Third Party Risk Management

Tools & Services

As part of Third-Party Risk Management, Governance, Risk and Compliance (GRC) will review the privacy and security risk posture of all contracts and purchases related to university data.

Our aim is to serve as a “concierge” service to help you navigate the myriad of compliance requirements that might apply to your project.

  • If your project will result in a purchase that will store, collect, access, create, manage, process, or transmit university data, engage the GRC process at the beginning of the project to help avoid implementation delays.
  • To begin, click the Risk Assessment Tool button below to fill out the Lightweight Risk Assessment (LRA) to provide information about your project/purchase.

To help you prepare to complete the online LRA form, a document version of the questionnaire for offline use can be downloaded HERE.
Please note: the offline document is only for your convenience in preparing to complete the online LRA form. Your answers must be submitted in the online form; we have no way to process the offline document.

Vendor cooperation is by far the primary factor determining how long a review takes. You may be able to speed things up by taking an active role to ensure your vendor is responsive to the needs of the process.

You may be able to “jump the line” and speed up the process even more if you select a vendor that has already been reviewed recently for a use case similar to yours. Each vendor is reviewed for the use case specified by the unit (data classification and process criticality). If your use case has a different risk level than the one the vendor was previously reviewed for, another review may be necessary, but this gives you a much better opportunity to cut down on the time necessary for a review. See the list of recently reviewed vendors at

Offered by
Governance, Risk and Compliance

Free, available upon request; required for purchases involving university data