Description
The United Nations Joint Staff Pension Fund (UNJSPF), through its Office of Investment Management (OIM), seeks Expressions of Interest from qualified and experienced vendors for the provision of a Third Party Risk Management (TPRM) solution. The solution is expected to support the Fund’s third party ecosystem, including vendors, investment partners, inter agency service providers, and subcontractors, by enabling centralized governance, risk identification, assessment, monitoring, and mitigation across the full lifecycle of third party engagements. The objective is to enhance risk oversight through standardized methodologies, defined risk appetite thresholds, and integrated monitoring capabilities, while providing comprehensive visibility and audit trails to support informed decision making.
Summary of the requirement:
1. Support end to end third party risk management, including onboarding, assessment, approval, monitoring, and termination across all third party relationships.
2. Enable structured risk assessment processes, including inherent risk evaluation, control effectiveness, and residual risk scoring across key risk domains.
3. Provide configurable questionnaires and workflows, including conditional logic, automated notifications, and role-based review processes.
4. Facilitate due diligence and third party engagement, including secure data collection, document review, and identification of risk indicators or red flags.
5. Maintain a centralized inventory of third parties, including services, ownership structures, and associated risk and performance data.
6. Support ongoing monitoring and lifecycle management, including periodic reassessments, alerts, and document review tracking.
7. Provide third party performance management capabilities, including scorecards, performance metrics, and integration of results into vendor profiles.
8. Deliver reporting, dashboards, and audit trails to support governance, risk oversight, and decision making.
9. Enable integration with enterprise systems (e.g., ITSM, and GRC systems) and external data sources.
10. Ensure the TPRM system is compliant with relevant standards related to security, data protection, and access controls, authentication etc
Specific Requirements/Information
The proposed TPRM solution should, at a minimum, provide the following capabilities.
Inherent Risk Questionnaire (IRQ)
• Enable internal third-party service request by submitting a new IRQ.
• Data model supports both parent-child ownership structures of third-party entities and where the same legal entity has multiple third-party services/contracts.
• Support grouped questions and conditional (nested) logic where additional questions are triggered by earlier responses.
• Provide different types of question (e.g., free text, dropdowns, document upload).
• Calculate inherent risk scores (1–3 = Low, Medium, High) for each risk domain (e.g., information security, business continuity, sustainability, data privacy) based on IRQ responses.
• Determine service criticality/tiering (e.g. Tier 1, 2, 3) based on IRQ responses.
• Generate a high‑level summary of the new third‑party service, inherent risks for each risk domain, and tiering.
• Upon IRQ submission, create a new record for each third‑party service in a central inventory using information from the IRQ.
• Send notifications to relevant internal Risk SME teams upon IRQ submission to ensure awareness of the new request.
Due Diligence Questionnaire (DDQ)
• Issue the DDQ to the third-party via a secure portal showing only questions and the third-party own responses; support save‑progress and multi‑respondent input on the third-party side. Control effectiveness scores must not be visible to the third party.
• Send automated reminders to the third-party to respond to the DDQ before the pre-defined deadline.
• Organize DDQ by risk domains (e.g., information security, business continuity, sustainability, data privacy) with the ability to include or suppress specific risk domains based on the inherent risks from the IRQ.
• Support grouped questions and conditional (nested) logic where additional questions are triggered by earlier responses.
• Provide predefined field types (e.g., free text, dropdowns, document uploads).
• Once the third-party has submitted the DDQ, calculate control effectiveness scores (1–3 = Low, Medium, High) for each question and aggregate scores so there is a control effective risk score for each risk domain.
• Apply weightings to certain questions so they have a greater influence on the control effectiveness score for the risk domain.
• Enable internal SME review (e.g., InfoSec, BCM) to adjust/finalize control effectiveness scores as needed for their respective risk domain.
• Ability to leverage AI to review documentation (e.g. SOC2) provided by the third parties.
• Ability for the internal Risk SMEs to add a commentary at a risk domain level upon completion of the DDQ review.
• Trigger ‘red flags’ based on specific responses.
• Auto‑populate mitigation actions for certain responses.
Third-Party Risk Summary
• Calculate residual risk scores (1–3 = Low, Medium, High) for each domain by combining inherent risk with control effectiveness.
• Generate a high‑level summary of tiering, inherent risks, control effectiveness, residual risks, and identified red flags and mitigation actions.
• Populate additional data points for the third‑party service record in the central inventory initially created following the IRQ.
• Initiate the risk approval process with a clear audit trail of the individuals that have accepted the third-party service and risks.
Ongoing Monitoring
• Ability to trigger ongoing monitoring activities (e.g. reissuing the DDQ, performance reviews) at periodic frequencies based on pre-defined rules using the tiering and residual risks of the third-party service.
• If the third party has responded to the same DDQ questions in previous years, provide the last response with the ability to update the responses.
• Ability to upload documents (e.g. contracts, exit plans) and set ‘next review date’ which auto-generates notifications/reminders to the business owner leading up the review date.
Third-Party Performance Scorecard
• Auto-issue the performance scorecard to the OIM business owner to assess third-party performance at defined frequencies based on rules set in the system.
• Include sections representing performance themes (e.g., quality, communication, innovation).
• Provide five response options per question mapped to scores 1–5 (Unsatisfactory, Needs Improvement, Satisfactory, Good, Excellent).
• Calculate an overall average performance score (1–5).
• Update the third‑party service record in the inventory with additional data points captured through the performance scorecard.
Reporting, Governance & Workflows
• Configurable workflows, SLAs, escalations, approvals, and monitoring triggers.
• Exception/waiver management with ownership, rationale, expiry, and periodic review.
• Comprehensive audit trail of actions, changes, timestamps, and approvers.
• Visual dashboards (charts, graphs, tables etc.) for risk posture, red flags, aging tasks, mitigations, reassessments, and KPIs/KRIs.
• Exportable assessment packages and ready MI reporting.
Data & Integrations
• Data model supporting vendors, services, fourth parties, contracts, data categories, and hosting locations.
• APIs; and/or built in integration with other external technology integrations with procurement/CLM/ITSM/GRC/Incident management systems.
• Optional integration with external risk and compliance feeds (e.g. watchlists, legal entity checks, ownership data, security posture ratings, ESG ratings).
• Solution must support SSO integrations for user authentication and seamless access (e.g. Okta).
Security, Compliance and Data Privacy of the Software
• Role-Based Access Control (RBAC), to restrict access based on user roles and responsibilities.
• Segregation of Duties (SoD), to separate request, review, approval, administration and risk acceptance activities.
• Single Sign-On (SSO), with identity providers such as Okta, Microsoft Entra ID or equivalent.
• Multi-Factor Authentication (MFA), natively or through integration with the organization’s identity provider.
• Encryption and data residency, including encryption at rest and in transit, and configurable hosting location options.
• Security and privacy assurance, including certifications or reports such as SOC 2 Type II, ISO/IEC 27001, ISO 27701 or equivalent.
• Audit logging and traceability, including user, administrator and third-party portal activity, approvals, score changes, document access, configuration changes, timestamps and approvers.
• Incident response and breach notification, including detection, escalation, investigation, remediation and customer notification.
• Contractual and exit safeguards, including confidentiality, audit rights, data protection terms, data export, return, deletion and post-termination handling.