
3 Key Takeaways on Creating Alignment Between TPRM and the Business

Third-party risk management (TPRM) touches every part of the organization, which should make TPRM the most popular person or team in the company. Of course, that’s not always how things play out in the real world. 

Great TPRM is a business driver—it ensures your organization can leverage the solutions and partnerships it needs, safely and efficiently. But TPRM also thrives on alignment with a diverse group of stakeholders: Procurement, InfoSec, Sales, Legal, and (of course) vendors.

In our most recent webcast, “The Life of the Party: How to Make TPRM a Connector Across the Business”, we tackled the challenges of aligning with your peers across the business. The conversation was led by two seasoned TPRM veterans: Tom Garrubba, Director of Third-Party Risk Management Services at Echelon Risk+Cyber; and John Finizio, Vice President of Security, Risk, and Compliance at Whistic. 

Between them, Garrubba and Finizio have decades of TPRM and risk experience from organizations like JPMorgan Chase, HJ Heinz, and CVS. In today’s blog, we’ve captured 3 key takeaways from their conversation that can help you on your alignment journey. You can also view the entire webcast on demand!

1. Alignment is based on strategic goals—and strategy comes from the top

According to Tom Garrubba, “You have to make sure you’re operating within the mission statement for your third-party risk program.” Alignment begins with understanding the strategic intent of your program. This is important because, as Garrubba says, “We are starting to see third-party risk management programs taking on more than just cyber(security).” 

There are several aspects of alignment that might be impacted by the evolving role of the TPRM team, including:

  • Scope of responsibility: Third-party risk management may take on a host of new or shared duties beyond InfoSec, such as contract review, sourcing, procurement, and overall business risk. 
  • Lines of reporting and communication: The strategic intent of your program determines who “owns” third-party risk management, and thus the team and reporting structures. While reporting through the CISO and InfoSec is still common, TPRM may now also report to a Chief Procurement Officer, Chief Privacy Officer, or Chief Risk Officer. 
  • Relationships with other business units: TPRM’s position within the larger organization also affects whom you need to align with (or at least helps you prioritize within the broader context). More on this in a moment. 
  • Availability of resources: Depending on your strategic priorities, you may need to review or reallocate your existing resources to ensure you can deliver what the business needs. When you’re aligned on strategy, the case for increased resources is also easier to make. 

As always, the strategic priorities of your organization must come from the senior leadership level. As Garrubba puts it, “You need someone from on high to plant the strategic flag for TPRM.” This kind of clarity from the executive level creates better alignment among key partners and stakeholders, and it also ensures you have the right policies, procedures, and standards documented and aligned to the right priorities. 

2. To be a connector for the business, TPRM must understand the business

“Spending time with the business is the most interesting and exciting part of TPRM,” says John Finizio. “You get to kind of see the guts of how things work and dig into all the processes that support it.” Graphic? Sure, but Finizio underscores the critical importance of educating yourself and your team on the needs and perspectives of your potential partners across the organization. 

To be clear, this doesn’t mean TPRM is a support function or a team of order-takers. Rather, to act as a consultant and a steward of better business outcomes, you have to speak the language of the business and convey your needs in terms stakeholders understand. When you understand the business drivers for your counterparts, it opens up several opportunities for TPRM, including: 

Better Documentation

It can be very beneficial to incorporate business requirements from your stakeholders into your documented TPRM policies and procedures. This allows you and your team to better track strategic details as well as give leadership and cross-functional governance teams a reference tool for making decisions. 

More Proactive Approach

By staying more connected to business stakeholders, you don’t have to react at the last minute to changes or feel bombarded by requests. Take the example of periodic reassessments. By working closely with business units, you can better understand:

  • What reassessments are coming up in the next few quarters
  • The complexity of the assessment (e.g. Is there an international component and a domestic component? Will I need additional resources to execute?)
  • Whether you need to adjust your schedule or approach to meet upcoming needs

Business Gets Proactive, Too

Hey, we aren’t just talking about alignment for fun here, or only for the benefit of others. Alignment is important because it helps you and your TPRM team excel as much as it empowers the rest of the business. By demonstrating great partnership yourself, you’ll start to see the business come to you for input earlier in the process and view you as the business enabler you are. And, as Tom Garrubba notes, “This kind of positive feedback makes its way up to the C-suite, as well.” 

Shared Ownership of Risk 

Another benefit of the partnership approach is that business units start to have some skin in the game when it comes to risk. In some companies, TPRM is left out of decision-making because it is seen as a blocker, the team that always says “no.” But when TPRM helps business units say “yes” to the third-party solutions they need to achieve their objectives, those units take greater ownership of the resulting risk. 

3. Alignment looks different for every stakeholder

For better or worse, TPRM must be the agent of alignment for it to really take hold amid seemingly competing priorities and stakeholders. “You have to allow for flexibility and fluidity to make adjustments for different alignment purposes,” says Garrubba.

Luckily, Garrubba and Finizio did sketch out what alignment looks like when you get there for several different groups across the organization. Here’s what it looks like with…

InfoSec

  • Clear frameworks on how to apply internal policies/controls to third parties
  • Clear connection between third-party risks and broader business risks and risk tolerance
  • Shared risk among InfoSec, TPRM, and business units

Privacy

  • Accurate, updated data mapping so you know where data is and where it goes
  • Clear understanding of both international and domestic privacy-compliance requirements
  • Visibility into customer and client data, but also internal privacy data (such as employee PII)

Business Units

  • Vendor information before contracts are signed—not after
  • TPRM engagement during the selection or RFP process
  • Consultative oversight—The ability to say “here’s how to do it safely” instead of saying “no”

Risk Team

  • Unified standards of risk classification applied across the business
  • Opportunities to share resources where there are overlapping priorities
  • More effective vendor assessments that account for additional third-party risks (such as financial, geopolitical, or ESG risks)

Procurement

  • No surprises late in the procurement process
  • Clear understanding of TPRM requirements: create a checklist for Procurement so they know what you need

Vendors

  • Consultative relationships with high-risk vendors
  • Helping vendors to mature their security posture to your standards
  • Open lines of communication and better responsiveness

Whistic Makes it Easier for Teams to Achieve TPRM Alignment

Whistic’s dual-sided TPRM platform is already an easy, secure, and efficient way to connect vendors and customers to accelerate the security review process. But it can also be an effective solution for building alignment in your own organization:

  • AI-powered Whistic Trust Center with Smart Response automates questionnaire responses while maximizing control, so InfoSec can empower sales teams to respond to prospects
  • Whistic Assess with SOC 2 Summarization makes it faster and easier to review hundreds of pages of security documentation according to the controls and exceptions that matter. It also packages the info into executive reports, so you can communicate key findings to senior leadership or partners across the business. 
  • Key integrations with tools like Salesforce, Slack, and DocuSign mean you can more easily communicate and share information, maintain visibility into status, maintain important controls, and document shared goals in the systems your collaborators already use. 

Be sure to check out the full webcast for more takeaways on alignment. If you’d like to learn more about how the Whistic Platform can help you achieve better alignment and better business outcomes, schedule a brief, hassle-free consultation and find out if it’s a fit!
