The Importance of Third Party Risk Assessments (TPRAs)

As businesses grow and thrive in an industry, management might decide to outsource operations from third parties. Seeking out new and specific knowledge and expertise means to boost a business’s competitive advantage in the market, evolving and adapting to changes in the industry. By outsourcing, businesses can decrease expenditure, accelerate production and distribution and increase profits.

Outsourced goods and services come in the form of suppliers, manufacturers, distributors, partners, affiliates, sub-contractors, vendors etc.

By bringing in a third-party you also expose your business (and your clients) to any risks posed to the third party. Here is where a Third-Party Risk Assessment (TPRA) comes into play. TPRAs enhance the visibility surrounding the relationship between the business and the third-party: it identifies the risks (and level of risk) associated with the third-party and the services they provide. This relationship relies on the transfer of critical data, meaning the data needs to be protected at all fronts. Post assessment, it allows the business to take a risk-based approach to managing their third-party relationships.

The relationship may lead to risks such as data compromise, unauthorised access, non-compliance and potentially business disruption. Considering these, contract terms (SLAs) and regulations (such as The Privacy Act 1988 or APRA CPS234) can be breached, or further to reputational damage, fines and legal investigations.


  • Does the third-party comply with required regulations and standards?
  • Are the service operations satisfactory?
  • Does the third-party consider data Confidentiality, Integrity and Availability (CIA)?
  • Degree of physical and logical access the third-party will require to the business
  • Third-party business dependencies
  • Impact of loss of service
  • Relevant stakeholders
  • Supply chain dependencies.

The business has a duty to their clients to ensure client data is secured and protected; bringing in a third-party opens up a plethora of opportunities for data to be compromised. A TPRA can help recognise areas of concern and provide opportunities for improvement, placing data privacy at the forefront of the relationship.