Skip to content

How to implement third-party risk management? (Part 1)

In this tutorial, you learn a 6-step approach for implementing third-party risk management (TPRM) within your organization.

In this tutorial, you learn a 6-step approach for implementing third-party risk management (TPRM) within your organization. This approach can be used to manage any risks introduced to your organization by third parties, ranging from cyber to fraud and compliance risks.

What is third-party risk management?

Third-party risk management is defined as the management process of managing risks introduced to your organization by your organization’s vendors, suppliers, contractors, business partners, alliances, joint ventures, agents, etc. Basically, any outside actor that plays a significant part in your organization's ecosystem or supply chain is considered a third-party.

What does this mean in practice? Consider the following example. You make use of a third-party supplier for several HR services. The HR service provider has access to the personal information of your employees. This introduces several potential (information security and reputation) risks, such as the risk that the third-party will get breached by a cyber threat actor. Third-party risk management is included in many ISO standards, such as the ISO2700x.

What are the drivers for third-party risk management?

There are several reasons why you want to implement a third-party risk management capability and start with assessing risks introduced by third parties:

What is the 6-step approach for managing third-party risks?

The following 6 steps can be followed in order to start and implement third-party risk management within your organization:

  1. Establish foundation
  2. Define requirement scope
  3. Create an inventory of third-parties
  4. Prioritise third parties
  5. Perform due diligence assessments
  6. Monitor and follow-up

Step 1: Establish foundation for third-party risk management

In this step, the foundation is laid for third-party risk management within your organization. It all starts with assigning a leader who will be responsible for the TPRM implementation program. After a leader is assigned, the TPRM capability needs to be built. This includes the following activities:

Formulate a vision: This step is about defining the vision around third-party risk management within your organization. In the vision statement, you state what you want to achieve with third-party risk management. It is key to link the TPRM vision with the business strategy of the organization.

Define scope: Defining the scope of your TPRM capability relates to the risk domains that will be taken into account. Third-parties can expose your business to different risks such as technology risks, financial risks, continuity risks, privacy risks, anti-bribery and corruption, and cyber security risks. The risk domains that you take into scope determine the internal stakeholders that need to be involved (e.g., risk and compliance, CISO, and procurement).

Assign capability ownership: Strong governance is key to ensuring an effective third-party risk management capability. Organizations differentiate between accountability and responsibility for TPRM. As third-party risks could be significant for the reputation and continuity of the organization, the accountability for TPRM typically lies at board level (e.g., CEO, CFO, or CRO). The operational responsibility for TPRM can be assigned to a dedicated team or integrated into an existing team such a risk and compliance, security, or procurement.

Develop operating model: There are basically three different operating models for third-party risk management: A distributed model, a centralized model, and a mixed model. We focus on the first two models. In a distributed model, the business relationship manager will coordinate all risk assessment activities. Alternatively, in a centralized model risk assessment activities are carried out by a central team. Both models have advantages and disadvantages.

Establish policy and standard: The mandate for third-party risk management should be captured in a policy and minimum standards. Usually, this requires a governance change and the change or creation of a TPRM policy and minimum standard.

Implement tooling: It is widely acknowledged that technology is key for the effectiveness of a third-party risk management capability. As the third-party ecosystem is in constant flux, using spreadsheets that are hard to maintain and do not scale is not a preferable solution. Alternatively, there are several types of technology that can be used to manage third-party risk properly. As an example, 3rd Risk is providing a neat SaaS-solution that is specifically designed to meet the needs of third-party risk managers.

Step 2: Define requirement scope for third-party risk management

The second step is to determine the requirements that your organization and employees must uphold. Defining the requirement scope is vital as it drives steps 3 to 6. Two types of requirements can be distinguished:

Internal requirements: Internal requirements may come from internal policies, minimum standards, and baseline documents that define how the organization is supposed to work. These requirements can vary per country, entity, location, or service.

External requirements: External requirements are set by external parties such as regulators, labor unions, or professions. Furthermore, there are different types of external requirements like regulatory requirements (GDPR), sustainability requirements, compliance attestations, industry requirements, and external stakeholder requirements.

After you have defined the requirement scope, the next step is to set up an inventory in which all requirements are documented and maintained. The best and most efficient way to establish such an inventory is to obtain input from departments like legal, compliance, security, and others.

Step 3: Create an inventory of third-parties

The aim of this step is to establish an inventory of all your third parties. Some organizations can leverage existing overviews from procurement or strategic buying. Other organizations do not have a single source of truth and need to start from scratch.

Assign owners and contact person: After you have made an inventory of all the third parties within your organization, you need to assign internal owners to the third party. If a third party provides several services with for each a separate contract, the internal owners may change per service/contract. Usually, organizations assign two roles: the third-party manager (person responsible for the procurement relationship with the third party) and the business owner (person responsible for the business relationship with the third party). Finally, you also might want to add the contact person of the third-party to the inventory.

Identify contracts per third-party: Your organization may use several services from a single third party. Often, there will be different contracts for each of the services that your organization consumes. Therefore, the next step is to make an inventory of all third-party contracts. Adding the contact layer allows you to associate risks and incidents to a specific contract. It also provides the opportunity to perform targeted due diligence assessments.

Read more

Click here to go to part 2 of this tutorial.


Cyber Crisis Management: 5 Good Practices

10 good practices for implementing third-party risk management