Which Vendors Should Be Out of Scope in Third-Party Risk Management?

It's no secret that for many organizations, the time and resources for third-party vendor relationship management are stretched thin. This is especially true when third-party vendor inventory numbers are in the hundreds or even thousands, so it’s best to determine which of your vendors (or other third parties) can be safely excluded from third-party risk management (TPRM) activities.

However, it may not always be obvious which of these relationships should be in or out of scope. The good news is that organizations can use some tried and true guidelines to determine what type of third parties can be out of scope for TPRM. Read on to learn more and help ease the burden of your TPRM responsibilities.

Regulatory Considerations for Third-Party Exemptions

Those in regulated industries know they must meet the requirements of established TPRM guidance, such as the Interagency Guidance on Third-Party Relationships: Risk Management. This guidance became effective in June 2023 and dramatically expanded the definition of a third party to "any business arrangement between a banking organization and another entity, by contract or otherwise." 

Under this guidance, entities such as professional service providers, maintenance and custodial service companies, independent consultants, and cloud computing services would be considered in scope for TPRM. However, the guidance also states that not all third-party relationships will require the same level of oversight and risk management.

While this guidance is specific to the financial industry, those regulations greatly influence and shape all TPRM best practices. It’s important to develop a sound (and defensible) methodology to define why certain third-party relationships are out of scope for your TPRM activities.

How to Determine Exempt Third Parties

Although many organizations must now expand their scope of third-party relationships, this may not extend to all oversight and risk management activities. There may still be circumstances in which certain third parties can be exempt from following each activity within the TPRM lifecycle. 

To determine exempt or out of scope third parties from the TPRM lifecycle, the first step is to prepare a complete list of all individuals or organizations that are paid by or have a written agreement with your organization. Your accounts payable department should be able to furnish much of this information. It’s essential to include the product/service provided or the other nature of the relationship as part of the list. Truthfully, this can be a time-consuming, but necessary process.

Once your list is complete, you can use the following questions as a starting point to help determine whether a third-party vendor should be in scope or out of scope for your organization:

• Is this a government entity? You can eliminate any state, provincial, or similar government and any body, board, department, commission, court, tribunal, authority, agency, or other organization exercising any executive, legislative, judicial, administrative, or regulatory functions. This also includes any organization providing safety or emergency services, such as police and fire departments.
• Is this a public utility? Public utilities such as your local power, water, trash collection services, and the like are out of scope. Keep in mind that the key word here is public, as in it’s available to everyone. Don't assume that because it’s water or power, it's automatically out of scope. Services meant to serve your specific organization, such as confidential document destruction, bottled or filtered water services, internet or backup power generation, are decidedly in scope for TPRM.
• Is this a sponsorship or donation? Sponsorships and donations are out of scope for third-party or vendor risk management. For example, sponsoring the company team for a charity walk, helping a nonprofit with an event, or placing an ad for the program for a high school musical doesn’t count as third-party or vendor relationships. And, other types of donations, such as political donations, should be managed through other internal governance mechanisms and policies.
• Is this a covered travel or entertainment expense? You can exclude hotels, airlines, restaurants, transportation, etc. However, you should pay attention when a payment to an organization is classified as travel and entertainment (T&E) to ensure the type of product, service, or relationship falls within T&E norms. In organizations with less stringent or mature T&E expense policies and programs, third parties are sometimes engaged under the guise of T&E to avoid time-consuming or rigorous TPRM processes. It happens! Be on the lookout for this scenario.
• Is this a subscription? Many types of subscriptions will be out of scope for your third-party or vendor risk management program, including one-off subscriptions for magazines, books, newspapers, digital content (stock photography, music, etc.), industry news, or social media websites. Keep in mind that some subscriptions should be included in your program, especially those that provide non-public data or risk alert and monitoring services that help you make sound business decisions.
• Is this a payee? Payees usually represent payments for non-product or service expenses. Examples include payments for a legal settlement or payments to board members or investors. These types of third parties are out of scope.
• Is this a professional association or conference? Annual dues for professional memberships and conferences should be excluded from your third-party or vendor risk management program activities.
• Is this a product or service offered as an employee perk? It’s becoming commonplace for organizations to offer employee discounts on various products and services—everything from tickets to the amusement park, gym memberships, and even automobile purchases. Relationships where the employee directly initiates the purchase or transaction are out of scope. Keep in mind that if your organization collects payment from employees for the products or services or distributes the third party's products or services to employees, that third party should be in scope. Your health insurance providers, for example, should be in scope for TPRM.

Many of these exempt or out of scope third-party vendors share some common characteristics, which make them less relevant to include in your TPRM activities. 

Considerations for Choosing Out of Scope Third Parties

If you choose to exclude the third-party vendors above from your third-party risk management program activities, and deem them out of scope, proceed with caution for the following reason:

There is at least some risk with any third-party relationship and not every organization is as it appears. For example, small, cash-based businesses may be vulnerable to certain risks, including money laundering, health and safety violations, and even human trafficking. 

Your organization may determine that other third-party or vendor types should be out of scope, and that’s okay. But always make sure that you can articulate and document your rationale for any out of scope decision. 

Even though the Interagency Guidance on Third-Party Relationships has broadened the definition of a third-party relationship, the same guidance also emphasizes the importance of taking a risk-based approach when managing those relationships. Not every relationship will require the same risk management activities. 

It’s important to remember that regulators expect that you can articulate and defend your methodology for determining what TPRM activities will be applied to each relationship.

Determining which third parties will be in or out of scope is crucial for optimizing your third-party or vendor risk management program. It will allow you to direct your efforts toward third-party relationships that deserve your focus and resources.