Shared Assessments Third Party Risk Management CTPRP New Questions

TPRM compliance requirements are the rules and expectations that an organization must follow when engaging with third parties, such as vendors, suppliers, partners, or contractors. These requirements are derived from various sources, such as laws, regulations, standards, frameworks, contracts, policies, and best practices. However, relying solely on regulatory mandates to define and structure TPRM compliance requirements is a false statement, because123:

• Regulatory mandates are not the only source of TPRM compliance requirements. Organizations may also need to consider other factors, such as industry benchmarks, customer expectations, stakeholder interests, ethical principles, and social responsibility.
• Regulatory mandates are not always comprehensive, clear, or consistent. Organizations may face different or conflicting regulations across jurisdictions, sectors, or domains. Organizations may also need to interpret and apply the regulations to their specific context and risk profile, which may require additional guidance or expertise.
• Regulatory mandates are not always sufficient, effective, or efficient. Organizations may need to go beyond the minimum requirements of the regulations to achieve their business objectives, mitigate their risks, or enhance their performance. Organizations may also need to adopt more flexible, scalable, and innovative approaches to TPRM compliance, rather than following a rigid, one-size-fits-all, or check-the-box model.

Therefore, the correct answer is B. Organizations rely on regulatory mandates to define and structure TPRM compliance requirements, as this is a false statement regarding the risk factors an organization may include when defining TPRM compliance requirements. References:

• 1: Understanding TPRM Compliance: A Comprehensive Guide | Prevalent
• 2: What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
• 3: Third-Party Risk Management and ISO Requirements for 2022 | Reciprocity

 Risk culture is the term used to describe the collective way that an organization thinks about, manages, and responds to risk. It is influenced by the organization’s values, beliefs, norms, and practices, as well as the external environment and stakeholders. Risk culture affects how employees perceive, communicate, and act on risk issues, and how they balance risk and reward in their decision making. A strong risk culture is one that supports the organization’s strategic objectives, fosters accountability and transparency, and promotes learning and improvement. A weak risk culture is one that undermines the organization’s risk management framework, creates silos and conflicts, and exposes the organization to excessive or unnecessary risks. References:

• Shared Assessments CTPRP Study Guide, page 13, section 2.1.1
• GARP Best Practices Guidance for Third Party Risk, page 5, section 2.1
• Organizational culture | Definition, Benefits and Challenges

The best approach to address the conflict between the vendor’s legal obligations to retain data for tax purposes and the company’s policy to require data return or destruction at contract termination is A. Determine if a policy exception and approval is required, and require that data safeguarding obligations continue after termination. This approach recognizes that the vendor may have valid reasons to retain some data for a certain period of time, and that the company may have flexibility to grant exceptions to its policy under certain circumstances. However, this approach also ensures that the company maintains oversight and control over the data that the vendor retains, and that the vendor continues to comply with the data safeguarding obligations, such as encryption, access control, audit, and breach notification, until the data is returned or destroyed. This approach balances the interests and risks of both parties, and minimizes the potential for data breaches, misuse, or loss.

The other approaches are not the best ways to address the conflict, as they may create more problems or risks for either party. B. Change the risk rating of the vendor to reflect a higher risk tier. This approach does not resolve the conflict, but rather shifts the responsibility to the company to manage the increased risk of the vendor retaining the data. Changing the risk rating may also affect the contract terms, such as pricing, service level agreements, or liability clauses, and may require renegotiation or termination of the contract. C. Insist the vendor adheres to the policy and contract provisions without exception. This approach is too rigid and may not be feasible or reasonable for the vendor, especially if they have legal obligations to retain the data. This approach may also damage the relationship and trust between the parties, and may lead to disputes or litigation. D. Conduct an assessment of the vendor’s data governance and records management program. This approach is too time-consuming and costly, and may not be necessary or relevant for the conflict. Conducting an assessment may provide some assurance about the vendor’s data practices, but it does not address the underlying issue of the conflicting data retention requirements. Moreover, conducting an assessment may not be possible or appropriate during the contract negotiation process, as it may require access to the vendor’s systems, data, or personnel. References:

• : Best Practices for Data Destruction - ed
• : CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION - DataOlogie
• : Third-Party Risk Management: Final Interagency Guidance
• : Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

 A regulation is a rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority’s control. Regulations are issued by various government departments and agencies to carry out the intent of legislation enacted by the legislature of the applicable jurisdiction. Regulations also function to ensure uniform application of the law. A standard is a guideline established generally by private-sector bodies and that are available for use by any person or organization, private or government. The term includes what are commonly referred to as ‘industry standards’ as well as ‘consensus standards’. Standards are developed through a voluntary process of collaboration and consensus among stakeholders, such as manufacturers, consumers, regulators, and experts. Standards may reflect best practices, technical specifications, performance criteria, or quality requirements. Standards do not have the force of law unless they are adopted or referenced by a regulation. Therefore, a regulation must be adhered to by all companies subject to its requirements, but companies can voluntarily choose to follow standards that are relevant and beneficial to their operations, products, or services. References:

• The Difference Between Regulations and Standards
• Regulations vs Standards: Clearing Up the Confusion - AEM
• Standards vs. Regulations
• Certified Third Party Risk Professional (CTPRP) Study Guide