A third party risk assessment is an attempt to quantify the risk associated with a third party vendor that’ll be providing a product or service to your organization. Sometimes referred to as vendor risk assessments, these are designed to assist you with analyzing new and ongoing vendor relationships. You always want to gauge the level of risk posed to your organization by both the third party vendor providing the product or service and the product or service itself.
A third party risk assessment evaluate all of the considerations in outsourcing a particular product or service to a third party. You must fully understand the risks associated with these outsourcing decisions. Every outsourced third party relationship comes with additional risk. It’s inevitable.
What Is a Third Party: Dissecting the Term
A third party is a company or entity with whom your organization has a written contract with to provide an outsourced product or service on behalf of your organization. Third parties present varying levels of risk to your organization. It could be an almost insignificant increase in risk, or a very large risk. As mentioned, a third party vendor is anyone you have a direct written contract with, so it could be vendors like the following:
- Landscaping company
- Shred provider
- Telephone company
- Core processor
- Office supplier
Risk Assessment: Digging Deeper into the Why
You may be wondering why all of this is important to your vendor management program. Why do third party risk assessments matter? First, it’s an excellent business practice! However, there are many other reasons. These are the top three:
1. It’s a regulatory requirement.
Regulators are requiring organizations acknowledge that there’s additional risk posed by doing business with an outsourced third party. In order to acknowledge and address the risk properly, a third party risk assessment must be completed on each vendor and on the product or service the vendor will provide. Notice I said product or service. Risk assessments aren’t done just on the vendor as a company. That’s a common misconception. Risk assessments are completed at the product and service level too, to complete the risk profile of the company and the product or service delivery.
Therefore, if you have three products with Vendor ABC, then there’ll need to a be a separate evaluation on each product and an assessment for the ABC Corporation. Guidance, such as FDIC FIL 44-2008 and OCC Bulletin 2013-29, helps with understanding the risk assessment process further and what should be included.
2. Third party risk assessments help you determine specific areas of risk you may want to monitor more thoroughly.
There may be certain areas that seem to have heightened risk as your complete the risk assessment. For example, it could be the third party’s cybersecurity, or business continuity and disaster recovery planning. When you discover facts in a third party risk assessment that require additional monitoring or a follow up conversation with the vendor, you may need to implement additional controls, or if you’re completing a third party risk assessment pre-contract, it’ll give you an opportunity to contractually commit the third party to doing something as an extra control to help mitigate the risk(s) present in the assessment.
3. It’s a best practice.
Third party risk assessments are your first step to identify potential unwanted risks. They’re the first indicator additional controls are needed to limit your organization’s exposure to risks.
Be sure to remember this takeaway. Risk changes over time. Third party risk assessments are not fire and forget activities; they need to be revisited regularly. Your critical and high-risk vendors should be reassessed at least annually and if you find a risk that may be more than the risk appetite of your organization then a more frequent schedule may be warranted. This is part of your ongoing due diligence, so when you’re doing your due diligence, risk assess your vendor and their products and services to evaluate if they’re appropriate for your organization’s risk appetite, meaning the amount of risk your organization is prepared to take on.
Third party risk assessments are a sound business practice that can help your organization avoid some costly and unanticipated surprises down the road by knowing the risk upfront. Not only do assessments show you’re adequately evaluating your third parties’ risk, but they also satisfy regulatory requirements and your senior management team and the board’s expectations.
Use this comprehensive checklist to guide you through third party risk management. Download the checklist.