At BSides Luxembourg, Jyoti Upadhyay — a cybersecurity and risk management professional with over 15 years of experience — delivered a session on Third Party Risk Management that was practical, direct, and covered something most organisations get wrong before they even start.

The framing was simple: how do you identify and manage third-party risk while still meeting business needs and regulatory requirements? Those two goals are often in tension, and the organisations that handle TPRM well are the ones that have worked out how to balance them.

What TPRM Actually Is

Third party risk management is the process of identifying, assessing, monitoring, and managing the risks that come from your relationships with external vendors, suppliers, partners, and service providers. Every organisation today depends on third parties to function: cloud providers, payment processors, managed IT service providers, law firms. Each one is simultaneously a potential entry point into your environment, a compliance obligation, and an operational dependency.

When something goes wrong with a third party, it is your organisation that faces the consequences. Regulatory fines, data breaches, operational disruption, reputational damage. The risk does not stay with the vendor. It lands on you.

The Maturity Model

The session described TPRM maturity across four stages. Most organisations are at stage one or two and think they are at stage three.

  • Ad Hoc — Vendor assessments happen inconsistently. No standard process. No central inventory. No clear ownership.
  • Defined — A process exists. Standard questionnaire, defined risk criteria, approval workflow. The problem: it is mostly point-in-time. You assess at onboarding and forget until something goes wrong.
  • Mature — Risk tiering in place. Monitoring is continuous. Clear ownership across procurement, IT, legal, and business. Contracts include the right clauses. Offboarding is managed as carefully as onboarding.
  • Continuous Improvement — TPRM as a strategic capability. Learns from incidents, adapts to regulatory changes, feeds intelligence back into vendor selection. Very few organisations are genuinely here.

Risk Tiering

High tier — Strategic and critical relationships. Access to sensitive data, deep integration, high business dependency, limited substitutes. Full assessment, annual audits, continuous monitoring, C-level oversight.

Medium tier — Business efficiency without the same depth of dependency. Standard questionnaire assessments, biennial (every two years) reviews, periodic monitoring.

Low tier — Commodity or administrative services. No access to sensitive data, low operational impact, easily replaceable. Basic due diligence, self-attestation, reactive monitoring.

The point of tiering

Focus your most intensive governance where the actual risk lives. Avoid applying the same burden to every vendor regardless of what they actually touch.

The Six Common Pitfalls

  • Incomplete vendor inventory — Shadow IT and ungoverned vendor relationships create invisible risk. If procurement, IT, legal, and business are all independently signing agreements, you will never have a complete picture.
  • Point-in-time assessments — Annual questionnaires capture a vendor's posture on the day they were completed. They miss everything that changes in between.
  • Questionnaire fatigue — When vendors receive excessive or duplicated questionnaires, their cooperation and response quality drops. Streamlining is not just efficiency — it is accuracy.
  • Fragmented ownership — When accountability is split across procurement, IT, legal, and business without clear assignment, gaps in risk coverage are inevitable.
  • Fourth-party blind spots — Your vendor's suppliers and sub-processors extend your exposure whether you have mapped them or not.
  • Inadequate offboarding — When a vendor relationship ends, revoking access (accounts, API keys, network connections) and recovering or deleting your data should be a structured process. In practice it is often forgotten entirely, and the vendor keeps working credentials long after the contract has lapsed.
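
The tiering criteria and review cadences above, together with the point-in-time and offboarding pitfalls, can be turned into checks that run over a vendor inventory. The following is an added example written for this page, not code from the talk or from any TPRM product: the vendor attributes, the review cadences in days, the access labels and the four sample vendors are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Proactive re-assessment cadence per tier (annual for high, biennial for
# medium, reactive-only monitoring for low). None means no scheduled review.
# The day counts are an assumption for this example.
REVIEW_CADENCE_DAYS = {"high": 365, "medium": 730, "low": None}


@dataclass
class Vendor:
    """One row of the vendor inventory. Attribute names are assumptions."""
    name: str
    sensitive_data: bool         # vendor can access sensitive data
    deep_integration: bool       # API, SSO or network-level integration
    high_dependency: bool        # operations stop if the vendor does
    limited_substitutes: bool    # hard to replace at short notice
    last_assessment: Optional[date] = None
    contract_end: Optional[date] = None
    active_access: set = field(default_factory=set)       # e.g. {"sso", "api_key"}
    sub_processors: list = field(default_factory=list)    # declared fourth parties


def assign_tier(v: Vendor) -> str:
    """Apply the tiering criteria from the talk; first matching tier wins."""
    if v.sensitive_data and (v.deep_integration or v.high_dependency or v.limited_substitutes):
        return "high"
    if not (v.sensitive_data or v.deep_integration or v.high_dependency or v.limited_substitutes):
        return "low"
    return "medium"


def review_due(v: Vendor, today: date) -> bool:
    """True when a scheduled re-assessment is overdue (the point-in-time pitfall)."""
    cadence = REVIEW_CADENCE_DAYS[assign_tier(v)]
    if cadence is None:
        return False                  # low tier: reactive monitoring only
    if v.last_assessment is None:
        return True                   # never assessed at all
    return today - v.last_assessment > timedelta(days=cadence)


def offboarding_gaps(v: Vendor, today: date) -> set:
    """Access still live after the contract ended (the offboarding pitfall)."""
    if v.contract_end is not None and v.contract_end < today:
        return set(v.active_access)
    return set()


def fourth_party_map(vendors: list) -> dict:
    """Invert sub-processor declarations to expose shared fourth-party exposure."""
    out: dict = {}
    for v in vendors:
        for sp in v.sub_processors:
            out.setdefault(sp, []).append(v.name)
    return out


def inventory_report(vendors: list, today: date) -> dict:
    """Per-vendor tier, overdue-review flag and lingering access."""
    return {
        v.name: {
            "tier": assign_tier(v),
            "review_due": review_due(v, today),
            "lingering_access": sorted(offboarding_gaps(v, today)),
        }
        for v in vendors
    }


# Constructed sample inventory; these are not real vendors.
TODAY = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("cloud-platform", True, True, True, True, date(2024, 11, 15), None,
           {"sso", "api_key"}, ["dc-operator-a"]),
    Vendor("payroll-saas", True, False, False, False, date(2025, 6, 1), None,
           {"sso"}, ["dc-operator-a", "email-relay-b"]),
    Vendor("office-plants", False, False, False, False),
    Vendor("old-analytics", True, True, False, False, date(2023, 2, 1), date(2025, 12, 31),
           {"api_key", "read_replica"}, []),
]

if __name__ == "__main__":
    for name, row in inventory_report(SAMPLE_VENDORS, TODAY).items():
        print(name, row)
    print(fourth_party_map(SAMPLE_VENDORS))
```

Running it against the sample inventory puts the expired analytics vendor in the high tier with two credentials still live and an assessment three years old, while the plant supplier is low tier and never scheduled for proactive review; the fourth-party map shows both sensitive-data vendors sharing the same data-centre operator, which is the kind of concentration a per-vendor questionnaire never surfaces.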

The bigger point

TPRM is not a procurement checklist or a compliance exercise. It is a continuous risk management discipline. Regulatory frameworks like DORA (the EU's Digital Operational Resilience Act) are making this non-negotiable for financial entities. But the operational argument exists regardless of regulation: your vendors are part of your attack surface.

Based on the session by Jyoti Upadhyay at BSides Luxembourg 2026.