Which of the following best describes the primary purpose of a third-party risk management (TPRM) program in a compliance context?