FortaRisks
Third-party and supply-chain risk

TPRM (Third-Party Risk Management)

TPRM (Third-Party Risk Management) is the discipline of continuously identifying, assessing and monitoring the cyber, operational, financial and compliance risks that an organization's suppliers, service providers and partners introduce. Compromise through a third party is now one of the leading breach vectors.

Updated on July 2, 2026

What is TPRM?

TPRM, or third-party risk management, refers to the set of processes through which an organization assesses and controls the risks introduced by the external entities it works with: software vendors, hosting providers, subcontractors, payment processors, partner firms and any other third party with access to its systems, data or premises.

Every third party extends the organization's attack surface. A weakness at a supplier can become yours, without any internal mistake on your part.

Why it matters for your organization

A growing share of major incidents originates with a third party rather than within the victim's direct perimeter. Attackers deliberately target the least protected suppliers to reach their customers downstream.

TPRM is not only a security requirement but also a growing regulatory obligation. NIS2, DORA and many other frameworks now explicitly require organizations to assess and govern supplier risk.

The components of a TPRM program

  • Third-party inventory: catalog every supplier and what they have access to.
  • Criticality classification: rank by the impact of a failure or compromise.
  • Due diligence: assess security posture before onboarding (questionnaires, evidence, certifications).
  • Contractual clauses: incident notification, right to audit, security requirements, exit terms.
  • Continuous monitoring: track external posture and risk signals throughout the relationship, not just at onboarding.
  • Exit plan: plan for data return and service termination.

Where organizations most often fall short

The classic trap is treating TPRM as a procurement formality: a questionnaire filled out once and never revisited. The third-party vulnerabilities that matter are often invisible to questionnaires: undeclared software dependencies, residual access, suppliers of suppliers. A mature program moves from point-in-time assessment to continuous monitoring.
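One check that a questionnaire cannot give you is a reconciliation of the access that actually exists against the third-party inventory. The following is an added example, not code from the original page or from the FortaRisks product: it takes the vendor register and an export of vendor-provisioned credentials (accounts, service principals, API keys, as an IdP or PAM tool would export them) and flags residual access (vendor engagement ended, credential still alive), undeclared access (credential tagged with a vendor the inventory does not know) and dormant access (credential unused for longer than a threshold). The `Vendor` and `AccessGrant` schemas, the `vendor_id` tag assumed to be recorded on each grant at provisioning time, and the 90-day dormancy threshold are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    """One row of the third-party inventory (hypothetical schema)."""
    vendor_id: str
    name: str
    criticality: str                 # "high", "medium" or "low"
    engagement_end: Optional[date]   # None means the engagement is still active


@dataclass(frozen=True)
class AccessGrant:
    """One credential provisioned for a vendor, as exported from an IdP, PAM
    tool or API gateway (hypothetical schema; the vendor_id tag is assumed to
    have been recorded when the credential was issued)."""
    principal: str                   # account name, service principal or key id
    vendor_id: str
    scope: str
    last_used: Optional[date]        # None means never used since provisioning


@dataclass(frozen=True)
class Finding:
    principal: str
    vendor_id: str
    kind: str                        # "undeclared", "residual" or "dormant"
    detail: str


def reconcile(vendors: List[Vendor], grants: List[AccessGrant], today: date,
              dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Compare live access grants against the inventory and return findings.

    undeclared: the grant is tagged with a vendor_id the inventory does not know
    residual:   the vendor's engagement has ended but the credential still exists
    dormant:    the credential has not been used within dormant_after
    """
    by_id: Dict[str, Vendor] = {v.vendor_id: v for v in vendors}
    findings: List[Finding] = []
    for g in grants:
        vendor = by_id.get(g.vendor_id)
        if vendor is None:
            findings.append(Finding(g.principal, g.vendor_id, "undeclared",
                                    f"no inventory entry for {g.vendor_id}"))
            continue
        if vendor.engagement_end is not None and vendor.engagement_end < today:
            findings.append(Finding(g.principal, g.vendor_id, "residual",
                                    f"{vendor.name} engagement ended {vendor.engagement_end}"))
            continue
        if g.last_used is None or today - g.last_used > dormant_after:
            findings.append(Finding(g.principal, g.vendor_id, "dormant",
                                    f"last used {g.last_used}, threshold {dormant_after.days} days"))

    # Order the work queue: unknown owners first, then residual access, then
    # dormant credentials; within a kind, high-criticality vendors come first.
    kind_rank = {"undeclared": 0, "residual": 1, "dormant": 2}
    crit_rank = {"high": 0, "medium": 1, "low": 2}

    def sort_key(f: Finding):
        vendor = by_id.get(f.vendor_id)
        crit = crit_rank.get(vendor.criticality, 2) if vendor else 0
        return (kind_rank[f.kind], crit)

    findings.sort(key=sort_key)
    return findings


# Constructed sample data for a stand-alone run; not from any real environment.
VENDORS = [
    Vendor("V-001", "Acme Hosting", "high", None),
    Vendor("V-002", "Payroll Co", "high", date(2026, 3, 31)),   # engagement over
    Vendor("V-003", "Print Shop", "low", None),
]
GRANTS = [
    AccessGrant("svc-acme-backup", "V-001", "s3:backups:rw", date(2026, 6, 30)),
    AccessGrant("svc-payroll-sftp", "V-002", "sftp:hr-exports", date(2026, 6, 28)),
    AccessGrant("api-key-9f3a", "V-017", "api:orders:read", date(2026, 6, 29)),
    AccessGrant("svc-printshop", "V-003", "vpn:site-a", date(2026, 1, 15)),
]
TODAY = date(2026, 7, 2)


def run_example() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(VENDORS, GRANTS, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:10} {f.principal:18} {f.vendor_id:6} {f.detail}")
```

Running it reports the payroll SFTP account as residual (the engagement ended on 31 March but the credential is still live), the orders API key as undeclared (tagged with a vendor that is not in the inventory) and the print shop VPN account as dormant; the hosting provider's backup account is in use and raises nothing. In practice the grant list comes from a scheduled export, so the check runs continuously rather than once at onboarding.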

Frequently asked questions

What is the difference between TPRM and supply-chain risk management?

TPRM focuses on your direct relationships with suppliers and providers (your third parties). Supply-chain risk management is broader and includes your suppliers' suppliers, known as fourth parties, as well as upstream software and hardware dependencies.

Is a security questionnaire enough to manage third-party risk?

No. A questionnaire is a point-in-time snapshot, often self-reported and quickly outdated. An effective TPRM program combines the initial assessment with continuous monitoring of external posture, a criticality-based classification of suppliers, and contractual notification and audit clauses.
