What to Ask When Buying a Third-Party Risk Management Solution?

April 10th, 2017 posted by Aravo

Third-party risk management is a complex discipline that, combined with the scale, complexity, and change dynamics of any Global 2000 organization, can often lead to false starts with technology implementations.

It’s important to get enterprise software purchase decisions right – they are the fulcrum of successful third-party risk programs for the business, they affect the adoption and performance of many internal users across the enterprise, and they can have an impact on the careers of those selecting them.


But it’s not easy. As we discussed in our white paper, Third-Party Risk Management in the Dynamic of Scale, Complexity, and Change, many organizations first try to default to their legacy ERP or generic GRC technology platforms to manage their third-party risk programs. Yet, ultimately, most fail. The scale, complexity and change requirements of the Global 2000 enterprise cripple them. The result: lost money, time and opportunity. And, naturally, a loss of trust in technology and what vendors can solve for.

This makes it all the more important to understand what capabilities you should be looking for and what questions you should be asking when you are assessing TPRM providers. RFIs and RFPs can often become a catch-all, with hundreds of questions, while missing the crux of the requirement: is the solution scalable, agile and adaptable?

This often happens because the strategic vision of why the organization needs to purchase a third-party risk management solution is lost amongst the lists of tactical questions from various internal stakeholders.

A new white paper from Aravo solutions outlines some of the key questions that organizations should be asking – within the context of an overarching vision of what a good third-party risk management platform should be delivering, and why.


The white paper looks at the strategic underpinnings of a best practice approach to third-party risk management, including:

  • The TPRM life-cycle
  • TPRM-related compliance programs
  • Core TPRM functionality
  • Important “30,000 feet high” questions

The white paper then provides a deep-dive into the seven key areas for review in any RFP or RFI for a third-party risk management solution, including:

  • Configuration: How easy is it to change elements of the solution as your organization grows and evolves? What do you need to do to reconfigure workflows? What kinds of templates does the solution provide out-of-the-box? How often are new templates introduced? Can the solution provide conditional workflows to adapt to third-party responses?
  • Integration: What will you have to do to integrate the third-party risk management solution with content feeds from external providers? Or with your own internal systems?
  • Usability: How attractive and easy to use is the solution? Will the look-and-feel of the solution help or hinder adoption within your own organization and by third parties? Can the solution easily display in multiple languages and currencies?
  • Third-party engagement: Does the solution provide a third-party portal? How easy is it to create new forms and assessments to collect information from third parties? How quickly can third parties update their catalog information?
  • Management: How flexible and robust are the solution’s risk scoring capabilities? Are there strong role-based approvals processes and alerts capabilities? How proactive is the escalation/incident management functionality? Does the solution support regular relationship reviews? Does it make managing projects simple? And how easy is it to pull information for audits out of the solution?
  • Analysis: Transparency and oversight are an essential part of any third-party risk management program. The white paper lists more than 20 key reports a good third-party risk management solution should be able to produce quickly and easily. Organizations should also explore the way dashboards look, feel, and interact with stakeholders.
  • Technical: The IT department is always a critical stakeholder in any purchase of new software. This list of questions explores specific issues IT teams may wish to explore for third-party risk management software.

Solutions that are adaptable – whether that means integrating new information sources or creating new workflows – are resilient because they are able to change with new requirements as they present themselves. Solutions that go one step further – that actually help organizations manage change better – help make the organizations they are a part of more resilient.

The white paper – with more than 120 questions and points of evaluation – will help organizations keep a strong focus on both their strategy for third-party risk management as well as their tactical requirements when exploring the purchase of a new solution.

Aravo White Paper - A Buyer's Guide to Third-Party Risk Management Solutions

