Third Party Risk Matrix

Last updated on January 29, 2026

Description

Third-party risk management (TPRM), which this matrix supports, is the process of identifying, assessing, and mitigating the risks associated with engaging external third parties such as vendors, suppliers, contractors, and business partners.

It involves thorough due diligence to address potential risks that could affect an organization’s operations, financial health, cybersecurity, legal standing, or ability to serve its customers. These risks may encompass cybersecurity incidents, supply chain disruptions, labor shortages, financial instability, political factors, and regional conflicts.

This guideline walks teams through a clear, repeatable process for identifying inherent risk, reviewing vendor security controls, and managing any gaps, supporting safer procurement and better cyber resilience across the supply chain.

Output

A TPRM program enables organizations to evaluate vendors and third parties they may engage with for future work, helping them proactively manage risks and prepare for potential issues before they occur. By assessing third parties early—during procurement—and on a regular basis thereafter, organizations can strengthen business continuity and protect key stakeholders.

Conducting these reviews is essential for reducing exposure to cyber risks such as sensitive data leaks, compliance failures, and supply-chain vulnerabilities. A well-implemented TPRM process provides visibility into a vendor's security posture and ensures risks are identified and addressed before they can impact operations.

Key activities in third-party risk management include identifying the risk drivers that influence a vendor's inherent risk, conducting due diligence reviews, and evaluating control gaps and residual risk based on vendor responses.

Who Should Participate?

Any organization using third-party services that needs to develop or maintain a cybersecurity third-party risk management program. Vendors and third-party providers are distinct: vendors offer specific, transactional services, whereas third-party providers are more like strategic partners, deeply integrated into your operations. Any staff member engaging or contracting with a third-party service will benefit.

Recommended participants include:

  • Cybersecurity and IT teams
  • Procurement and contract managers
  • Privacy and compliance officers
  • Risk management and governance teams
  • Business owners engaging the vendor

Optional: Legal, communications, and executive sponsors for higher-risk vendors.

Resources

Guidelines for Cyber Third Party Risk Matrix
This model is illustrative and not meant to be used verbatim; organizations, including the B.C. Government, may choose to adopt only the portions that align with their internal frameworks.


For more examples of third-party risk management materials, please see the additional resources from other jurisdictions below.

Third-Party Risk Management Guideline - Office of the Superintendent of Financial Institutions

G-7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector