Third-Party Risk Management

Managing Third-Party and Supply Chain Relationships

Vendor relationships, even trusted ones, create significant operational and data risks for an organization. Attackers can use vendors as a stepping stone into a company's network. According to Gartner, more than 60 percent of companies work with more than 1,000 third parties in the course of business, and each relationship adds to the organization's exposure. Cyberattacks can disrupt the corporate supply chain, inhibit operations, and result in data breaches that originate from third parties, costing an average of $200,000, according to a recent IBM study [1].

To address these challenges, companies need clear and comprehensive visibility into their vendors. MorganFranklin helps businesses develop scalable third-party relationship management (TPRM) programs that align to their business and regulatory needs. These programs leverage automation to enable rapid risk mitigation and data collection.

Tailored compliance

We look beyond checkbox compliance as we develop third-party risk management programs that are customized for each company and offer tangible benefits.

Faster time to value

Our extensive knowledge of TPRM market tools and current vulnerabilities allows us to address serious concerns from the start.

Integration at the forefront

We build programs that integrate with and complement existing procurement, business, IT, risk management, audit and legal processes.


We are an active member of the Shared Assessments organization, which keeps us current with the latest best practices, relevant training, and ongoing education in the field of third-party risk management. Staying informed about emerging trends and industry developments allows us to continuously improve our approach to managing third-party risk.

Supporting TPRM Readiness and Resiliency

MorganFranklin’s framework for third-party risk management (TPRM) aims to improve companies’ ability to effectively manage third-party risk by providing greater visibility into their extended enterprise. Our TPRM services cover the entire vendor lifecycle, from vendor selection and onboarding to monitoring and offboarding.

The following are the key components of our TPRM services:

  1. Planning and Risk Tiering – We help companies develop a strategic plan for supply chain risk management, including budgeting and defining risk tiers.
  2. Due Diligence and Selection – We utilize program metrics to assist in the classification and assignment of appropriate risk-based scoring for third-party vendors.
  3. Onboarding – We assist with contract review and negotiation, assign inherent risk ratings, tiers, and criticality, highlight residual risks, develop exit strategies, and capture appropriate metrics.
  4. Continuous Monitoring – We monitor security controls, identify and remediate issues, and track vendor risk profiles on a continuous basis.
  5. Offboarding – We terminate third-party digital identities, reclaim corporate property, destroy unnecessary data, and cease payments.

Third-Party and Supply Chain Risk Management Services

MorganFranklin Advisors support all aspects of an organization’s TPRM efforts by applying industry best practices and delivering optimal services tailored to each company’s specific needs. Our services include:

    • Strategy Development. We can help develop a TPRM strategy that aligns with existing processes and business needs and provides long-term scalability and manageability.
    • TPRM Roadmap Creation. We assess an organization’s current TPRM maturity level and target maturity level and create a roadmap for implementing the TPRM strategy that delivers quick wins and faster time to value.
    • Compliance Management Support. Our team can identify key regulations and compliance standards that apply to an organization’s environment and incorporate requirements into the TPRM roadmap.
    • Tool Selection, Configuration, and Deployment. We can help identify the best-suited tools for an organization’s needs and environment and provide support throughout the deployment process.
    • Vendor Risk Management Assessments. Our team can implement vendor risk assessments that promote partnership and shared security, rather than being a burden to third-party partners/vendors.
    • Metrics Development and Reporting. We identify key program metrics and develop tracking and reporting capabilities to ensure the TPRM provides tangible benefits and avoids checkbox compliance.
    • Managed Services Support. Our team can maintain the TPRM program through continuous risk monitoring, regular vendor assessments, targeted assessment campaigns, and ongoing evaluation of the dynamic threat environment.

Roadmap: Define where your security programs need to go

A 3-year security roadmap considers an organization’s implementation of security programs, aligned with its business objectives. The roadmap outlines existing security programs and their advancements, while remaining agile to include new tools and technologies.

When developing a security roadmap, MorganFranklin considers the organization’s business needs, objectives, and risk strategy. A well-planned roadmap can minimize risk exposure, define clear actions in the event of a compromise, and prevent confusion and panic during an attack, all while prioritizing the organization’s goals.

[1] IBM Security. (2020). Cost of a Data Breach Report.

The MorganFranklin Way™

MorganFranklin’s approach to cybersecurity strategy and GRC solutions allows our consultants to better protect your organization’s brand against threats of all kinds. We’ll tackle the broader issues associated with corporate governance, enterprise risk management, and corporate compliance with a simple, structured approach.

By aligning with your business objectives, you’ll reap benefits such as:

      • Improved decision-making
      • Optimal IT investments
      • Reduced fragmentation with the elimination of silos

You may have a thorough understanding of the need for a GRC strategy, but not the team or resources to implement it internally. MorganFranklin can connect you with one of our GRC experts to create a business-aligned strategy that improves your GRC and overarching cybersecurity decision-making abilities. Across security strategy, planning, budgeting, and delivery, our consultants have a strong background in IT leadership and organization design. Whether you need part-time, interim, or fully outsourced help, MorganFranklin is your trusted source to define and implement an effective GRC strategy.

We are experienced, engaged professionals who are highly energetic and motivated to work in challenging, high-stakes environments.