One of the questions I get asked frequently is “who qualifies as a third party?” It’s a great question because the third-party ecosystem encompasses a lot more than just suppliers.
A third party is any company or individual with which you have entered into a business relationship to:
Provide goods and services for your own use
Perform outsourced functions on your behalf
Provide access to markets, products and other types of services
Companies often have more third parties than they realize. Depending on the industry you’re in, examples of third parties can include:
Consultants and independent contractors
HR and payroll companies
IT hardware, services and support
Accountants and auditors
Credit card processors
Agents and brokers
Software and software hosting companies
Fulfillment and mail houses
Managing Risks with Third Parties
Identifying your third parties is important. But what’s even more critical is identifying and managing your risks with them.
Third-party risk management is the process whereby an organization monitors and manages its potential exposure to problems, harm or loss arising from interactions with all external parties with which it has a relationship. This may include both contractual and non-contractual parties. In other words, a vendor can pose risks that need to be managed even if you have no contract with it.
Five-Step Process for Assessing Third-Party Risk
There are a variety of risks that you need to assess and manage with your third parties. Here’s a five-step process for identifying and managing yours.
Identify and classify the third parties with whom you work
Understand your risk exposure
Identify gaps in policies and controls
Prioritize activities to close gaps
Establish a process for ongoing risk monitoring
If you need help getting your arms around your third-party risks, we’re here to help.