A practical walkthrough of how compliance teams identify, assess, remediate, and continuously monitor vendor risk — from initial intake through to supervisory evidence and audit-ready reporting.
§ What is TPRM
Third-party risk management (TPRM) is the structured process of identifying, assessing, and continuously monitoring the risks that vendors, suppliers, and service providers introduce into your organisation. Every organisation that depends on external parties for ICT services, data processing, or critical operations carries third-party risk. TPRM is the discipline that makes that risk visible, measurable, and manageable.
of data breaches involve a third party, according to IBM Cost of a Data Breach 2024
EU and US regulatory frameworks require structured third-party risk programmes
average vendor-to-customer disclosure delay for third-party breaches
§ The TPRM process
TPRM is not a one-time assessment. It is a continuous cycle that runs from initial vendor intake through to ongoing monitoring and board-level reporting. Here is how the process works end to end.
Build a complete inventory of every third party that accesses your systems, processes your data, or delivers a service you depend on. Classify each by business criticality, data sensitivity, and regulatory scope. This vendor register is the foundation of your TPRM programme — without it, you cannot know what you are exposed to.
Before onboarding a new vendor, conduct structured due diligence proportionate to the criticality of the service. After onboarding, run periodic assessments aligned to the regulatory frameworks that apply: DORA Art. 28(4) for financial entities, NIS2 Art. 21 for essential entities, ISO 27001:2022 clauses 5.19–5.22 for any organisation seeking certification.
Assessments produce findings. Findings require owners, deadlines, and a documented remediation trail. For regulated entities, contractual gaps are as important as technical ones: DORA Art. 30 requires specific provisions in every critical ICT contract, and most organisations have gaps they are unaware of until they look systematically.
Risk does not stand still. A vendor that passed your assessment 12 months ago may have experienced a breach, changed their sub-processing arrangements, or had a key certification lapse. Continuous monitoring — combining automated OSINT signals with scheduled review cycles — keeps your risk picture current without requiring a full assessment for every change.
TPRM programmes only add value if the output reaches decision-makers and satisfies regulators. Board-level reporting, risk committee briefings, and supervisory submissions all require structured, consistent, and audit-ready outputs. For DORA-regulated entities, the annual Register of Information submission to the NCA is a hard compliance deadline.
§ Platform capabilities
Every vendor in your register is continuously scanned for DNS hygiene, TLS configuration, breach exposure, and threat intelligence signals. You start every assessment with the vendor's external risk grade already quantified.
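The external-signal grade described above can be illustrated offline. The following is an added example written for this page, not Supplier Shield code: it takes a vendor's published SPF and DMARC records, the lowest TLS version its HTTPS endpoint accepts, its certificate expiry and a breach-exposure count, and turns them into findings and a 0-100 score. The deduction weights, the letter-grade thresholds, the fixed "today" date and the two sample vendors are all constructed assumptions; in a real scan the records would come from DNS queries and a TLS handshake rather than being embedded inline.

```python
# Added example (not Supplier Shield code): grading a vendor's external hygiene
# signals offline. In production the SPF/DMARC records would come from DNS
# lookups and the TLS facts from a handshake; here they are constructed inline.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed "today" so the example is deterministic (constructed value).
TODAY = date(2025, 1, 15)

HIGH, MEDIUM, LOW = 25, 10, 5   # points deducted per finding (assumed weights)


@dataclass
class VendorSignals:
    name: str
    spf: Optional[str]          # TXT record at the vendor's apex domain
    dmarc: Optional[str]        # TXT record at _dmarc.<domain>
    tls_min_version: str        # lowest protocol version the HTTPS endpoint accepts
    cert_expiry: date           # notAfter of the leaf certificate
    breach_mentions: int        # breach-exposure hits from threat-intel feeds


def check_spf(record: Optional[str]) -> list[tuple[int, str]]:
    """Flag absent, malformed or permissive SPF policies."""
    if record is None:
        return [(MEDIUM, "no SPF record published")]
    rec = record.strip().lower()
    if not rec.startswith("v=spf1"):
        return [(MEDIUM, "malformed SPF record")]
    if "+all" in rec:
        return [(HIGH, "SPF +all allows any host to send as the domain")]
    if "?all" in rec:
        return [(MEDIUM, "SPF ?all is neutral, effectively no policy")]
    if "~all" in rec:
        return [(LOW, "SPF ends in ~all (softfail) rather than -all")]
    if "-all" not in rec:
        return [(MEDIUM, "SPF has no terminating all mechanism")]
    return []


def check_dmarc(record: Optional[str]) -> list[tuple[int, str]]:
    """Flag absent or monitor-only DMARC policies and missing aggregate reporting."""
    if record is None:
        return [(MEDIUM, "no DMARC record published")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [(MEDIUM, "malformed DMARC record")]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append((MEDIUM, "DMARC p=none: spoofed mail is only reported, not blocked"))
    elif policy not in ("quarantine", "reject"):
        findings.append((MEDIUM, "DMARC record has no valid p= policy"))
    if "rua" not in tags:
        findings.append((LOW, "DMARC has no rua= address, so no aggregate reports"))
    return findings


def check_tls(min_version: str, cert_expiry: date, today: date = TODAY) -> list[tuple[int, str]]:
    """Flag legacy protocol versions and certificates that are expired or about to expire."""
    findings = []
    if min_version in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        findings.append((HIGH, f"legacy {min_version} still accepted"))
    days_left = (cert_expiry - today).days
    if days_left < 0:
        findings.append((HIGH, "TLS certificate has expired"))
    elif days_left < 30:
        findings.append((MEDIUM, f"TLS certificate expires in {days_left} days"))
    return findings


def grade_vendor(v: VendorSignals, today: date = TODAY) -> dict:
    """Combine the signal checks into a 0-100 score and a letter grade (thresholds assumed)."""
    findings = check_spf(v.spf) + check_dmarc(v.dmarc) + check_tls(v.tls_min_version, v.cert_expiry, today)
    if v.breach_mentions:
        findings.append((HIGH, f"{v.breach_mentions} breach-exposure hit(s) in threat-intel feeds"))
    score = max(0, 100 - sum(points for points, _ in findings))
    letter = next(g for cutoff, g in ((90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")) if score >= cutoff)
    return {"vendor": v.name, "score": score, "grade": letter, "findings": [msg for _, msg in findings]}


# Constructed sample vendors, not real organisations.
SAMPLE_VENDORS = [
    VendorSignals("Acme Payments", "v=spf1 include:_spf.mail.example -all",
                  "v=DMARC1; p=reject; rua=mailto:dmarc@acme.example",
                  "TLSv1.2", date(2025, 8, 3), 0),
    VendorSignals("Legacy Logistics", "v=spf1 a mx ~all",
                  "v=DMARC1; p=none",
                  "TLSv1.0", date(2025, 1, 27), 1),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        result = grade_vendor(vendor)
        print(f"{result['vendor']}: {result['score']} ({result['grade']})")
        for msg in result["findings"]:
            print(f"  - {msg}")
```

Each check returns its findings as (points, message) pairs so the grade stays explainable: the report a reviewer sees lists exactly which signal cost which points, which is what makes an external grade usable as evidence rather than a bare number.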
Launch a full assessment cycle across your vendor portfolio in one session. Automated reminders follow up without manual chasing. One questionnaire can simultaneously satisfy DORA, NIS2, and ISO 27001 obligations.
Every assessment, finding, remediation action, and status change is logged with a timestamp. When your regulator or auditor asks for evidence of your TPRM programme, you export the full pack in one click.
§ Regulatory context
Banks, insurers, and investment firms must maintain a Register of Information, conduct structured due diligence, apply mandatory contractual provisions, monitor concentration risk, and hold tested exit strategies for critical ICT providers.
NIS2 Art. 21(2)(d)
Essential and important entities must assess and manage security risks across their supply chains, including direct suppliers and ICT service providers. Non-compliance can result in fines exceeding €10M for essential entities.
ISO 27001:2022
Clauses 5.19–5.22 require documented policies and procedures for managing information security risk in supplier relationships, covering selection, contracting, monitoring, and offboarding.
GDPR Art. 28
Every vendor processing personal data on your behalf must have a current, compliant data processing agreement. Sub-processor changes must be tracked and documented. Non-compliance is a leading trigger for GDPR supervisory reviews.
§ Related guides
Book a focused session with our team. We will walk through your current vendor landscape and show you exactly where Supplier Shield structures the process.