Skip to content


Adapting Your TPRM Program to Internal and External Change

By Michael Volkov (Updated )

In order to weather today’s constantly-changing business environment, every organization needs a TPRM program tailored to its unique risk profile and risk tolerance, to its third-party ecosystem with varying risk exposure from different third parties, and to the organization’s business objectives, its unique strategic, operation, financial and competitive goals.  A well-structured risk appetite and tolerance framework become integral to an organization’s culture, which helps that organization successfully integrate changes in leadership and even changes in the fabric of the organization.  Just when it appears that businesses are getting over one catastrophe, two more are waiting in the wings.

Governing third-party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategies, and more.  Organizations are in a constant state of flux, having to monitor the span of regulatory, geopolitical, economic, and operational risks across the globe in the context of their third-party relationships.  Just as much as the organization itself is changing, each organization’s third-party relationships are changing, introducing further risk exposure.

Best practices for TPRM design

Based on an organization’s risk appetite and tolerance framework, an organization can design a TPRM that is fit for purpose, meaning that its processes, configurations, and IT services are capable of meeting the organization's objectives.  Being fit for purpose requires suitable design, implementation, control, and maintenance.  Generally, best practice means leveraging technology such as Artificial Intelligence and automation, as well as content from external sources to fill in gaps in risk information, robust third-party screening, and due diligence to help teams make informed decisions about who to work with, an integrated risk data model in one platform that all facets of the organization can access, and assessing fourth-party risk – working with third parties to monitor subcontractors or utilizing external risk intelligence to do so.

Executive sponsorship is critical to forming the adaptable, sustainable culture necessary to weather today’s changing risk landscape.  Key stakeholders within your organization must actively support and sponsor the third-party risk management program and set the culture of risk and compliance.  Management must also be in tune with the effectiveness and efficiency of third-party risk management initiatives and processes throughout the organization.  This requires communication from the top down.

Adapting Your Change Management Processes for TPRM

While your organization’s activities can be outsourced, responsibility cannot.  Third-party management has grown exponentially in importance as well as as a subject of regulatory focus.  Your organization may have outsourced services, but your Board of Directors and executives remain accountable should your customer’s data get leaked.  Multiple regulations, such as Health Insurance Portability and Accountability Act (HIPAA), Anti-Money Laundering (AML) requirements, Conflict Minerals Reporting requirements, the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Federal Trade Commission (FTC) Act, Office of the Comptroller of the Currency (OCC), and the Dodd-Frank Act have increased the focus on third-party governance, forcing organizations to be sure of the third parties they take on board, as well as those that they choose continue a relationship with.  A deep and current understanding of all the regulations applicable to the organization must be established so that approaches can be developed for achieving the required compliance, measuring the level of compliance achieved, and proving it to the regulators.  While this is possible to do in-house, an automated solution is both more realistic and preferable.

New third-party risks emerge,  existing risks and enforcement intensify and non-compliance is simply no longer an option.  Your organization has the opportunity to develop an integrated response to regulatory obligations while gaining a competitive advantage.  With third parties accessing regulated company information, the likelihood and impact of IT security incidents are on the rise.  Regulators are looking for the methodology, approach, and sustainability of programs designed to capture and mitigate these risks and are generally seeking evidence on how a program and its processes are embedded and aligned within an organization’s risk culture and risk appetite.

The importance of TPRM during mergers and acquisitions

This is equally vital prior to any merger or acquisition.  Your organization must understand if and how a target company processes sensitive data and whether it’s sent to third parties.  Your organization should have any target company detail cybersecurity best practices, find out how mature practices are and whether there are major risks.  This includes identifying all third parties that provide cybersecurity services, reviewing all contracts and agreements with third parties, including determining what the ability to recover is in case of a breach, finding out if any recent security breaches have occurred, and documenting the target organization’s use of third-party software. Ideally, a Cyber Security Assessment will be performed on the target organization.

This is because the value of a prospective partner or target company’s business may be materially reduced if its network has been compromised and/or its intellectual property has been stolen and exploited by cyber adversaries.  An acquiring company may inherit massive liabilities if the prospective partner or target company’s environment has been breached and customer data has been stolen.  The risk of cyber adversaries gaining access to your organization’s systems is also introduced by merging your network and IT systems with an organization that has cyber vulnerabilities.  A significant investment may be required to bring that organization’s security controls up to an acceptable level.

To avoid this, screening, monitoring, and assessing the target company’s TPRM governance and culture is vital.  By gaining an understanding of how the target handles due diligence on its own Nth Parties’ providers' supply chains, a wider view of the scope of risk the target company presents can be gained.  But the greatest cause for concern in achieving M&A success is integration failure, and often the issue is cultural fit.  This brings us back to executive leadership.  After a merger or acquisition, a change in culture may be necessary in order to integrate TPRM into the culture.  For successful integration, support from senior management is critical.  Senior management must both ensure that appropriate resources and budget are available to develop the program and emphasize to both organizations the importance of TPRM.  Ideally, this will be completed before close of the transaction.

Benefits of effective TPRM programs

A sustainable third-party risk management program lowers costs due to the reduction of manpower, resources, time and remove redundancy within manual processes.  This improves efficiency throughout the whole process and augments decision-making through greater insight into the activities and exposure of third-party relationships throughout the organization.  A mature third-party risk management program needs to be a seamless part of your organization’s operations. Third-party risk and compliance have to be a part of the culture of the business, and this requires both an effort from the top and bottom of the organization to both adequately build on this culture and participate within it, meaning business functions need to effectively and efficiently monitor third-party risk and relationships.

In a dynamic business environment where potential, emerging risks lurk around every corner, a strong culture of third-party governance and compliance is the bedrock of an effective TPRM program.  This culture and framework ensures that all relevant employees and stakeholders involved in third-party risk management are collaborating with the same key points of data and information and that everyone involved within the organization understands their specific role, the potential consequences for a breach or violation of the rules and the expectations from senior management.  TPRM should be viewed as an essential function of the business, rather than a series of requirements to check off.  This will make your organization more adaptive and efficient, directly impacting your organization’s bottom-line.

Establishing a risk-based third-party risk management program and maturing processes over time probably isn’t as expensive as you think.  It is vital to your organization’s success to ensure your TPRM program remains adaptive to changes in the risk landscape.

Michael Volkov

Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).

Implement a tailored Third-Party Risk Management solution

View platform

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.

We respect your privacy. Your data will be kept confidential and will not be sold or shared with third parties. For more information, please see our Privacy Notice.