CTPRP
A fully developed TPRM program has become a critical component of an organization's
approach to... - ANS-Enterprise Risk Management (ERM)
Enterprise Risk Management (ERM) risk factors - ANS-strategic risks, financial risks,
operational risks, compliance risk, IT and infrastructure risks, reputational risks
GRC - ANS-Governance, Risk, and Compliance
GRC Definition - ANS-Governance, Risk, and Compliance (GRC) is the framework and
set of tools (policies, procedures, controls, and the decision-making hierarchy) that an
organization employs to manage risk. GRC systems partially automate risk
management processes such as onboarding, ongoing oversight, compliance,
incident/issue management, and maintenance of TP risk registers and inventories.
Definition of Frameworks - ANS-A framework is flexible and allows for adaptation.
Frameworks outline a broad perspective of interlinked items in a field of practice.
Definition of Standards - ANS-A Standard is clearly defined, rigid, and universally
accepted as the best method for addressing a specific topic. Within a standard, there is
typically one accepted way of accomplishing the task.
Within TPRM, it is common for technology controls to leverage _____ , and risk
management functions to leverage ____ to frame the requirements - ANS-Standards;
Frameworks
Regulations, Statutes, and Laws - ANS-Managing Compliance Obligations -
Compliance obligations can be driven by statutory, regulatory, contractual, or industry
requirements. While specific regulations are sectoral or country specific, there are more
commonalities in how regulations are being shaped by international, federal, or
state/provincial regulators that influence TPRM
Industry Sector Guidance - ANS-Industry sectors that are more highly regulated have
designated governmental agencies or functions responsible for oversight of participants
in that industry. These entities publish guidance that creates requirements and
obligations for both Outsourcers and SPs within each respective industry. In some
sectors, like financial services and healthcare, there may be formalized audits or
examinations to assess compliance for TP SPs.
Established Risk Culture. The first step is to ensure that requirements for risk-based
vendor management are communicated to the organization. Consider the following: -
ANS-Tone at the top
Risk posture
Risk tolerance
Risk management methodology
Acceptance process and exception process
Comparing Vendor Management and Vendor Risk Management - ANS-The
point-of-view on roles and responsibilities between vendor management and vendor risk
management is often misunderstood. Let's look at both the similarities and differences.
Vendor Management - ANS-In vendor management, the viewpoint is operations-based.
The organization will focus on issues or service delivery complaints. This involves
cross-functional resources to collaborate on defining requirements, contract terms and
provisions, and key metrics that define the relationship.
Vendor Risk Management - ANS-In vendor risk management, the viewpoint is
risk-based. The organization will focus on risks and threats. Just like in vendor
management, these processes involve cross-functional resources to collaborate on
defining requirements, contract terms and provisions, and key metrics that define the
relationship.
The risk associated with an outsourced activity takes many forms - ANS-These include
the specific risks associated with outsourcing, including but not limited to, financial
stability, financial criminal activity monitoring, reputational, concentration, legal, country,
operational, technology, and security.
The organizational function that identifies the need to outsource an activity should... -
ANS-determine the inherent risk associated with performing that activity. The inherent
risks identified will then determine the type and level of due diligence and control
validation to be performed to mitigate the risks associated with the activity.
Types of Risks in Third Party Relationships - ANS-Risk in Third Party relationships can
be looked at based upon process, technology, or external factors. Each type of risk
requires processes for risk identification, quantification, prioritization, and mitigation.
Risk in Third Party relationships may be viewed at the organizational level or at a
product/service level. For TPRM programs, the fundamental point-of-view is to evaluate
the risk based upon the function that has been outsourced.
Performance Risk: - ANS-The TP may not be able to meet its obligations due to
inadequate systems or processes
Reliability Risk: - ANS-The TP may not be able to adhere to an expected or contracted
level of service
Reputation or Brand Risk: - ANS-Damage to reputation or loss of clients due to poor
customer service, errors, processing delays, fraud, fines, etc.
Competency Risk: - ANS-The TP may not be able to retain skilled employees or
maintain up-to-date personnel qualifications
Availability Risk: - ANS-The TP's systems may not have sufficient redundancy or
resiliency during an event or incident
Technology Risk: - ANS-The TP's technology becomes obsolete, or a change in
technology triggers operational impact to the company
Cybersecurity Risk: - ANS-The TP may fail to appropriately manage threats,
vulnerabilities, and controls, which may result in loss of data
Scalability Risk: - ANS-The TP may not be able to support growth or spikes in demand
without service failures or decline in performance
Compliance Risk: - ANS-The TP may not be in compliance with applicable laws,
regulations, or contractual obligations
When an organization decides to seek external assistance from a Third Party or
establishes an internal dedicated entity (an Affiliate), to provide specific services and
expertise, then that organization will leverage... - ANS-Outsourcing to enter into a
contractual relationship to obtain those services. The development of optimal contract
terms is a critical best practice in TPRM. However, contract terms should never replace
oversight by the Outsourcer.
ESG - ANS-Environmental, Social, and Governance
GDPR - ANS-General Data Protection Regulation
Personal Data - ANS-The General Data Protection Regulation (GDPR) defines
"Personal Data" as any information relating to an identified or identifiable natural person
(data subject). An identifiable person is one who can be identified, directly or indirectly,
in particular by reference to an identifier. This includes a name, identification number,
location data, online identifier, or one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural, or social identity of that person.
Sensitive Data - ANS-GDPR's "special categories of personal data" define the Sensitive
Personal Data whose processing requires additional levels of controls, approvals, and
authorizations. This includes genetic data and biometric data where processing can
uniquely identify a natural person. Sensitive personal data also includes information
regarding racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade union membership, and a natural person's sex life or sexual orientation.
When conducting a Third Party assessment, a critical component in the scoping of the
vendor relationship is the... - ANS-knowledge of types of personal data or personal
information (PI) that is relevant for the types of services provided.
Two types within Data Classification - ANS-Data Category & Level of Confidentiality
Data Category - ANS-The data category is based on the identity of the owner of the
data or type of data subject. It includes:
Business information
Personal information
Employee information
Company information
Information of minors
Level of Confidentiality - ANS-The level of confidentiality is assigned to the data based
upon a hierarchy in data classification. It includes:
Public
Internal
Confidential
Sensitive
Restricted
Identifying and Assigning Levels of Confidentiality: Government - ANS-Government
agencies tend to define the level of classification of data based on the risk of disclosure.
These levels include: Top Secret, Secret, Confidential, Sensitive, and Unclassified. A
particular type of data or data record can change its classification over time.