The most important next step after receiving a vendor questionnaire is to analyze the responses and identify any gaps, issues, or risks that may pose a threat to the organization or its customers. This analysis should be based on the inherent risk profile of the vendor, the criticality of the service or product they provide, and the applicable regulatory and contractual requirements. The analysis should also highlight any adverse or high priority responses that indicate a lack of adequate controls, policies, or procedures on the vendor’s part. These responses should be prioritized for further validation, testing, or remediation. The analysis should also document any assumptions, limitations, or dependencies that may affect the accuracy or completeness of the vendor’s responses.  References:

Shared Assessments CTPRP Study Guide , Section 4.2.2, page 43

Third-Party Risk Management: Managing Risk , Section “Assessing and monitoring third-party risk”

What Is Third-Party Risk Management (TPRM)? 2024 Guide , Section “Third-Party Risk Management Process”

External continuous monitoring solutions are tools or services that provide objective and timely data on the cybersecurity posture and performance of third-party vendors. They typically include components such as:

Status updates on localized events based on geolocation, which can alert the organization to potential disruptions or incidents affecting the vendor’s operations or infrastructure in a specific region or country 1 2 .

Alerts on legal and regulatory actions involving the vendor, which can indicate the vendor’s compliance status, reputation, or liability exposure 1 3 .

Reports that identify changes in vendor financial viability, which can signal the vendor’s ability to sustain its business operations, invest in security, or honor its contractual obligations 1 4 .

However, metrics that track SLAs for performance management are not typically included in external continuous monitoring solutions, as they are more relevant for internal monitoring and reporting. SLAs are service level agreements that define the expected quality, availability, and reliability of the vendor’s services or products, as well as the penalties or remedies for non-compliance. SLAs are usually measured and reported by the vendor itself, or by a third-party auditor or assessor, based on the specific criteria and frequency agreed upon by the parties . Therefore, option C is the correct answer.  References:

Third Party Risk Management Framework , Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32

Bitsight Continuous Monitoring , Section: Uncover hidden risks

Best-Practices Guidance for Third-Party Risk , Section: Monitor Third-Party Compliance with Regulations and Standards, p. 3

Five Best Practices to Manage and Control Third-Party Risk , Section: Monitor Third-Party Financial Health, p. 4

[Third Party Risk Management Framework], Module 4: Program Components, Section 4.3: Contracting, p. 24

[A Better Way to Manage Third-Party Risk], Section: Establish clear service level agreements (SLAs) and key performance indicators (KPIs), p. 2

This statement does not reflect current practice in addressing fourth party risk or subcontracting risk because it is not sufficient to rely on external audit reports alone. Outsourcers should also perform their own due diligence and monitoring of the subcontractors, as well as ensure that the third party has a robust TPRM program in place. External audit reports may not cover all the relevant aspects of subcontracting risk, such as data security, compliance, performance, and quality. Moreover, external audit reports may not be timely, accurate, or consistent, and may not reflect the current state of the subcontractor’s operations. Therefore, outsourcers should adopt a more proactive and comprehensive approach to managing subcontracting risk, rather than relying on external audit reports.  References:

Shared Assessments Program , page 13: “Outsourcers should not rely solely on external audit reports to address subcontracting risk. Outsourcers should also inspect the vendor’s TPRM program and require evidence of the assessments of subcontractors.”

Five Best Practices to Manage and Control Third-Party Risk , page 3: " Restricting privileged accounts

 When a vendor contract terminates, one of the most important requirements for managing risk is to ensure that the vendor securely destroys or returns any data or assets that belong to the organization or its customers. This is to prevent any unauthorized access, use, disclosure, or loss of sensitive information or resources that could result in legal, regulatory, reputational, or financial consequences. The organization should also verify that the vendor complies with this requirement by requesting evidence or conducting audits.

The other options are also important, but not as critical as ensuring data and asset security. Performing a financial review of outstanding invoices is necessary to avoid overpaying or underpaying the vendor, and to resolve any disputes or claims. Performing a final assessment based on due diligence standards is useful to evaluate the vendor’s performance, identify any issues or gaps, and document any lessons learned or best practices. Defining contract terms for transition services is helpful to facilitate a smooth and orderly handover of responsibilities, deliverables, or processes to another vendor or internal team.

References:

1 : Shared Assessments, a leading provider of third party risk management solutions, offers a comprehensive guide for Certified Third Party Risk Professional (CTPRP) candidates, which covers the core concepts and best practices of third party risk management, including vendor offboarding and termination.

2 : Prevalent, a platform for third party risk management, provides a blog post on vendor offboarding and termination risk management, which includes a checklist and a template for secure data and asset destruction or return.

3 : Spendflo, a platform for vendor risk management, provides a guide on vendor risk management, which includes the importance of data and asset security when terminating vendor contracts.

When calculating residual risk, the best practice for an assessor is to adjust the vendor risk rating based on the changes to the risk level after analyzing the findings and considering the effectiveness of mitigating controls. Residual risk refers to the level of risk that remains after controls are applied to mitigate the initial (inherent) risk. By evaluating the findings from a third-party assessment and factoring in the mitigating controls implemented by the vendor, the assessor can more accurately determine the remaining risk level. This adjusted risk rating provides a more realistic view of the vendor ' s risk profile, aiding in informed decision-making regarding risk management and vendor oversight.

References:

The concept of residual risk calculation is discussed in risk management frameworks such as ISO 31000 (Risk Management - Guidelines), which guides the assessment and treatment of risks.

The " Third-Party Risk Management Guide " by ISACA outlines the process of assessing and managing risks associated with third parties, including the calculation of residual risk.

Risk treatment is the process of selecting and implementing measures to modify risk, according to the organization’s risk appetite and tolerance.  There are four main risk treatment options: avoid, reduce, transfer, or retain the risk 1 2 3 .  Among these options, risk transfer typically requires a negotiation of contract terms between parties, as it involves shifting the responsibility or burden of the risk to another entity, such as an insurer, a supplier, a partner, or a customer 1 2 3 4 .  Risk transfer can be achieved through various contractual arrangements, such as insurance policies, indemnity clauses, warranties, guarantees, service level agreements, or outsourcing agreements 1 2 3 4 .  These arrangements usually involve a cost-benefit analysis, a due diligence process, and a mutual agreement on the terms and conditions of the risk transfer 1 2 3 4 . Therefore, option D is the correct answer, as it is the only one that reflects a risk treatment approach that typically requires a negotiation of contract terms between parties.  References:  The following resources support the verified answer and explanation:

1 :  Risk Treatment — ENISA

2 :  Four Basic Risk Treatment Planning Approaches - DigiLEAF

3 :  3 Steps to Treating Your Organizational Risks - American Society of …

4 :  Risk Management Framework - Treat Risks - Chartered Accountants ANZ

 According to the CTPRP Job Guide, the TPRM program should establish minimum risk assessment standards for third party due diligence based on the company’s risk tolerance and risk appetite. This means that the TPRM program should define the scope, depth, frequency, and methodology of the risk assessment process for different categories of third parties, taking into account the potential impact and likelihood of various risks. The risk assessment standards should be consistent, transparent, and aligned with the company’s strategic objectives and regulatory obligations. The TPRM program should also monitor and update the risk assessment standards as needed to reflect changes in the business environment, risk profile, and best practices. The other options are not correct because they do not reflect a holistic and risk-based approach to third party due diligence. Setting the standards by each business unit may result in inconsistency, duplication, or gaps in the risk assessment process. Defining the standards in the contract or statement of work may limit the flexibility and adaptability of the risk assessment process to changing circumstances. Identifying the standards by procurement may overlook the input and involvement of other stakeholders and functions in the risk assessment process.  References:

CTPRP Job Guide , page 17

Third-Party Risk Management and ISO Requirements for 2022 , section “Benefits of Implementing Risk Management”

Managing third-party risk through effective due diligence , section “Complying with regulators’ demands”

Third-Party Due Diligence Checklist: 3 Essential Steps , section “Step 2: Conduct a Risk Assessment”