Third-Party Risk Management FAQs

  • What is a third party?
  • Any non-University, outside entity, including non-profit groups and non-registered student organizations on campus (e.g., vendors, service providers, grant providers, unregistered fan clubs, unregistered student groups, and unregistered interest/support groups), can be classified as a third party.
  • Why is managing third-party risk important?
  • It is important to manage third-party risks to make informed risk decisions and comply with regulatory requirements. Failure to adequately manage third-party risk may increase UCLA’s exposure to operational risks, major personal data loss, financial losses, and significant adverse reputational impact.
  • Who is accountable for managing third-party risk?
  • The Department/Unit engaging with the third party is accountable for managing the third-party relationship and associated risks. UCLA stakeholders such as OCISO, Campus Purchasing, Privacy, Accessibility Office, CRE, etc. perform additional risk assessment activities to assist the Unit with risk identification and mitigation.
  • Why is it important to provide accurate responses in the UCLA Triage Form?
  • The responses to the UCLA Triage Form questions help to identify applicable risks and drive the subsequent risk management activities and third-party oversight requirements.
  • What is the Third-Party Risk Assessment?
  • The Third-Party Risk Assessment is used to review a third party’s ability to comply with UCLA’s data security expectations. The assessment reviews the third party’s controls related to data security, business continuity & disaster recovery, application security, network security, vulnerability management, etc. and identifies control gaps, as appropriate.
  • Why is the Third-Party Risk Assessment important?
  • When outsourcing services/products to a third party, it is important that risks arising from the outsourced activity are managed to prevent harm to UCLA.
  • Who should be involved in the third-party contracting process?
  • The Department/Unit should ensure that the OCISO, Data Privacy and Accessibility Offices, OGC, and Insurance are included during the contract negotiations and discussions of any material deviations to UCLA’s standard terms and conditions, as applicable.
  • When is it required to involve the CRE in the TPRM process?
  • When there is a seemingly unresolvable, internal dispute between Department/Unit leaders and UCLA’s risk assessors about whether or how to manage critical third-party risks, the CRE can be called upon to make a final determination.
  • What is the expected timeline to complete the TPRM process before proceeding with contracting?
  • From the time of initiating a third-party request, it may take up to nine weeks to conduct triage, assess the third party, and review third-party contracts.
  • What does TPRM Triage mean?
  • TPRM Triage is an approach to assessing the risk a third party (suppliers, consultants, or business partners) poses to UCLA and mitigating the identified risk before and after establishing a business relationship.
  • Has the Excel version of the TPRM form been automated within the new version of the TPRM instance on ServiceNow?
  • Yes, and included are the vendor questionnaires (e.g., Full, Lite and Ultra-Lite) used for all domestic and international vendors.
  • When will the new version of the TPRM process be ready for use?
  • The new TPRM process has been released to a smaller test group and will eventually be released to UCLA and Non-Mednet departments early Q1/February. (Note: TPRM assessments for Mednet departments are handled through a separate process by UCLA Health).