Which Third Parties Should Be Out of Scope in Third-Party Risk Management?
By: Hilary Jewhurst on May 28 2024
It's no secret that for many organizations, the time and resources for third-party vendor relationship management are stretched thin. This is especially true when third-party vendor inventory numbers are in the hundreds or even thousands, so it’s best to determine which of your vendors (or other third parties) can be safely excluded from third-party risk management (TPRM) activities.
However, it may not always be obvious which of these relationships should be in or out of scope. The good news is that organizations can use some tried and true guidelines to determine what type of third parties can be out of scope for TPRM. Read on to learn more and help ease the burden of your TPRM responsibilities.
Regulatory Considerations for Third-Party Exemptions
Those in regulated industries know they must meet the requirements of established TPRM guidance, such as the Interagency Guidance on Third-Party Relationships: Risk Management. This guidance became effective in June 2023 and dramatically expanded the definition of a third party to "any business arrangement between a banking organization and another entity, by contract or otherwise."
Under this guidance, entities such as professional service providers, maintenance and custodial service companies, independent consultants, and cloud computing services would be considered in scope for TPRM. However, the guidance also states that not all third-party relationships will require the same level of oversight and risk management.
While this guidance is specific to the financial industry, those regulations greatly influence and shape all TPRM best practices. It’s important to develop a sound (and defensible) methodology to define why certain third-party relationships are out of scope for your TPRM activities.
How to Determine Exempt Third Parties
Although many organizations must now expand their scope of third-party relationships, this may not extend to all oversight and risk management activities. There may still be circumstances in which certain third parties can be exempt from following each activity within the TPRM lifecycle.
To determine which third parties are exempt from, or out of scope for, the TPRM lifecycle, the first step is to prepare a complete list of all individuals and organizations that are paid by or have a written agreement with your organization. Your accounts payable department should be able to furnish much of this information. It's essential to record the product or service provided, or the other nature of the relationship, for each entry on the list. Truthfully, this can be a time-consuming but necessary process.
Once your list is complete, you can use the following questions as a starting point to help determine whether a third-party vendor should be in scope or out of scope for your organization:
- Is this a government entity? You can eliminate any state, provincial, or similar government and any body, board, department, commission, court, tribunal, authority, agency, or other organization exercising any executive, legislative, judicial, administrative, or regulatory functions. This also includes any organization providing safety or emergency services, such as police and fire departments.
- Is this a public utility? Public utilities such as your local power, water, trash collection services, and the like are out of scope. Keep in mind that the key word here is public, as in it’s available to everyone. Don't assume that because it’s water or power, it's automatically out of scope. Services meant to serve your specific organization, such as confidential document destruction, bottled or filtered water services, internet or backup power generation, are decidedly in scope for TPRM.
- Is this a sponsorship or donation? Sponsorships and donations are out of scope for third-party or vendor risk management. For example, sponsoring the company team for a charity walk, helping a nonprofit with an event, or placing an ad for the program for a high school musical doesn’t count as third-party or vendor relationships. And, other types of donations, such as political donations, should be managed through other internal governance mechanisms and policies.
- Is this a covered travel or entertainment expense? You can exclude hotels, airlines, restaurants, transportation, etc. However, you should pay attention when a payment to an organization is classified as travel and entertainment (T&E) to ensure the type of product, service, or relationship falls within T&E norms. In organizations with less stringent or mature T&E expense policies and programs, third parties are sometimes engaged under the guise of T&E to avoid time-consuming or rigorous TPRM processes. It happens! Be on the lookout for this scenario.
- Is this a subscription? Many types of subscriptions will be out of scope for your third-party or vendor risk management program, including one-off subscriptions for magazines, books, newspapers, digital content (stock photography, music, etc.), industry news, or social media websites. Keep in mind that some subscriptions should be included in your program, especially those that provide non-public data or risk alert and monitoring services that help you make sound business decisions.
- Is this a payee? Payees usually represent payments for non-product or service expenses. Examples include payments for a legal settlement or payments to board members or investors. These types of third parties are out of scope.
- Is this a professional association or conference? Annual dues for professional memberships and conferences should be excluded from your third-party or vendor risk management program activities.
- Is this a product or service offered as an employee perk? It's becoming commonplace for organizations to offer employee discounts on various products and services: everything from amusement park tickets and gym memberships to automobile purchases. Relationships where the employee directly initiates the purchase or transaction are out of scope. Keep in mind that if your organization collects payment from employees for the products or services, or distributes the third party's products or services to employees, that third party should be in scope. Your health insurance providers, for example, should be in scope for TPRM.
Many of these exempt or out of scope third-party vendors share common characteristics that make them less relevant to your TPRM activities.
Example: Your organization may have little or no choice in engaging with some of these third-party vendors, which would exclude them from the third-party selection process. Similarly, a third-party relationship with a government entity would not undergo any type of formal risk assessment, due diligence, contracting, or monitoring. Some of the third-party relationships listed above might also be considered transactional, in which the third party's product or service is purchased once or sold "as-is" and wouldn't be subject to oversight activities or ongoing monitoring.
Considerations for Choosing Out of Scope Third Parties
If you choose to exclude the third-party vendors above from your third-party risk management program activities and deem them out of scope, proceed with caution for the following reason:
There is at least some risk in any third-party relationship, and not every organization is as it appears. For example, small, cash-based businesses may be vulnerable to certain risks, including money laundering, health and safety violations, and even human trafficking.
Example: Suppose you aren't evaluating the risk associated with buying hardware because it's a one-time purchase. In that case, you may be missing something important, such as the hardware manufacturer purchasing components from China's Xinjiang Uyghur Autonomous Region (XUAR), which is forbidden under the Uyghur Forced Labor Prevention Act due to known human rights violations in this area.
It’s important to recognize that all third-party relationships carry some risk, and your TPRM efforts and activities should always demonstrate this principle. To ensure the risk of each third-party engagement is identified and understood, it’s recommended that at a minimum you complete an inherent risk assessment. The results of the risk assessment can help you determine what will be necessary to manage that relationship safely and soundly.
Your organization may determine that other third-party or vendor types should be out of scope, and that’s okay. But always make sure that you can articulate and document your rationale for any out of scope decision.
Even though the Interagency Guidance on Third-Party Relationships has broadened the definition of a third-party relationship, the same guidance also emphasizes the importance of taking a risk-based approach when managing those relationships. Not every relationship will require the same risk management activities.
It’s important to remember that regulators expect that you can articulate and defend your methodology for determining what TPRM activities will be applied to each relationship.
Determining which third parties will be in or out of scope is crucial for optimizing your third-party or vendor risk management program. It will allow you to direct your efforts toward third-party relationships that deserve your focus and resources.