Glossary term
TPRM
Also: Third-Party Risk Management
Discipline and tool category for governing the risks that arise from external providers (SaaS, cloud, outsourcing, advisory). Mandatory under DORA Art. 28-30 for financial entities and under NIS2 Art. 21(2)(d) (supply chain security) for essential and important entities.
Core processes: onboarding review (eligibility, compliance, security posture), continuous monitoring, classification of each contract by the function it supports (critical/important/supporting) and a risk assessment at that level, contract clauses, exit planning, concentration-risk steering, audit trail.
Tools: OneTrust GRC, ServiceNow GRC and MetricStream (GRC platforms with a TPRM module); ProcessUnity, Prevalent and Aravo (stand-alone TPRM with GRC integrations); BitSight, SecurityScorecard and Panorays (external security-ratings feeds, typically used for continuous monitoring rather than as the system of record). The main differentiation is GRC platform with TPRM module vs stand-alone TPRM with GRC integrations.
Practice: many companies underestimate the depth of DORA Art. 28-30. The register of information (Art. 28(3)), the mandatory contractual clauses (Art. 30), a tested exit strategy (Art. 28(8)) and the concentration-risk analysis (Art. 29) are all subject to supervisory audit. A TPRM tool alone is not enough: the per-contract decision documentation (decision memo) is a mandatory companion artefact.
Related terms
DORA
EU regulation on digital operational resilience in the financial sector. Directly applicable since 1…
NIS2
EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 Germa…
Supply Chain Risk
Risks from the software and hardware supply chain: compromised open-source packages, build-pipeline …
ICT Third-Party Risk
Umbrella term for risks arising from the use of external ICT providers: cloud providers, SaaS vendors, M…
TCO modelling
A structured estimate of the full lifetime cost of a vendor decision, including licence, implementat…
TIA
Assessment of the protection level in the recipient country for data transfers to third countries af…
TISAX
Audit standard and exchange platform of the German automotive association (VDA) for information secu…
Trade-off analysis
The explicit documentation of what each option gives up to deliver its strengths. Good trade-off ana…
