Question 3
Domain 3 — Risk Response and Reporting

What is third-party risk management?
Correct answer: B
Explanation
Third-party risk management is the process of "identifying, assessing, and managing risks from vendors and service providers." It focuses on risks created by outside parties that support an organization, including operational, security, compliance, and financial risks.
Why each option is right or wrong
A. Eliminating all third-party relationships
B. Identifying, assessing, and managing risks from vendors and service providers
No specific statute, code section, or regulatory citation is available in the source material for this definition question. In standard risk-management usage, the term refers to the control process applied to outside parties that provide goods or services to an organization, with the examiner looking for the three core actions: identify the exposure, assess its impact and likelihood, and manage it through controls, monitoring, and remediation. The correct choice matches that accepted definition by focusing on vendors and service providers rather than internal risks or one-time due diligence.
C. Only managing financial relationships
D. A type of insurance coverage