Table of Contents
Ask five people what third-party management means and you’ll likely get five different answers. Not because the profession lacks definition, but because the discipline is expanding and maturing rapidly.
The scope of third-party management is broadening beyond its traditional risk-focused roots, with organizations recognizing that managing vendors well touches procurement, contracting, performance, and the full lifecycle of the relationship. And within that broader discipline, subspecialties are emerging to handle the most complex and consequential risk domains with the depth they require.
Organically, this is creating a new hierarchy for how third-party management is being structured and how work is getting done. It’s also creating opportunity for leaders who understand where this is headed, because they’re the ones who will build programs that get taken seriously with customers, regulators and executives.
Here’s what’s starting to take shape.
The Three-Level Hierarchy

Level 1: Third-Party Management (TPM), the Enterprise Umbrella
At the top of the hierarchy is Third-Party Management (TPM), or simply Vendor Management. It establishes the organization-wide strategy for three things: the scope of the program, the operating structure, and the regulations, frameworks, and standards the program must align to.
TPM serves as the quarterback for managing third parties across the enterprise. It answers the questions no single team owns: which vendors are in scope, who can approve a new one, and which frameworks the program must align to. And it puts the infrastructure, enablement, and governance in place so that procurement, risk, legal, information security, and business owners are all operating from the same playbook across the full lifecycle of the relationship, start to finish.
Level 2: Third-Party Risk Management (TPRM), the Risk Function
Beneath that sits Third-Party Risk Management (TPRM), the risk-focused discipline that operates as a sub-function within the broader TPM framework. TPRM is responsible for overseeing the management of third-party risk across all risk domains applicable to an organization’s specific operating environment. What that looks like in practice can vary depending on industry and breadth of operations.
The new IIA Third-Party Topical Requirement, developed by the Institute of Internal Auditors, does a nice job of laying out the primary risk domains organizations should consider incorporating into their TPRM program. The third-party topical requirements are global standards, not industry-specific regulations, so they apply broadly across sectors and serve as a useful baseline regardless of where your program sits. They cover eleven domains: strategic, reputational, ethical, operational, financial, compliance, cybersecurity and data protection, information technology, legal, sustainability, and geopolitical.
It’s a wide net, and that’s the point, as it reflects the full breadth of risk that third parties can introduce into an organization. In practice, most TPRM programs cover only a handful of these domains, which means the gaps aren’t accidental, they’re structural. The full scope should be the starting point for every organization, tailored from there to fit the operating environment and risk appetite, not built up incrementally from regulatory pressures or whatever risks felt urgent at the time.
Level 3: Domain Specialties Like TPCRM
Some risk domains are critical enough to an organization’s operations that they develop into subspecialties of their own, with dedicated teams, dedicated tools, and a depth of focus that a generalist TPRM program can’t consistently deliver. Those teams may sit within the TPRM function or in other parts of the business, whether information security, operations, or compliance, depending on how the organization is structured. Either way, they operate as a distinct discipline within the broader TPRM umbrella.
The clearest example emerging right now is Third-Party Cyber Risk Management (TPCRM). In 2025, Gartner included TPCRM in its Hype Cycle for Cyber-Risk Management for the first time, recognizing it as a defined market with growing adoption. The analyst community is treating it as a legitimate standalone discipline within broader third-party risk management.
Cyber risk has always been a critical domain within TPRM, but what I’m seeing more and more is organizations treating it as its own specialized function, with its own terminology, its own standards, and increasingly its own career track. And for good reason.
Vendor cyber risk is not a line item you can assess once a year and move on. It’s technically complex, it changes constantly, and the consequences of getting it wrong are severe. A single vendor incident can bring operations to a standstill, as organizations learned through events like SolarWinds and CrowdStrike. As vendors embed AI into their products and workflows, you’re dealing with systems that update continuously and produce outputs you can’t fully anticipate. The traditional model of point-in-time, pre-deployment validation simply doesn’t translate to that environment.
What Third-Party Management Leaders Should Be Doing
Most third-party management programs weren’t designed for today’s environment. Without a unified and fully aligned operating model, organizations end up with more splintering and more silos, each function running its own process, with its own tools, and no shared view of the full third-party relationship.
Here’s where to focus.
Update your strategy at the TPM level. This is the foundation for everything, and most organizations lack a defined, enterprise-wide strategy for managing third parties. Now’s the time to take a fresh look and set it. Revisit program scope, operating structure, and all of the regulations, standards, and frameworks it needs to align to. Everything flows better once this is set.
Align TPRM to the strategy. This is where things get operationalized. Re-examine risk domains and risk appetites, the infrastructure around policies, procedures, and systems, and cross-functional roles and responsibilities for third-party risk management. Get everyone aligned and rowing in the same direction.
Integrate specialized functions. For the risk domains that already have, or warrant, dedicated teams and deeper processes, make sure those functions are explicitly connected back to your TPRM program. Specialized doesn’t mean siloed. Each function should have a defined scope, the right skills and capacity to do the work, and clear coordination with the broader TPRM framework.
Leading the Function, Not Just Managing Third Parties
Third-party management is evolving because it has to. Relationships are more complex, new risks keep emerging, and vendor networks keep growing.
The leaders who treat that evolution as an opportunity to mature their strategies and sharpen their operations will be the ones running programs with actual visibility across the full third-party relationship. Understanding where the discipline is headed, and structuring your program accordingly, is what separates the ones who are managing third parties from the ones who are leading the function.
If you want a quick read on where your own program sits today, our vendor risk management self-assessment tool is a simple place to start.
Frequently Asked Questions
What is the difference between third-party management (TPM) and third-party risk management (TPRM)?
Third-party management is the enterprise-wide discipline that sets strategy, structure, and governance for every vendor relationship across its full lifecycle. Third-party risk management is the risk-focused function inside it, responsible for the risk domains that apply to your operating environment. TPM is the broader umbrella; TPRM is one discipline operating underneath it.
What is third-party cyber risk management (TPCRM)?
TPCRM is a specialized discipline focused on the cybersecurity risk that vendors introduce: how exposed a third party is to attack, how prepared it is to respond, and what the impact would be on your operations if it failed. It is emerging as its own function because vendor cyber risk is too complex and too fast-moving for a generalist program to manage once a year.
What is the difference between TPRM and TPCRM?
Third-party risk management oversees every risk domain a vendor can introduce, from financial to legal to operational. Third-party cyber risk management is a specialized sub-discipline focused only on the cybersecurity slice, with its own tools, standards, and often its own team. TPCRM sits inside TPRM, not beside it.
What are the risk domains in the IIA Third-Party Topical Requirement?
The IIA’s Third-Party Topical Requirement points to eleven risk domains organizations should consider: strategic, reputational, ethical, operational, financial, compliance, cybersecurity and data protection, information technology, legal, sustainability, and geopolitical. They are global standards rather than industry-specific regulations, which makes them a useful baseline for scoping a TPRM program in any sector.
Where should third-party risk management sit in an organization?
There is no single place that is always right. We have seen TPRM sit in several different departments, so the real question is where it aligns best to your organization’s structure and unique operating environment. Where it does not belong is buried inside a subspecialty like information security. That gets TPRM too narrow, because it should be managing every applicable risk domain, not just one or two.


















Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.