Phone: (+44) 113 216 3188
Email: info@koyertraining.com
Koyer Training Services

Third-Party and Vendor Risk Management

Category: Risk and Crisis Management | October 25, 2025

Introduction

This course provides a disciplined, structured approach to managing the risks introduced by external partners, vendors, and service providers. **Third-Party Risk Management (TPRM)** matters because organizations increasingly rely on outsourced services, and every outsourced service brings with it the provider's cyber security weaknesses, compliance gaps, and potential for operational failure. Participants will learn to implement a complete TPRM lifecycle, from due diligence and contract negotiation through continuous monitoring to offboarding. The focus is on establishing clear risk ownership, setting control expectations proportionate to each vendor's criticality, and minimizing the regulatory and reputational exposure inherent in vendor relationships.

Objectives

Upon completion of this course, participants will be able to:

  • Establish a formal, end-to-end Third-Party Risk Management (TPRM) program lifecycle.
  • Identify and categorize third-party risks (e.g., operational, cyber, compliance, financial) based on service criticality.
  • Develop and execute comprehensive due diligence processes using structured questionnaires and audit reports.
  • Analyze vendor contracts to ensure appropriate risk transfer, audit rights, and service level agreements (SLAs).
  • Implement a continuous monitoring program to track vendor performance and control effectiveness.
  • Manage **Fourth-Party Risk** (the subcontractors and suppliers your own vendors depend on) and wider supply chain dependencies.
  • Ensure TPRM compliance with key regulations (e.g., GDPR, CCPA, financial industry guidance).
  • Develop clear reporting metrics and dashboards for executive oversight of vendor risk exposure.

Target Audience

  • Third-Party Risk Management (TPRM) Specialists
  • Vendor Management and Procurement Professionals
  • Information Security and GRC (Governance, Risk, Compliance) Analysts
  • Contract Managers and Legal Counsel working with vendors
  • Internal Auditors focused on outsourced services

Methodology

  • Group Vendor Risk Scoring and Categorization Workshops
  • Case Studies on Major Third-Party Data Breaches and Regulatory Fines
  • Individual Contract Clause Analysis and Risk Transfer Exercises
  • Role-Playing Due Diligence Interviews with Fictional Vendors
  • Discussions on Tool Selection for Automated Continuous Monitoring

Personal Impact

  • Mastery of a structured, auditable approach to managing external party risk.
  • Enhanced ability to negotiate vendor contracts to protect organizational interests.
  • Increased professional value in a high-demand, specialized area of risk and compliance.
  • Confidence in justifying and implementing robust due diligence controls.
  • Improved understanding of cyber and supply chain risk through the vendor lens.

Organizational Impact

  • Significant reduction in organizational liability, regulatory fines, and reputational damage.
  • Standardized, efficient, and cost-effective vendor management processes.
  • Improved security posture by ensuring all vendors meet minimum control requirements.
  • Clear visibility of third-party risk exposure across the executive level.
  • Compliance with industry regulations requiring formal vendor risk programs.

Course Outline

Unit 1: The TPRM Framework and Lifecycle

Strategy and Governance
  • Defining Third-Party Risk and the scope of the TPRM program.
  • The TPRM Lifecycle: Planning, Due Diligence, Contract, Monitoring, and Offboarding.
  • Establishing TPRM governance, including roles, responsibilities, and the risk committee.
  • Categorizing vendors based on the criticality of service and associated risk profile.
  • Integrating TPRM with the Enterprise Risk Management (ERM) framework.

Unit 2: Due Diligence and Inherent Risk Assessment

Vetting Methods and Tools
  • Developing standardized risk assessment questionnaires (e.g., the Shared Assessments SIG, or questionnaires tailored to a specific vendor or service).
  • Analyzing vendor responses, SOC reports (SOC 1, 2, 3) and external audit findings, including what each report type does and does not cover (a SOC 2 Type II report tests control operation over a period; a SOC 3 is a summary intended for general distribution and is not a substitute for the full report).
  • Conducting financial viability checks and background screening (reputational risk).
  • Onsite audits and interviews for high-risk vendors and critical service providers.
  • Defining the **Inherent Risk** score before control mitigation.

Unit 3: Contractual Risk Management

Legal and Compliance
  • Key contractual clauses for risk mitigation: liability limits, indemnification, and termination rights.
  • Embedding strong security and compliance requirements (e.g., data privacy, security standards).
  • Defining and managing Service Level Agreements (SLAs) and performance metrics.
  • Ensuring the contract mandates acceptable **Fourth-Party Management** by the vendor.
  • The process of obtaining senior management sign-off for residual risk acceptance.

Unit 4: Continuous Monitoring and Control Assessment

Oversight and Assurance
  • Implementing control monitoring: automated tools, security rating services, and performance dashboards.
  • Periodic re-assessment methodology for high and moderate-risk vendors.
  • Managing and tracking remediation plans for identified vendor control deficiencies.
  • Protocols for handling vendor-related security incidents and data breaches.
  • Understanding the impact of vendor consolidation and M&A on risk profiles.
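The categorization of vendors by criticality (Unit 1), the inherent risk score taken before controls are credited (Unit 2), the residual-risk sign-off (Unit 3) and the tiered re-assessment cadence (Unit 4) fit together as one scoring model. The following is an added, illustrative example and not material from the course or from Koyer Training Services: the factor scales, weights, tier thresholds, fourth-party uplift, linear control-credit formula, review cadences and sample vendors are all assumptions chosen for illustration, and a real program would calibrate them to its own risk appetite.

```python
"""Illustrative vendor risk tiering model (added example, not course material).

Every scale, weight, threshold and cadence below is an assumption made for
illustration; calibrate them to your own risk appetite and regulatory scope.
"""
from dataclasses import dataclass

# Assumed factor scales, 1 (lowest) to 4 (highest).
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
ACCESS_LEVEL = {"none": 1, "read": 2, "read_write": 3, "privileged": 4}
SERVICE_CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed weights (sum to 1.0) and tier thresholds on the 1..4 scale.
WEIGHTS = {"data": 0.4, "access": 0.3, "criticality": 0.3}
FOURTH_PARTY_UPLIFT = 0.5  # assumed: subcontracting reduces visibility, so it raises inherent risk
TIER_THRESHOLDS = (("High", 3.25), ("Moderate", 2.25))  # anything lower is "Low"
REVIEW_CADENCE_MONTHS = {"High": 12, "Moderate": 24, "Low": 36}  # assumed


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str
    access_level: str
    service_criticality: str
    uses_fourth_parties: bool = False


def inherent_risk_score(v: Vendor) -> float:
    """Weighted score before any control is credited, capped at 4.0."""
    score = (WEIGHTS["data"] * DATA_SENSITIVITY[v.data_sensitivity]
             + WEIGHTS["access"] * ACCESS_LEVEL[v.access_level]
             + WEIGHTS["criticality"] * SERVICE_CRITICALITY[v.service_criticality])
    if v.uses_fourth_parties:
        score += FOURTH_PARTY_UPLIFT
    return round(min(score, 4.0), 2)


def tier_for(score: float) -> str:
    """Map a 1..4 score onto the assumed High / Moderate / Low tiers."""
    for name, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return "Low"


def residual_risk_score(inherent: float, control_effectiveness: float) -> float:
    """Credit assessed controls (0.0 = no evidence, 1.0 = fully effective).

    Assumed linear model: controls can only pull the score down towards the
    1.0 floor, never below it, and only by the fraction the assessor credits.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    return round(inherent - (inherent - 1.0) * control_effectiveness, 2)


def assess(v: Vendor, control_effectiveness: float) -> dict:
    """Full assessment record for one vendor."""
    inherent = inherent_risk_score(v)
    residual = residual_risk_score(inherent, control_effectiveness)
    inherent_tier = tier_for(inherent)
    residual_tier = tier_for(residual)
    return {
        "vendor": v.name,
        "inherent_score": inherent,
        "inherent_tier": inherent_tier,
        "residual_score": residual,
        "residual_tier": residual_tier,
        # Cadence is keyed on the inherent tier (assumption): controls decay,
        # so a good audit result should not stretch the re-assessment clock.
        "review_every_months": REVIEW_CADENCE_MONTHS[inherent_tier],
        # Assumed policy: residual risk still in the High tier cannot be
        # accepted by the vendor owner alone and needs senior-management sign-off.
        "requires_risk_acceptance": residual_tier == "High",
    }


# Constructed sample vendors for illustration; not real organisations.
SAMPLE_VENDORS = [
    (Vendor("PayrollCloud", "regulated", "privileged", "critical", uses_fourth_parties=True), 0.5),
    (Vendor("MarketingSaaS", "confidential", "read", "medium"), 0.3),
    (Vendor("OfficeCatering", "public", "none", "low"), 0.0),
]

if __name__ == "__main__":
    for vendor, effectiveness in SAMPLE_VENDORS:
        print(assess(vendor, effectiveness))
```

Two design choices are worth noting. The re-assessment cadence is driven by the inherent tier rather than the residual tier, so that a favourable SOC report does not quietly lengthen the review interval for a critical vendor; and the sign-off flag is driven by the residual tier, which is the figure senior management is actually being asked to accept.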

Unit 5: Offboarding and Lessons Learned

Exit Strategy and Improvement
  • Developing a robust offboarding process to ensure secure data return/destruction and access revocation.
  • Risk considerations during vendor termination or transition to a new provider.
  • Compliance considerations for long-term data retention obligations post-contract.
  • Conducting post-relationship reviews to capture lessons learned for TPRM program improvement.
  • Future trends: supply chain security, interconnected ecosystems, and regulatory focus.


Upcoming Sessions

  • Istanbul: April 13, 2026 - April 17, 2026
  • Paris: April 20, 2026 - April 24, 2026
  • New York: May 11, 2026 - May 15, 2026

© 2025 Koyer Training Services - Privacy Policy