Shared Assessments Third Party Risk Management CTPRP Question # 12 Topic 2 Discussion
Question #: 12
Topic #: 2
Your organization has recently acquired a set of new global third party relationships due to M&A. You must define your risk assessment process based on your due diligence standards. Which risk factor is LEAST important in defining your requirements?
A. The risk of increased expense to conduct vendor assessments based on client contractual requirements
B. The risk of natural disasters and physical security risk based on geolocation
C. The risk of increased government regulation and decreased political stability based on country risk
D. The financial risk due to local economic factors and country infrastructure
The risk of increased expense to conduct vendor assessments based on client contractual requirements is the least important factor in defining your risk assessment process for new global third party relationships. This is because the expense of vendor assessments is not a direct risk to your organization’s security, compliance, reputation, or performance, but rather a cost of doing business that can be budgeted and optimized. While vendor assessments are necessary and beneficial, they are not the primary driver of your risk assessment process, which should focus on the potential impact and likelihood of adverse events or incidents involving your third parties.

The other factors (B, C, and D) are more important because they directly affect the level of risk exposure and the mitigation strategies for your third parties. For example, natural disasters and physical security risks can disrupt your third party’s operations and service delivery, government regulation and political stability can affect your third party’s compliance and legal obligations, and financial risk can affect your third party’s solvency and reliability. Therefore, these factors should be considered more carefully when defining your risk assessment process.

References:
1: Third Party Risk Management: Managing Risk | Deloitte US
2: What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
3: What is Third-Party Risk Management? | Blog | OneTrust