Back to Playbook Visit Our Blog


Formally charter the third-party risk management program and give it teeth through policies and standards. Measure and report program outcomes.


Establish policies that state the intended third-party risk outcomes. Implement standards and operating procedures to provide the framework within which the policy objectives are accomplished.


Policies formally commit the organization to the stated risk objectives. Standards and operating procedures are necessary to make good on the commitments. From these,follow investments in related people, process, and technology.


Create third-party risk management policies and related standards in collaboration with key stakeholders and executive management. Groundwork of educating decision makers on the value of third-party risk management will likely be necessary. In discussing policy options, be transparent about the bene ts, limitations, and costs.

Practice Status Adoption
Policies are established that state the intended third-party risk outcomes. Common 90%
Standards set the criteria against which third-party security risk is evaluated. Common 87%
Procedures are implemented for measuring third-party inherent risk. Common 77%
Procedures are implemented for assessing third-party risk performance. Common 77%
Assessment procedures account for di erences in third-party inherent risk. Common 60%
The third-party risk program is formally integrated with essential partners in the organization, such as purchasing, legal, and compliance. Common 77%
Program activities are measured and reported. Common 60%
Program risk outcomes are measured and reported. Emerging 37%