Third-Party Risk Management

Every organisation is different and for that reason, a one size fits all approach should not be applied to your third-party risk management (TPRM) program.

Protiviti delivers third-party risk management (TPRM) solutions that are embedded into day-to-day business functions while aligning to industry and regulatory expectations. We identify cost savings, create efficiencies in processes, and mitigate today’s most critical risks.

Successful TPRM drives value by helping business leaders gain visibility and understanding of the impact third parties have on increasing profitability, efficiency and compliance while ensuring your organisation's ecosystem has the resiliency to withstand new and unexpected challenges and manage vendor risks.

If you're in a regulated environment, we help you drive compliance. If you're in a non-regulated environment, we will help increase profitability.

Slash costs, improve processes, and mitigate the most critical risks of today

Survey, December 7, 2023: Executive Perspectives on Top Risks for 2024 and 2034

The 12th annual Top Risks Survey report highlights top-of-mind issues for directors and executives around the globe over the next year - 2024 - and a decade later – 2034.

Our third-party risk management services

TPRM strategy and program assessment, design and implementation/transformation

We provide better information that helps drive business decisions and generates revenue enhancing activities from assessing the current state, designing and building end-to-end programs, enhancing individual life cycle components and implementing impactful changes.

Improvement of individual risk domains: operational resilience (business continuity), IT security, privacy, PCI, and compliance

We help leaders streamline data gathering and assessment activities to produce actionable information for each risk domain, support the creation of meaningful and real-time monitoring mechanisms and inform contracting processes through the creation of governance mechanisms that drive stronger Key Risk Indicators, Key Performance Indicators and Service Level Agreements.

Third-party audits (IT security/shared assessments, operations, compliance)

Protiviti’s assessment services drive decision making and inform risk stakeholders in a manner that is consistent with how your organisation manages its risks. We deliver meaningful output to our clients that informs whether a third party meets your expectations across the many risk domains.

Technology enablement

Implement robust TPRM programs across a variety of industries and geographies. TPRM requires technology enablement to make life cycle processes connect seamlessly and provide stakeholders with the information required to make better decisions. Protiviti helps you navigate through these implementations to help streamline programs and processes to keep costs down.

Targeted issue remediation and incident response

Identify and resolve vendor risk management issues in a manner that supports your business and reduces the future risk of the same or similar issues repeating at a third party. Issues will arise with third parties no matter how strong your program may be.

An integrated approach to driving value

Procurement and TPRM should be integrated across the life cycle to enhance your visibility, efficiency, risk management and cost management. The four sections of the TPRM life cycle each have an important part to play in helping you determine the right partners to drive your business growth and customer success.
Protiviti offers an integrated one-stop solution for financial, information technology, compliance and operational due diligence. Transactions that have been through a comprehensive due diligence process are the most successful, and you are able to realise their expected value.

Planning: Successful TPRM starts with strong linkages to business strategies and the value creation process.

Due diligence & third-party selection: Risk assessment, due diligence & third-party selection should be coordinated, risk focused and intended to drive business value decisioning.

Contract management: Contract management should be informed by the results of due diligence and end in contracts that align to business needs and provide appropriate risk mitigation requirements.

Monitoring and management: Strong contracts drive accountability for oversight activities, which helps establish expectations for all parties on what will be required to have a successful relationship.

Risk management and regulatory compliance go hand-in-hand. Find out more about Protiviti's regulatory compliance services.

Leadership

Hirun Tantirigama

Hirun is a managing director with 15 years’ experience in providing risk and regulatory advisory services across a variety of clients and industries. He has led complex, transformational programs across areas such as operational risk, regulatory remediation, operational ...

Leslie Howatt

Leslie is a managing director, and Protiviti’s technology consulting solution lead. She specialises in digital and technology strategy as well as transformational change with over 25 years’ experience across consulting, industry, and government sectors. She has ...

Mark Burgess

Mark is a managing director and Protiviti’s risk and compliance solution lead. With over 17 years of risk and regulatory compliance experience in the financial services industry, he has a proven track record delivering deep insights for his clients. Mark has spent a ...

Ruby Chen

Ruby is a director with over 12 years of experience in the financial services industry, of which about ten years were spent working in the Big Four banks before transitioning into consulting. She has had a broad range of experience providing advisory services and secondments across ...

Featured insights

INSIGHTS PAPER
Part 2: Risk transformation and the intersection with business transformation
Risk maturity is a measure of an organisation’s risk management capabilities and culture. As organisations raise their risk maturity, it enhances elements across governance and framework, processes, people and organisations, methodologies, systems...

IN FOCUS
Will CrowdStrike serve as a reboot on tech resiliency?
Global IT systems are still in reboot and recovery after a software update by cybersecurity vendor CrowdStrike caused a massive worldwide outage of Windows computers. Global businesses, governments and organisations were impacted across several...

WHITEPAPER
DORA Compliance: Untangling Key Hurdles to Implementation
The Digital Operational Resilience Act (DORA), or more formally known as Regulation (EU) 2022/2554, took effect on 16 January 2023, with final industry compliance required by 17 January 2025. The regulation underscores the importance of digital...

NEWSLETTER
Sharpening the Board’s Focus on M&A Due Diligence
Whether an acquisition is a stand-alone, complementary entity or an integration, the due diligence process is undergoing a paradigm shift due to the higher cost of funding and the impact of failed transactions. Boards should expect a more aggressive...

BLOGS
How tech firms can prepare for new EU operational resilience rules on ICT risks
A two-step indicator-based approach proposed by EU supervisory authorities will be used to assess ICT services providers to determine whether they should be designated as critical and subjected to oversight under the Digital Operational Resilience...

WHITEPAPER
CPS 230 – APRA’s new standard to improve operational risk and resilience
On 17 July 2023, the Australian Prudential Regulation Authority (APRA) released the final new prudential standard CPS 230 Operational Risk Management, which is mostly aligned to requirements in other jurisdictions, including the United States, the...

Case Studies

Global Systemically Important Financial Institution (G-SIFI) implements a third-party risk management (TPRM) program to meet global regulatory standards

Protiviti partnered with a G-SIFI to design and implement a third-party risk management (TPRM) program in alignment with global regulatory standards, with an additional goal of aligning program development with available technologies within the client’s environment. The company’s current TPRM program relied heavily on manual processes, data collection, and reporting, which limited reporting on the overall program – status, risks, and performance. Protiviti completed a pilot of the inherent risk questionnaire across ~300 engagements to confirm scoring logic and approach, and aligned the TPRM program to the revised issue management standard and procedures. In the end, enhanced risk assessment methodologies that align with regulatory expectations across the client’s global locations were implemented, and due diligence methodologies and templates that provide more consistent results across subject matter areas were provided by Protiviti.

Global Manufacturer of Technology Products revamps SIOP and warehouse operations to sustain growth

A major U.S.-based manufacturer of technology products realised its success was outpacing its capabilities in two key areas: sales, inventory and operations planning (SIOP) and warehouse management. The company’s foremost goal in SIOP was to increase top-line revenue by being more responsive to growth in demand.
Protiviti conducted a comprehensive assessment of the organisation’s capabilities, analysed process metrics and researched emerging functionalities that could significantly upgrade SIOP capabilities. The result was a detailed list of recommendations that included: redesigned workflow and stakeholder engagement, better definition of the roles and responsibilities of key personnel, improved data flow among departments, substantially increased automation, and new metrics to improve visibility and accountability. Protiviti worked closely with IT and warehouse personnel to document business requirements for the D365 warehouse management system. The collaboration led the firm to redesign and update processes to account for both current and future workflows.

A global bank partners with Protiviti to manage third-party risk

A large global financial institution requested a transformation of its third-party risk management program and wanted to identify opportunities for enhancement. Protiviti designed and implemented an automated TPRM program, including an operating model, policies, frameworks, procedures, and enabling technology. The Protiviti team improved and streamlined processes throughout the third-party management function that provided deeper insight into performance, risk and compliance for the bank.