What is third-party risk management (TPRM)?
Third-party risk management (TPRM) is the process of identifying, assessing and managing risks arising from relationships with suppliers, vendors, outsourced service providers and other third parties. A structured TPRM programme helps organisations manage cyber, operational, regulatory and supplier-related risks across the entire third-party lifecycle.
What is the difference between vendor risk management and supplier risk management?
Vendor risk management and supplier risk management are both components of third-party risk management. Vendor risk management typically focuses on technology vendors and outsourced service providers, while supplier risk management addresses risks associated with suppliers supporting operational and business activities. Both require structured governance, risk assessments and ongoing monitoring processes.
What is included in a third-party risk assessment?
A third-party risk assessment evaluates cybersecurity controls, governance structures, operational resilience capabilities, data protection measures and regulatory compliance of a supplier, vendor or outsourced service provider. Assessments typically include vendor security assessments, supplier risk assessments and control reviews to identify critical risks and dependencies.
When is a third-party audit or supplier audit required?
A third-party audit, supplier audit or vendor audit is typically required when a supplier or outsourced service provider supports critical business functions, processes sensitive information or operates within a regulated environment. Independent audits help organisations assess control effectiveness, strengthen oversight and support regulatory and audit requirements.
What is supply chain cyber risk?
Supply chain cyber risk refers to cybersecurity threats and vulnerabilities introduced through suppliers, vendors, cloud providers and outsourced service providers. Weak cybersecurity controls within the supply chain can expose organisations to cyber incidents, operational disruption and regulatory consequences, even where internal controls are strong.
Which regulations and frameworks are relevant to TPRM in Switzerland?
In Switzerland, FINMA-regulated organisations must maintain appropriate oversight of outsourced activities and third-party risks. Third-party risk management programmes are commonly aligned with FINMA outsourcing expectations, the Swiss Data Protection Act (DSG) and recognised frameworks such as NIST CSF, COBIT and ISO 27001.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.