Third Party Risk Model

What Is the CRF Third Party Risk Model?

The CRF – Third Party Risk Model (CRF–TPRM) is a repeatable framework designed to help organizations assess, control, and validate risks arising from external relationships. As businesses grow more dependent on vendors, suppliers, contractors, and service providers, third-party risk becomes a critical concern. The 2025 edition of CRF–TPRM offers a structured, seven-step process—aligned with CRF’s Governance & Risk Model (GRM)—to govern external dependencies with the same rigor applied to internal cybersecurity. Rather than presenting abstract concepts, CRF–TPRM emphasizes operational execution: which safeguards to require, how to embed them contractually, and how to validate compliance over time.

Why You Need a Structured Third Party Risk Model

Modern organizations depend on a broad ecosystem of vendors, suppliers, and service providers to operate and grow. But these relationships also introduce cybersecurity, compliance, and operational risks that can’t be managed through ad hoc reviews or informal checklists.

The CRF–Third Party Risk Model provides a structured, scalable approach to managing those risks. It:

  • Ensures third parties align with business goals and don’t compromise operational resilience

  • Embeds risk awareness into procurement, turning external reliance into a strategic strength

  • Integrates third-party governance across procurement, IT, legal, and enterprise resilience functions

  • Uses the same safeguard-based approach as the CRF Safeguards, enabling consistent governance across internal and external environments

With this model, third-party risk management becomes a coordinated, proactive discipline—not just a compliance checkbox.

What You’ll Get

The 2025 edition of the CRF–TPRM delivers:

  • A Prescriptive, Seven-Step TPRM Roadmap: A clear lifecycle from program initiation through inventory, selection, education, contracting, validation, and communication—each step building on the last to create a repeatable process.

  • Operational Guidance Over Abstract Theory: Detailed instructions on which safeguards to apply, how to embed them into vendor contracts, and how to verify their effectiveness in practice.

  • Interoperability with Existing CRF Frameworks: Seamless integration with the CRF Governance & Risk Model, CRF Safeguards library, and CRF Audit Framework—allowing organizations to extend a common governance architecture to both internal and external domains.

  • Scalability and Flexibility: Best practices for categorizing vendors by risk tier, tailoring controls to the nature of each relationship, and evolving the program as regulatory requirements and third-party ecosystems change.

  • Enhanced Communication and Reporting: Templates and recommendations for role-based reporting—ensuring executives, procurement teams, legal, and technical stakeholders receive the right level of insight at the right time.

Key Takeaways

  • Seven-Step Lifecycle: A structured process—Initiate, Inventory, Select, Educate, Contract, Validate, and Communicate—guides the full third-party risk lifecycle from onboarding to ongoing oversight.

  • Business-Aligned Safeguards: Controls are tailored to each vendor’s risk tier, function, and criticality—ensuring governance is right-sized and operationally efficient.

  • Contractual Enforcement: Security and privacy requirements are built into contracts, making expectations enforceable and reducing ambiguity in vendor obligations.

  • Evidence-Based Validation: The model encourages periodic reviews and evidence requests, supporting consistent evaluation without over-reliance on automation.

  • Practical Governance Tools: Templates, checklists, and reporting frameworks help teams operationalize third-party risk management using proven best practices.

Who Is This For?

The CRF–TPRM is essential for:

  • Security Leaders formalizing third-party governance structures and oversight practices.

  • Procurement and Legal Teams responsible for vendor selection, contract negotiation, and enforcement of security obligations.

  • Risk and Compliance Managers building or maturing third-party risk programs in industries subject to privacy, regulatory, or contractual requirements.

  • Business Unit Owners overseeing critical vendor relationships and needing clear guidance on assessment criteria.

  • Organizations of All Sizes—from startups establishing their first vendor oversight program to large, regulated enterprises refining mature third-party governance.

Frequently Asked Questions

The Third Party Risk Model is a practical, seven-step framework that guides organizations through the end-to-end process of identifying, assessing, and managing risks posed by external vendors, suppliers, and service providers. It emphasizes operational execution—embedding safeguards into contracts, validating controls, and communicating risk posture—to ensure that third-party relationships support, rather than jeopardize, business objectives.

As organizations become more interconnected, third-party dependencies introduce cybersecurity, compliance, and operational risks. Without a structured TPRM approach, vendor oversight is often inconsistent, reactive, and fragmented. The CRF–TPRM provides a repeatable process to align vendor selection, contracting, and validation with organizational risk tolerance—transforming third-party risk from a liability into a strategic enabler.

CRF–TPRM follows a seven-step roadmap:

  1. Initiate: Secure executive sponsorship, define scope, and establish governance structures.

  2. Inventory: Catalog all third-party relationships and classify vendors by risk.

  3. Select: Define risk criteria, develop a safeguards library, and prioritize controls based on vendor tier.

  4. Educate: Train internal teams and inform external partners of security expectations.

  5. Contract: Embed safeguards into legal agreements to ensure enforceability.

  6. Validate: Collect evidence, review audit reports, and use continuous monitoring to confirm vendor compliance.

  7. Communicate: Provide tailored reports to executives, business owners, and technical teams—enabling data-driven decision-making.

A successful TPRM program requires cross-functional collaboration among:

  1. Executive Sponsors (e.g., CISO, Risk Committee): Provide leadership commitment and resources.

  2. Procurement and Sourcing Teams: Integrate TPRM steps into vendor selection and contracting workflows.

  3. Legal Counsel: Review and negotiate contract language to embed security and compliance obligations.

  4. IT and Security Operations: Define technical controls, validate evidence, and monitor ongoing compliance.

  5. Business Unit Leaders: Own critical vendor relationships, approve risk assessments, and manage exceptions.

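Getting started: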
  1. Gather Early Data: Compile existing vendor lists from procurement, finance, and IT.

  2. Secure Sponsorship: Appoint an executive sponsor and form a cross-functional TPRM working group.

  3. Draft a Program Charter: Define objectives, scope, roles, and decision-making authority.

  4. Select a System of Record: Choose a centralized platform or repository (spreadsheet, GRC tool) to track inventory and assessments.

  5. Begin Inventory: Classify vendors by type, function, and risk exposure, then apply risk-tiering criteria.

Download for Free

Provide your email address below, and we’ll instantly send the Third Party Risk Model – v2025 to your inbox.
