R&C: Could you provide an overview of third-party risk management and what it entails for companies?

Matthews: Third-party relationships are a huge source of strength for most organisations. But without proper oversight, they could become a weak link, exposing the organisation to strategic, operational, financial, legal, regulatory, compliance, cyber security or reputational risk. That is where third-party risk management (TPRM) comes in. TPRM is about understanding which of the risks in the organisation’s universe are managed by third parties, assessing whether the third parties are capable of managing those risks in line with the organisation’s policies and establishing oversight of third parties after signing a contract. TPRM involves upfront risk-based due diligence to evaluate third-party controls and informs contract terms and conditions, as well as ongoing risk-based oversight to ensure third parties deliver in line with expectations.

Jan-Mar 2018 Issue