Answer: D - Organizations often rely on third-party vendors for data processing, management, and other services involving sensitive or personal consumer information. SOC (Service Organization Control) reports and custom risk assessments may be developed as part of a Third-party Risk Management (TPRM) Program to effectively evaluate, manage and mitigate risks.
In some cases, especially when an organization relies on many vendors to collectively process complex sets of data for a global database of consumers, SOC reports and custom risk assessments are not as scalable as necessary. In those cases, a custom and more scalable TPRM Program is established.