?
32. How does your organization begin to develop an effective vendor management program?
33. Is there a compliance risk management system that addresses the quality and accuracy of reported consumer data?
34. Which steps has your organization taken in response to recent concerns regarding risk governance?
35. Why would a host need an integrated procurement, performance and risk management platform?
36. How does your organization ensure alignment between management and staff?
37. What are the third party risk management related roadblocks to moving forward with business projects?
38. Do you have any recent audit findings that would inform your risk assessment of a business unit/geography/risk?
39. Are risk allocation and management responsibilities between the Owner and Program Manager clearly defined?
40. Does management take a risk-based approach to assessing and managing supply chain risk?
41. Where do you begin with compliance, and how do you prioritize your risk management program?
42. How long has your organization been performing third party risk assessments?
43. Have you adequately recorded and reported on the risk management process and relevant outcomes?
44. Is the current risk management process aligned with that of auditors and regulators?
45. Which programs does your organization have in place to manage AML risk?
46. What actions does your organization take if the vendor has security gaps?
47. Is there a clear understanding of the time frame that will be required, and does the plan include commitments by appropriate parties for any long-term management or monitoring?
48. Are third party risk management roles and responsibilities clearly defined within your organization?
Organized by Key Themes: SECURITY, RISK, MANAGEMENT, TECHNOLOGY, DATA, PRODUCT, COMPLIANCE, BUSINESS, THIRD, VENDOR:
SECURITY:
Is sufficient consideration given to how evolving technologies, market trends and disruptive forces present opportunities and challenges to third party relationships?
Ensure your operation is responsible for coordinating and scheduling information security and data protection impact assessments with business owners, working with team members to conduct assessments and develop remediation plans using evolving business processes and tools, documenting the effort in a Third Party Risk Management tool, and following up with business owners on remediation plans.
How do you ensure that enough partners will invest in security so that all the others will follow suit?
Invest in regulatory engagement for matters related to IT, information security, business continuity management, operational resilience, information governance, third party risk management, enterprise risk management and data privacy.
Why is it so important to consider IT when evaluating internal control over financial reporting?
Make sure the responsibilities which need to be in place include developing programs and processes such as security governance, internal controls reviews, third party risk management and program maturity reporting.
What kind of due diligence review did you conduct to identify red flags?
Coordinate and conduct vendor risk assessments to ensure alignment with third party risk management security standards.
Does your organization follow a clear and consistent due diligence process map?
Develop a go-forward strategy to evolve the TPRM program, and continue to develop and oversee a third-party risk governance structure that ensures that all business owners and third parties that expose the organization to compliance, credit, information security, offshore, operational, and strategic risk follow appropriate controls.
What is the probability that either the economic condition or financial support from the organization occurs?
Make headway so that your operation maintains an ongoing awareness of information security, vulnerabilities, and threats to support product creation and risk management decisions.
How are you defining the tradeoffs between rapid remote services and key cyber/fraud/privacy risks?
Invest in maturing the Third Party Risk Management program by defining security controls based on tiers of vendors.
Is the planned outsourcing arrangement critical or an important function of your business?
Confirm that your strategy leads and conducts Architecture and Technical reviews, Business Impact Analyses (BIA), Security Risk Assessments (SRA), Privacy Impact Analyses (PIA), and other formal reviews related to the security and privacy of your organization's products.
Which processes and practices do you have to manage fourth party risk?
Make sure your strategy manages the security operations, IT audit, and third party risk management (TPRM) practices.
What is your strategy – do you have strategic plans, paths, focus areas, etc?
Own policies and procedures related to information security, such as third party risk management, business continuity, privacy, segregation of duties, etc.
RISK:
Are the type and sources of information needed to evaluate procurement options clear?
Work with other members of the Information Security Governance Team to analyze and audit processes, implementations, policy adherence and other information sources to evaluate compliance with multiple regulatory standards and risk management objectives.
When a vendor has a security incident, who is responsible for doing what?
Establish that your company is responsible for your organization's Third-Party Risk Management Program, including initial and periodic risk assessments, compliance with information security standards, service level agreements and recovery standards, and policy and procedures.
How involved is the board of directors in overseeing risk management activities?
Oversee that your workforce is involved in providing oversight and guidance on the third party risk management (TPRM) process, specifically addressing information security risk with vendors and business partners.
What controls does the supplier have to protect against unapproved changes/updates?
Interface so that your strategy is leading the operationalization of security compliance programs to support the various compliance regulations that (internal) clients need to comply with, and leading a team of security risk assessment specialists who focus on performing risk assessments that address security threats, changes to systems and/or applications, process improvement initiatives, supplier assessments (including downstream outsourcers) and other requests from the business.
How long has your organization been performing third party risk assessments?
Check that your workforce is leading and performing third party risk management process design assessments for alignment with TPRM Policy and Standard requirements and providing guidance to business partners.
When does a third party vendor trigger contractual and reporting obligations for its clients?
Provide regular reporting on the current status of the information security program to the leadership team in the context of a strategic enterprise risk management program.
Is there an overall approach to IT risk and control consideration that should be followed?
Set procurement and vendor management standards by researching good business practices and techniques that facilitate sourcing and risk mitigation, collecting and disseminating this knowledge, and defining a consistent set of processes and procedures for staff to follow.
Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained?
Develop, implement and maintain a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information that is owned, controlled or processed by the organization.
Do you perform a secure architecture design review for high risk applications?
Work with third party risk management and contract teams on information security and privacy controls, and perform Data Protection Impact Assessments.
Has pge separately analyzed its revolving lines of credit requirements?
Be sure your team serves as product owner of the enterprise vendor risk management software and identifies necessary technical enhancements to address evolving business needs.
MANAGEMENT:
How do you know if information risk practices are making a difference?
Establish and drive best practices and governance across all third party risk management activities to ensure compliance with organization policies and regulatory requirements.
What event might trigger a risk which needs to be mitigated or addressed?
Integrate with the third party risk management team to ensure vendor risks are identified and appropriately mitigated.
How will you ensure the partner is adhering to your policies and procedures?
Partner with Enterprise Third Party Risk Management to ensure compliance with the corporate vendor management program.
Does your facility reward staff financially for helping improve performance or reduce supply costs?
Make sure your strategy is supporting the vendor due diligence process and helping with overall third party risk management efforts.
How will the external auditor view IT controls during the attestation process?
Interface with procurement, technology risk management, business teams, application management, and third party program management on cybersecurity issues.
Do you have a risk-based set of review requirements for all counterparties?
Support the third party vendor risk management (TPRM) review process for technology related vendors (systems and applications).
Does the CSF assurance program support an "assess once, report many" approach?
Support related vendor relationships, including Third Party Risk Management requirements, security assessments, and performance management.
Can the third party provider guarantee access to the same team for the duration of your contract?
Make sure the mission of the Project Management Office (PMO) is to provide best-in-class program and project management services to the enterprise (HR) through strong partnerships, robust communication, organization and discipline, and extensive risk management.
Has your organization recruited, or does it plan to recruit, individuals or entities?
Mentor peers and team members on critical inputs and requirements of third party risk management to ensure the success of the program.
What process is utilized by your organization to prioritize security related enhancement requests?
Ensure your TPRM portfolio of services includes a broad variety of solutions for your (internal) clients, including designing and implementing broad third-party governance and risk management frameworks/processes, developing third-party risk and control assessments, and implementing managed services to improve/enhance an organization's TPRM program.
TECHNOLOGY:
What is your strategy – do you have strategic plans, paths, focus areas, etc?
Be confident that your company is involved in third party risk management and procurement policies, processes, controls, technology and tools, etc.
Have you realized, due to the pandemic, that your ongoing monitoring needs to be strengthened?
Establish that your organization develops and conducts analysis, reviews and evaluations of business processes to field new Enterprise Resource Planning (ERP) systems or modify existing systems to improve efficiency, update technology, or strengthen internal controls.
Does your organization have an understanding of all third parties supporting the enterprise?
Support the Operations Lead in identifying process improvements, defining business requirements and suggesting enhancements for any technology and tools supporting in-scope processes.
What release criteria does your organization have for its products with regard to security?
Collaborate closely with technology and business development teams on the development, QA, and release of products and the balancing of resources to ensure success for the entire organization.
How are you defining the tradeoffs between rapid remote services and key cyber/fraud/privacy risks?
Support the TPPM Ops Head in identifying process improvements and enhancements for any technology and tools supporting in-scope processes, and in defining business requirements.
Is that third party supporting an essential business process within your organization?
Oversee that your operation is involved in working in an Information Technology organization supporting a corporate environment.
How many critical third parties are within your organization's third party inventory?
Secure that your organization keeps informed regarding new and emerging information technology trends, including IAM solutions, endpoint protection technologies, web application firewalls and intrusion prevention, encryption, access control methodologies, IDS/IPS systems, SIEM tools and network scanners.
What would you do if any of the parties involved were the subject of a cyber attack?
Guarantee your process is involved in working through the technology tool vendor selection and implementation process.
How do you gain excellence in third party risk management in a changing regulatory environment?
Certify your company reviews and makes decisions to revise and update business goals and objectives based on changing technology and business needs.
Are contingency plans being produced and implemented effectively when necessary?
Make headway so that your personnel resolve critical path issues across multiple divisions to keep business technology initiatives on plan.
DATA:
Are third party vendor contracts up to date, and do they cover all expectations for security?
Confirm that your company is accountable for the cybersecurity risk posture of the enterprise, with a focus on privacy, policy management, third party vendor risk management, and data protection and governance.
Do you use specific criteria to classify third party risks as high, medium & low?
Oversee that your company is performing on project teams and providing deliverables involving multiphase data analysis related to the evaluation of compliance, finance, and risk issues.
Is there a tracking system designed to monitor and obtain missing suitability information?
Warrant that your strategy utilizes data and analytics to deliver insight into (internal) customer and business process performance, identifying opportunities to influence (internal) customer and business process activities and inform key stakeholders.
How do you conduct the appropriate level of third party due diligence, risk monitoring and early indication reporting?
Warrant that your team possesses project management skills in relation to data management projects, including developing project plans, budgets, and deliverables schedules.
Who has the most experience operating third party risk management programs?
Be certain that your team has experience operating in a professional services organization or large enterprise as a consultant, data analyst, auditor or business process specialist.
Has a budget been established for either the quality or safety program?
Be certain that your strategy performs various scientific data analyses to evaluate the quality of raw materials, in-process materials, and finished goods and to ensure compliance with established standards.
How important/critical is the function/system/capability provided by the supplier to you?
Check that your company is analyzing external supplier data to drive recommendations to Sourcing and Procurement category and Supplier Management teams.
Are you unable to scale your TPRM program or find the right skilled resources to support it?
Liaise so that your company interprets and utilizes analytical data to drive informed decision making and support complex business strategies.
How important is understanding the information security risk of vendors?
Warrant that your strategy leads discovery sessions and requirements gathering in concert with Business Analysts to understand (internal) client processes, legacy systems and data, configuration specifications, and customization requirements.
Are changes or improvements resulting from the project evaluation process?
Define KPIs to measure the effectiveness of creative work and the efficiency of processes, and lead an optimization process that uses actionable reports and data to improve operational efficiency.
PRODUCT:
Does your organization use automated exception reporting systems to flag potential compliance problems?
Warrant that your company works with the product development teams to continuously conduct risk assessments to understand the threats, define mitigations, monitor field deployments, and plan for incident response related to existing and new use cases of your product offerings.
Which groups are less involved in different kinds of decision making, or in different kinds of implementation, or in different kinds of benefits, or in different kinds of evaluation?
Check that your organization is involved in building out, scaling, and integrating security and compliance into the product SDLC.
Does your organization have a policy to improve its energy efficiency?
Interface so that your process creates and leads data governance processes to ensure the privacy and protection of your (internal) customers' data that is created and/or collected by your products, systems, and services.
What release criteria does your organization have for its products with regard to security?
Be confident that your operation is involved in engaging teams who are building technology products or services, and in working with engineering to define technical requirements and see them through to development and release.
Did/will the project facilitate positive communication/interaction between and within groups?
Be certain that your workforce is interacting with various business partners to provide detailed technical guidance and expertise in leveraging the IoT Core Platform deliverables, partnering with (internal) customers to create aligned roadmaps and facilitate utilization of the products, solutions and technologies that you oversee.
Are there clear and unambiguous conclusions supported with technical information regarding risks associated with the current site condition?
Certify your personnel are analyzing data metrics from multiple systems to help identify key areas that need attention, justify resource utilization, support the product lifecycle, and support user involvement.
What is the best mix of incentives to reinforce corresponding concepts across your organization?
Liaise with UX, QE and release engineering teams to ensure a quality product is delivered to (internal) customers.
Does the CSF take a one-size-fits-all approach to information security?
Be certain that your process applies an organization-minded, results-oriented approach to product leadership.
Have other factors affecting the feasibility of project options been identified?
Verify that your team is monitoring production systems and making sure that you have the appropriate tools to do this properly.
Are the contractual requirements for material outsourcing appropriate and sufficiently clear?
Provide data and recommendations to production and engineering for process adjustments to remove sources of special cause variation.
COMPLIANCE:
Have clear and precise criteria for evaluating the project been established?
Certify your organization produces various training materials and delivers training to first line business units to ensure compliance with established exposure limits and overall adherence to TPRM program requirements.
What additional issues should your organization consider related to internal and external dependency management and the covered entity's use of third party service providers?
Warrant that your organization partners with the business unit(s) to ensure all processes and procedures are in compliance with policies, standards and processes.
What skills are required of leaders and teams to leverage the true value of analytics?
Assure your operation leads and conducts assessments for compliance and governance requirements based on standard programs to lead your organization in meeting business needs.
What should a FinTech organization consider when partnering with a bank?
Secure that your organization is partnering with Sourcing business partners to ensure internal business owner compliance with all applicable (internal) client policies.
Are there any high risk locations in which your organization operates?
Safeguard that your staff's ethics and corporate compliance program is designed to prevent, detect, and mitigate misconduct and ensure your organization operates its business with the highest standards of integrity.
How effective is the evaluation and vetting of third parties' security practices?
Check that your workforce is responsible for implementing and maintaining procedures and controls to assure compliance with applicable regulatory, contractual, and legal requirements as well as good business practices.
Will the vendor require extra security measures, either physical or virtual?
Support affiliate related standards and policy development, and support oversight activities to ensure policies, standards and guidelines are in place and managed over time, with consistent compliance monitoring and enforcement measures.
How do you determine if further due diligence needs to be conducted on a third party?
Conduct regular business reviews with key vendors to ensure compliance with contract deliverables.
How do you monitor third parties?
Confirm that your process tracks and monitors internal items, tasks, and projects required for business and Compliance goals.
How is your organization positioned and equipped to identify and mitigate risk?
Be confident that your operation is responsible for the execution of Compliance processes, including controls, attestations and testing, and monitoring and oversight of recommendations to correct or mitigate IT systems control and compliance weaknesses.
BUSINESS:
What are the sources of the overnight capital costs for the resources used in the model?
Be certain that your organization manages capacity through effective demand planning and prioritization in collaboration with business stakeholders and the sourcing team to ensure operational efficiency, drive value, and reduce cost.
Can assessors use sampling to improve the efficiency of the assessment?
Ensure your team helps organizations develop TPRM business plans, cost benefit analyses, target operating models, and short/long term strategies, and ultimately improve the effectiveness of their TPRM programs.
Does the reporting aggregate your organization's operational risk in an understandable way?
Be certain that your strategy is responsible for ownership and maintenance of the Business Continuity and Crisis Communication software, including user access and training, troubleshooting, reporting, and data analysis.
Are third parties complying with new human rights focused legislation?
Create dashboards, visualizations, and analyses that surface insights and drive key business decisions; provide interpretation and analysis, or insight along with clearly stated information, representing both the team and leadership.
Does management address issues/concerns effectively, adequately, and in a timely manner?
Validate that business units (first line) are executing the TPRM program requirements effectively.
How do you incorporate data from external sources into your review process?
Warrant that your strategy delivers objective, consultative advice and provides strategies that effectively address pain points, create value, and maximize business efficiencies.
What technology will be used to support third party expenditure management?
Create product strategy documents that describe business cases, high level use cases, technical requirements, revenue and ROI.
Does your ongoing monitoring approach cover a mix of design and operational effectiveness testing?
Make sure your design involves researching information, problem solving, and making solid business decisions.
Is your organization also a third party that is required to complete customer assessments?
Be certain that your group designs solutions for unanswered business questions and anticipates future business needs.
What do you need to have in place in order to conduct a longitudinal assessment?
Elicit, analyze, and write business requirements documents (including Agile stories and supporting documentation), and plan/conduct UAT testing.
THIRD:
Is there a process that requires security approval to allow external networks to connect to your organization's network, and that enforces the least privilege necessary?
Work with Compliance and Information Security teams as well as internal stakeholders and external vendors throughout the Third Party Vendor life cycle.
How will the results of corresponding processes and decisions be monitored, measured, and communicated?
Maintain strong, collaborative partnerships with key stakeholders across the business functions and corporate areas involved in vendor governance related efforts, and communicate third party information across organizational lines where beneficial to the enterprise.
Is exposure to the pollutant also occurring from other environmental media?
Conduct regular meetings with aligned business engagement and relationship managers to ensure timely execution is occurring for all required activities under the Third Party Program lifecycle requirements 1-5.
What is your strategy – do you have strategic plans, paths, focus areas, etc?
Work with business units to establish an effective process flow for third-party submission and continued third-party oversight, including setting minimum information requirements, SLAs for due diligence reviews, dispute resolution processes, etc.
Which departments have key responsibilities for your third party risk management program?
Invest in ensuring overall adherence to information security policy and standards and implementation of best practices by third parties with whom Discovery engages.
Do you have a centralized risk repository of your third party relationships?
Lead Business Units in onboarding, ongoing monitoring and exiting from relationships with Third Parties by following established procedures; ensure timely processing, monitor progress, and resolve issues, queries and escalations.
Can the assessment be used as part of your institution's oversight of third parties?
Certify your company supports Business Partners and other stakeholders in effectively implementing the Third Party Policy, including the most effective use of third parties.
Does your organization obtain and review, on an ongoing basis, research on issues?
Certify your workforce leads coordination with third party governance and line of business technology teams.
Do your organization's IT and systems support KPI monitoring, reporting and performance assessment?
Maintain vendor monitoring plans and other centralized vendor documentation to facilitate analysis, cross-functional information sharing, and reporting across the full inventory of third-party relationships.
Do you have a documented, organization-wide program in place to manage risk?
Work as a member of the team, supporting necessary activities to ensure the success of the TPRM program as delegated by the Head of Third Party Program Oversight.
VENDOR:
Do you ensure your SLAs are integrated within your critical vendor contracts?
Confirm that your staff drives business unit relationship manager team members to define business needs and manage vendor performance to meet SLAs.
What security measures are in place for the software packaging facility?
Ensure your team helps maximize value from vendor relationships and ensures your internal business partners across various business units and functions have the products, tools, and services they need to succeed.
Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests?
Certify your organization maintains the vendor database, audit and tracking requirements, develops measures and provides reporting internally and externally; reports key results to internal stakeholders, regulatory agencies and select advocacy groups; and tracks performance against supplier diversity goals and plans.
Can the system support request and approval of project changes in a project-defined format?
Own execution and satisfaction of all head count, billing/invoicing, technology integrations/migrations, and business expansion/contraction support, as well as any and all support for reallocation, reduction, expansion and termination of vendor SOWs.
Do you provide a brief overview of recent years' market conditions and the outlook going forward?
Liaise so that your group advises and leads in the planning and due diligence for onboarding a new vendor and/or expanding services of an existing vendor for the Business Unit/Department.
Does the system support the distribution of safety notices for a project?
Provide support to business stakeholders' vendor evaluations through qualitative and quantitative analysis.
When would the product normally be replaced as part of preventive maintenance?
Review vendor information for completeness, prevent duplication, and ensure ongoing data integrity of information.
Are items requiring special protection isolated to reduce the general level of protection required?
Interface so that your team reaches out to vendors hosting your data regarding current threats to ensure they are taking the necessary steps to reduce exposure.
How does your organization integrate relevant and actionable intelligence into security operations?
Understand business stakeholders' objectives and business drivers and integrate them into the commodity/category/vendor strategy with input from key stakeholders.
How capable are your organization's operational risk management technology platforms in areas?
Guarantee your company is involved in Standardized Information Gathering (SIG) and vendor interviews.