Framing TPRM for the C-Suite

Third Party Risk is increasingly a topic addressed in board rooms. As Rocco Grillo (Managing Director, Global Cyber Risk Services, Alvarez and Marshal) notes “the C-Suite and Board members are critical to the success and effectiveness of any TPRM program.  Successful TPRM requires executive sponsorship and the proverbial Tone-At-the-Top.”

As a risk practitioner, how do you reach through to the top to communicate the importance of your program? We’ve asked experts in risk:

What one piece of advice would you give to third-party risk managers presenting to the C-suite and boards?

The answers fit within the acronym FRAMES– Focus, Roadmap, Align, Maturity, Educate and Story.

To frame something is to provide a structure for understanding. Think of artwork: a frame complements, supports and highlights the work within. It directs the viewers’ focus offering “a guardrail for the viewer’s wandering eye.” In a conceptual sense, a frame supports your communication. Use it to convey your view and highlight the effectiveness of your Risk Program.


TPRM and the C-Suite

Similarly, Phil Bennett, Manager (Information Security Governance, Metrics & Analytics at Navy Federal Credit Union) suggests that you communicate to the board that “your risk footprint isn’t limited to the environment you control (on-premise data centers with public cloud) but rather what you control as well as your extended network (supply chain ecosystem).”



TPRM is a program - not a project 



Align Vendor Risk with C-Suite

Fattah continues “It is easier for me to tell C-suite that a vendor is putting our brand and customers at risk because they are not appropriately protecting our customer information, which is currently accessible via the Internet.  Make sure to be pin accurate about your finding, and MAKE SURE you have an ensuing plan…even that plan is one that is dependent on the business/vendor.”


Presenting TPRM to the board



TPRM and the C-Suite

Gary Roboff (Senior Advisor, Santa Fe Group/Shared Assessments) furthers Allen’s advice: “Speak the board’s language, quantify whenever possible, and show why and how what you’re presenting matters to your organization.”



TPRM and the C-Suite

“Yes, sometimes there is bad news to share, but the important part of the message is what to do about it that matters” continues Solem.


Charlie Miller – a great storyteller and Senior Advisor to Santa Fe Group/Shared Assessments – recommends that when framing TPRM for the C-Suite you “Tell a story of how one of your vendors stepped up (or not) to deal with a challenging business / customer issue.”