Norwegian Cruise Line

Building a Modern Third-Party Risk Program from the Ground Up with Mitratech

Setting the Scene

As one of the world’s leading cruise companies, Norwegian Cruise Line Holdings (NCLH) operates a vast global network of partners, suppliers, and technology providers that keep its fleet sailing smoothly. But behind the scenes, that scale also introduces complexity — especially when it comes to managing vendor and IT risk.

The Challenge

Eighteen months ago, NCLH recognized the need for a more unified and resilient approach to third-party oversight for its corporate operations. Disparate processes across IT, Legal, and Supply Chain teams made it difficult to gain a complete picture of vendor risk exposure. To safeguard operations and ensure compliance in an increasingly digital ecosystem, the company set out to build a comprehensive third-party risk management (TPRM) program from the ground up.

There were pockets of different groups — Legal, Supply Chain Management, IT — that each did parts of vendor onboarding or reassessment, but there wasn’t really a holistic program in place until Mitratech.

The Opportunity

Before this initiative, vendor risk management across NCLH was largely ad hoc. Different teams conducted elements of due diligence and risk assessment, but without a centralized framework or consistent standards. With thousands of vendors supporting business operations, the challenge was clear: establish a formal, scalable program focused on the company’s most critical and high-risk IT vendors. That meant defining ownership, standardizing assessments, and ensuring transparency across departments — all while laying the groundwork for future automation and analytics.

The Solution: Mitratech TPRM

Under the leadership of John Kolich, the IT Compliance team began developing a comprehensive IT program from a blank slate. The first step was to narrow the scope to roughly 200–250 critical IT vendors, ensuring that the most impactful relationships received immediate attention.

To enable this new program, NCLH sought technology that could centralize vendor data, automate assessments, monitor cybersecurity risks, and simplify collaboration across departments. After evaluating multiple tools, the team selected the Mitratech Third-Party Risk Management platform for its ability to:

  • Centralize vendor intelligence – Consolidating data from IT, Legal, and Supply Chain teams into a single source of truth for full visibility into critical vendor relationships.
  • Automate onboarding – Replacing manual intake forms and spreadsheets with standardized digital workflows that improved speed, accuracy, and consistency.
  • Support ongoing reassessment and continuous monitoring – Enabling scheduled, automated reviews of vendor performance and risk posture, ensuring the program stays current and compliant.
  • Track remediation and performance – Leveraging automated alerts and dashboards to follow up on risk findings, monitor issue resolution, and demonstrate program improvement over time.
  • Adapt as the program matured – Providing configurable workflows and analytics that scaled alongside NCLH’s evolving TPRM framework, from initial rollout through enterprise-wide adoption.

Together, these capabilities gave NCLH a structured, scalable foundation for third-party oversight — one that could support both its immediate priorities and its long-term risk management goals.

Norwegian also uses the Mitratech ROC managed services team to offload the manual work of tracking down vendor responses and ensuring that surveys are loaded and scored. Removing this manual component of assessment empowers Norwegian to focus on the most critical risks in the vendor relationship, further streamlining their TPRM program.

In addition to building the program, we knew we needed the right technology to support it — that’s how we started looking at different solutions. Now, we have structure, focus, and technology that lets us manage risk at scale.

The Results

Early in the rollout, NCLH’s IT Risk team began using the platform’s cyber-monitoring features to track vendor-related alerts and potential vulnerabilities in real time. For the first time, teams across IT and other departments could see and respond to risk indicators simultaneously, instead of relying on fragmented updates from different systems. Kolich noted that the ability to receive timely visibility into vendor cyber posture has already improved how the organization prioritizes vendor reviews and coordinates follow-up actions.

What we’ve built with Mitratech TPRM gives us visibility and control that just wasn’t possible before.

The Results at a Glance

Within the first year, the NCLH IT Risk team successfully partnered with Mitratech to:

  • Establish a formal, enterprise-level third-party risk framework aligned with corporate governance.
  • Standardize assessments and reviews across high-risk IT vendors, improving efficiency and consistency.
  • Enhance collaboration among Legal, IT, and Supply Chain teams through shared visibility of TPRM cyber risk.
  • Lay the foundation for continuous improvement, with upcoming roadmap enhancements in cyber monitoring, breach detection, and AI-driven automation.

Looking Forward + Next Steps

With the foundation for a formal third-party risk management program firmly in place, Norwegian Cruise Line Holdings is now focused on scaling and deepening its capabilities. Having successfully brought all of its shore-based facilities and systems under consistent oversight, the IT Risk team is now turning its attention to the maritime environment — extending third-party monitoring to the operational technologies and vendors that power its fleet at sea.

The team continues to partner closely with Mitratech to enhance automation, broaden visibility, and align vendor oversight with the company’s enterprise risk and compliance strategy.

Next on the roadmap:

  • Expanded cyber and breach monitoring to proactively identify vendor threats and vulnerabilities.
  • AI-powered auto-assessments and report summarization to accelerate review cycles.
  • Integration with enterprise-wide compliance frameworks for unified risk intelligence across departments and geographies.

By transforming early success into long-term maturity, NCLH is charting a course toward truly connected, data-driven vendor risk management — one that spans from headquarters to every ship in its global fleet.

The NCLH case effectively illustrates why Mitratech Third Party Risk Management (TPRM) is so well-suited for large, complex organizations. By shifting from fragmented spreadsheets to a unified “single source of truth,” Mitratech gives NCLH full visibility into its critical vendor relationships. That visibility, combined with automated onboarding, scheduled reassessments, real-time cyber-risk monitoring, and standardized workflows, transforms a previously ad-hoc, siloed process into a mature, scalable risk management framework.
