Third-Party Risk Management
FAQ
Our Third-Party Risk Management program ensures your organisation meets international standards for supplier risk protection, regulatory compliance and operational reliability, and that your organisation remains protected.
This FAQ outlines how we assess, onboard, and manage third-party relationships to identify and mitigate risks.
Framework Fundamentals & Necessity
Why is a formal TPRM framework necessary for your organisation?
Beyond simple vendor management, a formal TPRM framework ensures that risks introduced by external entities, such as data breaches, operational outages or regulatory non-compliance, are systematically identified and mitigated. For financial institutions, this is often a regulatory requirement to ensure operational resilience and protect sensitive customer data.
Why is a documented "TPRM Framework" essential for staffing resilience?
A formalized, multi-phase framework provides a repeatable playbook that new staff can follow. When processes like "Due Diligence" and "Risk Tiering" are documented, the organisation reduces its reliance on the "tribal knowledge" of a small number of staff.
How does TPRM align with evolving regulations?
Regulators (like the FCA, SEC, or ECB) are increasingly focused on operational resilience.
- Your TPRM framework must include "regulation tracking" to stay up to date with the latest requirements.
- Maintaining "auditable evidence" of governance is mandatory to support regulatory reviews and supervisory scrutiny.
What defines an "Auditable" TPRM Governance structure?
To satisfy regulatory scrutiny, you must maintain auditable evidence of third-party risk governance and oversight. This includes documented escalation routes and clear decision-making paths for executive ownership.
Supplier Identification, Tiering, and Scoping
How should we categorize our suppliers?
Logica Security recommends a three-tiered risk methodology to prioritize resources:
| Tier | Classification | Description |
|---|---|---|
| Tier 1 | Business Critical | Vital to operations; high impact if breached; full data access. |
| Tier 2 | Medium Impact | Supports significant processes; manageable short-term disruption; limited sensitive data. |
| Tier 3 | Low Risk | Non-essential services; no sensitive data; minimal business or regulatory impact. |
How do we begin the supplier identification process?
The first phase involves establishing engagement with procurement. Key steps include:
- Identifying Stakeholders: Engage all relevant internal departments.
- Scoping Services: Ensure the review covers both data and physical products.
- Centralizing the Supplier List: Consolidate all vendors into a single, manageable database.
How do we prioritize which legacy vendors to assess first?
You should apply the risk tiering methodology retrospectively. Focus immediate resources on "Tier 1: Business Critical" suppliers—those vital to core operations where a breach would have a high impact. Once the high-risk "head" of the backlog is secured, move systematically to Tier 2 and Tier 3.
What are the specific expectations for "Tier 3" Low-Risk suppliers?
Tier 3 suppliers are non-essential and do not handle sensitive data. While they have minimal business or regulatory impact, they should still be expected to comply with basic standards like "Cyber Essentials" and remain subject to periodic reviews to ensure they haven't "crept" into higher risk categories.
What role does "Systems Uptime" play in our tiering?
Uptime and Availability are key metrics for Tier 1 and Tier 2 suppliers. For Tier 2 suppliers, an outage should be disruptive but manageable in the short term, with a Recovery Time Objective (RTO) typically needing restoration within a business day. For Tier 1, the impact is considered "High" if these systems fail.
What is the role of "Amnesty Periods" or "Conditional Approval"?
For non-critical vendors (Tier 3), risk owners may grant conditional approval based on "Cyber Essentials" or similar baseline standards. This prevents procurement bottlenecks while ensuring that all suppliers are eventually captured within the centralized supplier list and assigned a risk rating.
How does centralizing the supplier list protect against staff turnover?
By moving away from individual spreadsheets and establishing a centralized supplier list, you ensure that institutional knowledge isn't trapped in one person's inbox. This creates a "single source of truth" that any authorized team member can access to track supplier risk shifts.
What is the "Procurement Team’s" role in risk management?
The Procurement Team acts as the "First Line of Defence." They are responsible for:
- Establishing visibility over the initial procurement process.
- Identifying stakeholders early in the supplier identification phase.
- Ensuring the scope covers both data and physical product risks.
Due Diligence, Assessment, and Risk Definition
What does the due diligence process look like?
Due diligence depth should be commensurate with the supplier's tier.
- Tier 1: Requires the most rigorous assessment, often involving onsite audits and physical security assessments.
- Tier 2 & 3: Typically focuses on security questionnaires and checking requisite certifications to assure the vendor's security posture.
How can we verify a supplier’s security posture beyond questionnaires?
While questionnaires are a starting point, Tier 1 and high-risk suppliers require more "active" verification. This includes:
- Checking for requisite security certifications (like ISO 27001 or SOC2).
- Conducting onsite audits, including physical security assessments.
- Reviewing evidence of their internal security posture.
Why is "Physical Security" included in digital due diligence?
For critical Tier 1 suppliers, digital security is only half the battle. Onsite audits should include physical security assessments to ensure that the hardware and infrastructure hosting your data are protected from unauthorized physical access or environmental hazards.
How do we ensure "Data Integrity" across the supply chain?
Beyond confidentiality, your framework must assess how a supplier maintains the integrity of your data. This involves ensuring that the supplier cannot improperly modify or corrupt the data they process. This is a core criterion for both Tier 1 and Tier 2 classifications.
What constitutes "High Impact" in a Data Protection Impact Assessment (DPIA)?
A DPIA is a requirement for suppliers with significant data access. A "High Impact" rating occurs when a breach would result in significant regulatory fines, legal action, or reputational damage. Tier 1 suppliers are almost always categorized by this high impact on data privacy.
How do we differentiate between "Inherent" and "Residual" supplier risk?
Inherent risk is the risk level before any controls are applied—essentially, "what is the worst-case scenario if this vendor fails?". Residual risk is what remains after you have applied due diligence, such as checking certifications or conducting onsite audits. Risk owners must decide if the residual risk falls within the institution’s risk appetite before awarding contracts.
What is "Concentration Risk"?
Concentration risk occurs when your institution relies too heavily on a single vendor or a specific geographic region for critical services. If that vendor fails, or that region faces a geopolitical crisis, your entire operation could be paralyzed. Senior leaders must track these dependencies to ensure that a single point of failure doesn't exist across the supplier portfolio.
Can we use "Standardized Profiles" to speed up the process?
Yes. To clear a backlog quickly, check for existing market certifications like ISO 27001 or SOC2 instead of waiting for custom questionnaire responses. This allows you to verify a supplier's security posture efficiently without a manual deep dive into every control for lower-priority vendors.
Ongoing Monitoring & Lifecycle Management
What are the requirements for the supplier lifecycle?
The framework must manage changes from "cradle to grave":
- Onboarding: Assess prospective suppliers for cyber and resilience risk before contracts are awarded.
- Re-assessment: Adjust tiering and monitoring if the supplier's operating context or data access changes.
- Offboarding: Use controlled exit processes to ensure data is returned/destroyed and access is terminated.
Is TPRM a "one and done" exercise?
No. Ongoing monitoring is essential to an effective TPRM programme. This includes:
- Threat Intelligence: Activating cyber risk monitoring to track real-time supplier risk shifts.
- Fourth-Party Monitoring: Tracking dependencies on downstream vendors, including concentration risks, that may impact your critical third parties.
- Periodic Refreshes: Engaging in trigger-based evidence updates and maintaining an up-to-date framework against new regulations.
How do we move from "Point-in-Time" to "Continuous" monitoring?
Static annual reviews are often outdated the moment they are finished. Risk owners should activate cyber risk and threat intelligence monitoring to track real-time supplier risk shifts. This allows for a dynamic view of the supply chain's health between formal audit cycles.
When should a supplier’s risk tier be re-evaluated?
Risk tiering is not a static label. You should trigger a re-assessment whenever:
- The operating context changes (e.g., contract changes or a vendor moves data to a new jurisdiction).
- The criticality of the service changes.
- Data access permissions are expanded.
What are "Trigger-Based" assessments?
Instead of waiting for an annual review, "trigger-based" assessments are initiated by specific events. These might include a reported data breach at the vendor, a significant change in their leadership, or a dip in their cybersecurity health score as identified through continuous monitoring.
What are the "Trigger-Based" events for an off-cycle refresh?
While regular reporting is monthly or quarterly, certain "triggers" necessitate an immediate refresh of evidence. These include changes in the supplier's operating context, a reported cyber incident in their own supply chain, or a significant change in the services they provide to you.
How do we ensure "Exit Resilience"?
Risk owners must plan for the end of a relationship before it begins.
- A "controlled exit process" ensures the secure termination of access.
- It mandates that data handling obligations are met and all residual risks are formally closed out.
- This prevents "vendor lock-in" and ensures you can migrate services without operational downtime.
Risk Mitigation & Remediation
How do we manage risks once they are identified?
Once gaps are revealed, you must:
- Collaborate on Remediation: Work with the supplier to close security gaps.
- Build Response Capabilities: Develop incident response plans specifically for supply chain security issues.
How do we mitigate risks that cannot be fully remediated?
Sometimes, a supplier has a gap that cannot be immediately fixed. In these cases, risk owners must:
- Build internal incident response capabilities to handle potential failures.
- Agree remediation activities, timelines and action owners.
- Document formal escalation and decision-making routes for executive sign-off on "residual risk".
How do we bridge the gap between "Risk Identification" and "Risk Mitigation"?
The remediation phase of the TPRM lifecycle requires a collaborative approach where you work with the supplier to close identified security gaps. If a gap cannot be closed, you must document the risk and build internal incident response capabilities to cushion the impact of a potential failure.
What practical steps can we take to mitigate risk when we have no direct contract with the fourth party?
Since you lack "right to audit" over fourth parties, mitigation must be managed through your third-party contracts:
- Contractual Flow-Downs: Ensure your third-party contracts require them to conduct the same level of due diligence on their subcontractors as you do on them.
- Fourth-Party Monitoring: Activate cyber risk and threat intelligence monitoring specifically on the sub-vendors that support your Tier 1 suppliers to track risk shifts in real-time.
- Exit Resilience: Maintain a controlled exit process that accounts for fourth-party dependencies, ensuring data can be retrieved even if the fourth party fails.
Governance, Reporting, & Accountability
What is the role of the Board and Executive leadership?
Direct lines of accountability and oversight must return to leadership:
- Ownership: Establish clear executive accountability and defined decision-making routes.
- Reporting: The Board should receive regular reports covering critical suppliers, concentration risk, and remediation status.
- Assurance: Maintain auditable evidence of oversight to satisfy internal audits and regulatory scrutiny.
What specific metrics should be reported to the Board?
The Board requires high-level, "certainty-focused" reporting. Key metrics include:
- The status of remediation for identified security gaps.
- Breakdown of critical (Tier 1) suppliers and their current risk health.
- Key risk themes emerging across the supply chain.
How do we provide "Board-Level Assurance" of TPRM effectiveness?
Assurance is provided by maintaining an auditable trail of all governance activities. This includes documented evidence of third-party risk oversight, which is used to support internal audits and respond to ongoing supervisory scrutiny from regulators.
How do "Defined Accountability" routes reduce key person risk?
Establishing clear executive ownership and documented escalation routes ensures that risk decisions are not the sole responsibility of a single analyst. Distributing accountability across executive governance and the Board ensures the program remains functional even if key operational staff depart.
What are the regulatory consequences of inadequate reporting?
Poor reporting can lead to a lack of "Auditable Evidence," which is a major red flag during regulatory reviews or supervisory scrutiny. If the Board cannot prove they have oversight of critical suppliers and remediation status, the institution may face fines or increased capital requirements.
How does "Certainty-Focused" reporting mitigate executive blind spots?
Executive reports should move beyond raw data to focus on "key risk themes" and "concentration risk". By providing a monthly or quarterly status of supplier risk, you ensure the Board understands where the actual vulnerabilities lie rather than being buried in technical metrics.
How do we ensure reporting leads to actual risk reduction?
Effective reporting must include "Remediation Status" to show that identified gaps are being closed. This creates a feedback loop where the Board can provide the necessary "Operational Leverage" to ensure the Procurement and Risk teams have the resources to mitigate identified supplier gaps.
How does "Operational Leverage" impact our risk posture?
Operational leverage refers to the efficiency gained by using third parties, but it introduces dependencies. Risk owners must balance the cost-saving benefits of outsourcing with the increased need for executive governance and board-level assurance to manage those dependencies.
Logica Security is a UK based cybersecurity consultancy specialising in regulated and high-risk industries. We support organisations across cyber security, operational resilience and supplier risk.
© Logica Security Limited | Company Registration: 11806049. All rights reserved.