A third-party inventory is a critical tool to effectively manage third-party risks. Creating an inventory ensures your organization has visibility into its third parties and outsourced products and services. Your organization will be better positioned to identify, assess, manage, and mitigate third-party risks. This blog covers how to create and manage a third-party inventory.
Why a Third-Party Inventory Is Important
A third-party inventory provides invaluable insight into your organization’s external relationships, which improves third-party risk management and protects your organization from unknown risks.
Here are three reasons why a third-party inventory is important:
- Provides a comprehensive view of third-party risks – You can’t manage third parties or their risks if you don’t know a third party exists. A third-party inventory provides information on your organization’s business relationships and the risks they pose. A detailed inventory identifies all third parties and their potential risks so you can address them more quickly. It prevents forgotten third parties from slipping through the cracks.
- Protects your organization from unknown risks – If your organization isn’t aware of third-party risks, you might be caught off guard when an issue or incident arises. A comprehensive third-party inventory uncovers these hidden risks and helps protect your organization. You can’t guard against a threat you don’t know about.
- Prevents shadow purchasing – Shadow purchasing is when an employee or department engages a third party without proper vetting and oversight. This can result in unmitigated risk, costly duplicate vendors, and compliance and ethics concerns. A third-party inventory provides a clear and accessible record of your third parties and ensures all third-party relationships are authorized and approved.
How to Create a Third-Party Inventory
Creating a comprehensive and accurate third-party inventory requires collaboration between different stakeholders and departments and a clearly defined process.
Let’s look at the steps to create a third-party inventory:
- Define third party – Before building a third-party inventory, define the term third party. Many organizations limit the definition of a third party to vendors, suppliers, and service providers that provide traditional products or services. However, banking regulators recently expanded the definition to “any business arrangement” with or without a contract. Even if your organization doesn’t fall under this regulation, using the term “third party” to refer to all business arrangements is a good starting point.
- Identify all third parties – Depending on the size of your organization, this might seem like an overwhelming task. Start with your accounts payable department. They can provide a list of products or services your organization has paid for and any third party your organization has a business relationship with. You may also want to request a list of any contractual relationships your organization has. Look for third-party software tools, as these can bypass your organization’s onboarding or procurement process.
Note: Don’t worry about which third parties should be in or out of scope for your third-party risk management program. As you create your inventory, all third parties should be included.
- Gather key data points – A comprehensive third-party inventory includes details about the third party and its product or service. Tools and technology like third-party risk management software for data collection and management are helpful as you create the inventory. Here are some data points to consider adding:
  - Contact details
  - Products or services provided
  - Contract terms
  - Third party’s location
  - Department or employee that owns the third-party relationship
  - Inherent risk rating, if the third party is in scope for TPRM
  - Residual risk rating, if the third party is in scope for TPRM
  - Critical fourth parties, if the third party is in scope for TPRM
- Categorize third parties – Not every third party in your inventory will be in-scope for third-party risk management activities. However, your scope typically includes most of your vendors, suppliers, and service providers. For in-scope third parties, categorize them in your inventory based on risk. This is typically on a scale of low, moderate, and high. Consider the third party’s criticality, which reflects the impact a third party would have on your business if it were to suddenly cease to exist or experience operational disruptions. Including this information in your third-party inventory helps you know what to prioritize.
- Keep the inventory updated – Your third-party inventory should never be a static document. Consistently update it to add new third parties and remove terminated relationships. Update for any changes in third-party relationships like new contracts, changes in products or services, and updates in risk ratings. Consider creating a review schedule to ensure the information remains current. This could be quarterly, bi-annually, or annually, depending on the size and complexity of your third-party relationships.
A third-party inventory is a critical part of effectively identifying, assessing, managing, and mitigating third-party risks. By creating and regularly updating the inventory, you can build stronger, more transparent third-party relationships.
What’s next after creating a third-party inventory? It’s time to identify and assess the risks with a vendor risk assessment.
