TPRM 2.0: OPTIXX RESEARCH NOTE

Third-party risk programs today are underfunded and under-resourced. As a result, only 2-10% of third parties are actively monitored. Third-party risk management is centered on audit and compliance controls when it needs to be focused on risk analysis and financial impact. The output of this approach is subjective, prone to bias, inconsistent and limited. Third-party reports generally identify a risk rating (high, medium or low) for a partner, which has limited practical value.

A new approach is required, one that evolves the third-party engagement process from controls documentation to risk scenario analysis that provides financial impact visibility. Identifying and executing specific risk scenarios, such as external threat actors targeting business disruption, drives critical conversations around resilience and, ultimately, joint resilience testing.

We call this new approach TPRM 2.0.

Read the full note below to learn more about it.
