RMIA: Third Party Risk Management

12:30pm Tuesday, 23 November 2021 to 2:00pm Wednesday, 1 December 2021
Professional Development Course

Third Party Risk Management


The reliance on, and the impact from, third parties is dramatically increasing. We can no longer view our organisations in isolation and must understand the complete picture of our operating ecosystem. This is sharply increasing the need to focus on better management of the wide range of third parties that affect the risks of our organisation.

This course provides a comprehensive overview of Third Party Risk Management (TPRM), from defining its scope, through the design of a robust framework, to the day-to-day operation of the TPRM processes.

Course Overview

1.    Defining Third Party Risk Management (TPRM)

  • Defining the scope of TPRM
  • What third parties should be covered?
  • Classifying your third parties

2.    Identifying and understanding the risks relating to the third parties

  • Identifying the objectives impacted by third parties
  • Defining the impact types from third party risks
  • Direct risks to your organisation
  • Indirect risks within your third parties
  • Developing a taxonomy of third party risks
  • Using Risk Bow Tie analysis to map and understand the risks

3.    A Third Party Risk Management Framework

  • Aligning to ISO 31000
  • Mapping the 8 elements of ISO 31000 to your TPRM processes
    • Communicate and Consult. Consider native language/
    • Scope, Context, Criteria
    • Risk Identification
    • Risk Analysis
    • Risk Evaluation
    • Risk Treatment
    • Monitoring and Review
    • Recording and Reporting
  • Mapping a TPRM ecosystem

4.    Compliance requirements

  • Understanding the key compliance requirements for TPRM, including:
    • Outsourcing
    • Modern Slavery
    • Anti-bribery and corruption
    • Privacy and data protection
    • Due Diligence
  • Factoring compliance and compliance management into your TPRM processes

5.    Mapping the steps in TPRM

  • Third party selection criteria and process
  • Initial screening and tiering
  • Initial Due Diligence
  • Decision and approval process
  • Onboarding including contractual arrangements
  • Ongoing monitoring and maintenance
  • Incident management: Non-performance, Failure.
  • Offboarding
  • Linkage to other risk types and processes
    • Link to key risk types internally, e.g. Cyber, Fraud, Technology, Data etc.
    • Linkage to Operational Resilience

6.    Initial screening, tiering and Due Diligence

  • Key factors to consider in the initial screen, e.g. data security, financial stability etc.
  • Sourcing the information: Internal or use of third party bureaus?
  • The role of, and link to Risk Appetite
  • Tiering methodology to understand importance of third party
  • Determining the extent of Due Diligence
  • Carrying out Due Diligence

7.    Ongoing monitoring and maintenance

  • Due diligence updates
  • Ongoing compliance
  • Ongoing SLA / contract monitoring
  • Ongoing management including third party training
  • Risk metrics and monitoring, external and internal data, and alerts
  • Escalation and treatment
  • Reporting and Analytics

8.    Complete risk management of third parties

  • Leveraging your ERM / GRC framework
    • Risk Assessments
    • Controls Assurance and Assessment
    • Risk Metrics and key risk indicators
    • Incident Management
    • Issues and Actions Management
    • Compliance Management
  • TPRM reporting
  • Integrating your TPRM within your overall ERM framework.

9.    Governance, Roles, Responsibilities and Accountabilities

  • Who is responsible for what?
    • Overall ownership? Procurement? Risk Management? The business?
  • The role of the “three lines”
  • Ensuring clear ownership, responsibilities and accountabilities for the complete process
  • Creating the right culture for managing TPRM

10.    Conclusions and Takeaways

Format of the Course

This course is delivered in an entirely online COVID-Safe format. The course is a total of six (6) hours delivered in four 90-minute sessions.

TRAINER: David Tattam from The Protecht Group

Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. David is the founder and current Director of Research and Training for the Protecht Group, an Australian firm specialising in risk management software, consulting, advisory and training for a wide range of clients both locally and overseas. His career includes many years working with PwC, as well as two international banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB). David's passion is risk training, having developed numerous risk courses and trained many thousands of people over the past two decades. Protecht celebrated its 21st year in 2020.


Session 1          12:30pm - 2:00pm AEDT on Tuesday, 23 November 2021

Session 2          12:30pm - 2:00pm AEDT on Wednesday, 24 November 2021

Session 3          12:30pm - 2:00pm AEDT on Tuesday, 30 November 2021

Session 4          12:30pm - 2:00pm AEDT on Wednesday, 1 December 2021

AEDT = Australian Eastern Daylight Time, UTC +11:00

PRICE: $660.00 incl. GST for Members

$792.00 incl. GST for Non-Members

CPD: 12 points

When you register for this course you agree to the RMIA passing your registration details onto our Training Partner, The Protecht Group.

For Group Bookings please email events@rmia.org.au or call 02 9095 2500.

Sold Out
