TPRM Fundamentals – An Intern’s Perspective

A college student majoring in Economics and Data Science, I love analytical thinking and learning. As part of my internship with Shared Assessments this summer, I leapt at the opportunity to take the Third Party Risk Fundamentals Certificate course. 


With no experience in TPRM, I hoped that Fundamentals would connect my computer science and business education to third party risk so I could answer the questions people have been asking me: 


  • What is risk management?
  • What is a vendor?
  • What is a third party? In particular, what is the difference between a second versus third party?
  • What tools can organizations use to mitigate risk?


I am able to understand and answer these questions after taking the Fundamentals Certificate course which introduced me to:


  • Terminology and drivers for third party risk
  • Core structures of a third-party risk management program
  • Basics of risk control objectives, risk statements, and types of controls
  • Components in managing assessments


A welcome relief from reading a long research paper, the Fundamentals course is conceptually intriguing. Flashcards, slides, and interactive dialogue are designed to continually engage the risk, information security, privacy, procurement or compliance newbie.


Each section of the course interweaves a real-world example of how risk can be approached – this provides “ah-ha” moments which helped broaden my perspective through an applied example.  


Through the Fundamentals Course, I came to understand why Risk Management has become of paramount importance to organizations. No company or individual can forecast all risk in a dynamic and unpredictable environment, but all organizations must be prepared for uncertainty. Fortunately, as informed by the Fundamentals course, there are processes, roles and tools that can help an organization to navigate cybersecurity, supply chain and environmental risks. 


In my time interning at Shared Assessments, I have been particularly intrigued by the concept of the 5 Data W’s (as I call it) – perhaps this is what connects my computer science and economics education with risk. The 5 Data W’s, as I define them, are:

  • Who… defines, analyzes, owns, reports and evaluates the data?
  • What… is the data in question, what is it doing?
  • When… is it being updated?
  • Where… is the data coming from, is it now, where is it going? 
  • Why… are we looking at this data, are we storing it, is it important?


I have a new perspective on how organizations work, and how and why data might pose a risk. This summer, I called the internet provider when my service went down. The technician could identify the device, owner name, and determine where the data from the phone/computer was moving to and from. I began to think about all of the vendors and Nth parties associated with my information….

Risk comes in all shapes and sizes, and as the world evolves with increasing use of technology, even more risks arise.