Module 24: Third-Party Risk Management
Outsourcing reduces workload.
It does not reduce accountability.
Third-party relationships introduce:
- Operational risk
- Compliance risk
- Security risk
- Reputational risk
- Strategic dependency risk
CRISC evaluates whether third-party risk is:
- Identified
- Assessed
- Contractually managed
- Monitored
- Escalated appropriately
What the exam is really testing
When third-party risk appears, CRISC is asking:
- Was due diligence performed?
- Is risk formally documented?
- Are contracts aligned with risk expectations?
- Is ongoing monitoring in place?
- Is ownership clear?
- Is risk aggregated enterprise-wide?
CRISC favors structured lifecycle management.
Third-Party Risk Lifecycle
Mature TPRM includes:
- Vendor identification
- Risk assessment
- Due diligence
- Contractual controls
- Ongoing monitoring
- Periodic reassessment
- Termination procedures
If any stage is missing, governance exposure increases.
Due diligence
Before onboarding a vendor, organizations should evaluate:
- Financial stability
- Security controls
- Regulatory compliance posture
- Data handling practices
- Subcontractor usage
- Incident history
CRISC often tests whether due diligence was performed before contract execution.
Contractual risk controls
Contracts should address:
- Security requirements
- Data protection obligations
- Incident notification timelines
- Audit rights
- Indemnification clauses
- Service level agreements (SLAs)
If controls exist operationally but are not contractually enforceable, exposure remains.
CRISC tests this nuance.
Transfer vs ownership trap
Common misconception:
“Since we outsourced it, they own the risk.”
Incorrect.
The organization retains:
- Accountability
- Regulatory responsibility
- Reputation risk
Transfer (through contract terms or insurance) shifts financial impact, not governance accountability.
Example scenario (walk through it)
Scenario:
A company outsources payroll processing. No formal security assessment was conducted prior to contract signing.
What is the PRIMARY governance weakness?
A. Weak BIA
B. Incomplete due diligence
C. High inherent risk
D. Excessive appetite
Correct answer:
B. Incomplete due diligence
Due diligence must occur before onboarding.
Slightly harder scenario
A vendor suffers a data breach affecting customer data. The organization claims liability rests solely with the vendor per contract.
What is the MOST significant misunderstanding?
A. Risk aggregation
B. Accountability remains with the organization
C. Residual risk miscalculation
D. Control deficiency
Correct answer:
B. Accountability remains with the organization
Regulatory and reputational accountability cannot be outsourced.
Ongoing monitoring
Third-party risk does not end at onboarding.
Mature monitoring includes:
- Periodic reassessments
- Updated SOC reports, including review of any exceptions noted
- Performance reviews
- SLA tracking
- Security incident tracking
- Compliance certifications
CRISC frequently tests failures in ongoing monitoring.
Concentration risk
If multiple critical processes depend on one vendor:
- Aggregated exposure increases.
- Systemic risk grows.
CRISC may test dependency concentration risk, especially where several critical services sit with a single cloud provider.
Termination risk
Vendor offboarding must include:
- Data return or destruction
- Access revocation
- Transition planning
- Continuity planning
Failure here leaves residual exposure, such as vendor accounts that remain active or data that was never destroyed.
Slightly uncomfortable scenario
An organization performs initial due diligence on a vendor but does not reassess for three years despite regulatory changes and service expansion.
What is the PRIMARY governance weakness?
A. Weak inherent risk
B. Failure in ongoing monitoring
C. Poor BIA
D. Excessive mitigation
Correct answer:
B. Failure in ongoing monitoring
TPRM requires continuous evaluation, not one-time assessment.
Third-party risk in the risk register
Third-party risks should:
- Be documented
- Have defined owners
- Reflect inherent and residual risk
- Be aggregated appropriately
If vendor risk is tracked separately from enterprise risk, visibility may be incomplete.
Quick knowledge check
1) Who ultimately owns third-party risk?
A. Vendor
B. Risk management team
C. Business process owner
D. Internal audit
Answer & reasoning
Correct: C
The business process owner retains accountability even when the process is outsourced.
2) Which control is MOST critical before vendor onboarding?
A. SLA monitoring
B. Contract termination planning
C. Formal due diligence assessment
D. Residual risk calculation
Answer & reasoning
Correct: C
Due diligence must precede contract execution.
3) Purchasing cyber insurance to cover losses arising from a vendor relationship primarily represents which response strategy?
A. Avoid
B. Mitigate
C. Transfer
D. Accept
Answer & reasoning
Correct: C
Transfer shifts financial exposure, not accountability.
Final takeaway
Third-party risk management requires:
- Structured onboarding
- Formal due diligence
- Contractual protection
- Continuous monitoring
- Clear ownership
- Escalation discipline
Outsourcing does not eliminate accountability.
CRISC rewards candidates who preserve governance discipline across the vendor lifecycle.