Third Party Risk Management - Consultancy, Assessment & Advisory

Dynamic Due Diligence – The Shared Assessments TPRM Framework Module 6

While at first glance the topic of due diligence may appear to be a stodgy one, the reality of a rapidly changing risk landscape and the evolution of due diligence techniques suggests that the opposite is true. The latest section of the Shared Assessments Third Party Risk Management (TPRM) Framework has just been released, providing a deep dive into a wide range of due diligence processes across the TPRM lifecycle.


Even within broad risk categories, the specific areas requiring due diligence can change quickly. Emerging global risks, for example, require consistent monitoring and can vary significantly over time, both in terms of likelihood and impact. The chart below shows how these broad categories of risk have changed substantially over a short period of time. Of note, in 2009 environmental issues did not appear in the top five risks either in terms of impact or likelihood of occurrence. Yet, by 2019, 60% of the top five issues – in terms of both likelihood and impact – were environmental in nature (extreme weather events, failure of climate change mitigation, natural disasters).


Chart: The Changing Nature of Global Risks

TPRM due diligence processes allow Outsourcers to more fully understand the type and severity of residual risks an outsourcing decision might introduce. While most Outsourcers have an appropriate focus on monitoring security hygiene of vendors once onboarded, fewer practice an appropriate level of due diligence during the vendor selection process as a regular part of Request for Proposals (RFPs) short-list candidate evaluations, especially for vendors that support “critical” or “important” services.

The Due Diligence Module of the Shared Assessments TPRM Framework discusses why RFPs should be designed to identify potential gaps between an Outsourcer’s TPRM (and other) requirements and the Third Party’s capacity to meet those requirements. Especially for critical relationships, RFPs are best constructed when they contain key clauses from an organisation’s Master Services Agreement (MSA). Not only can incorporating MSA clauses containing key risk requirements help cull RFP responses faster, but a well-constructed set of clauses also establishes baseline security expectations for Third Parties very early in the outsourcing process. With today’s continuous monitoring techniques, Outsourcers can and should get a feel for vendor security hygiene while RFPs are still being evaluated. And for critical outsourcing parties, Outsourcers should consider onsite assessments before signing any contract.

Outsourcers should conduct widespread due diligence across a number of areas. Accordingly, this module explores the nuances of Third Party due diligence, focusing on:

Shared Assessments members can review the latest Framework module here.

This article was originally published by Shared Assessments and is used with their kind permission.


About the Author

Gary Roboff is a Senior Advisor to the Santa Fe Group where he focuses on payments, risk management, mobile financial services, and information management. Gary has almost four decades of experience in financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce.

Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilisation, as well as business frameworks and standards for electronic commerce applications.