When it comes to third-party risk management (TPRM), there is often confusion regarding the terms used to describe the types of relationships that need to be managed. "Third party" and "vendor" are the most common terms used to describe the business entities or individuals that provide products or services directly to an organization or its customers on the organization's behalf.
These days, the terms vendor and third party are often used interchangeably. Most organizations make no meaningful or substantial differentiation between the two terms, and that's okay. How you refer to these relationships is not as important as understanding that third parties/vendors can expose your organization and customers to risk. The identification and management of those risks is the heart of an effective third-party risk management practice.
Examples of Third Parties/Vendors
Here are a few examples of entities that are considered third parties or vendors:
- Software as a Service (SaaS) providers
- Outsourced data centers
- Consultants
- Office suppliers
- Janitorial services
- Marketing and advertising
- Computer hardware
- Software reseller (SaaS)
- Data centers
It’s also essential to understand that your organization's TPRM or vendor risk management (VRM) team is responsible for managing and mitigating the risk of those relationships. So, it’s important to closely inspect and monitor those business relationships that pose risks to your organization. You can think of this general idea as "knowing your vendor."
How to Know Your Third Party/Vendor
Knowing your vendor isn't just a concept; it's an important business practice. How do you "know your vendor"? What exactly does this mean? In essence, it means that your organization should assess the vendor's operations and competence in providing prospective services and meeting their contractual obligations. This is especially true if the relationship falls under any regulatory supervision. This process is essential and helps you verify that your vendors don't pose any unnecessary risks to the organization or its customers.
3 Best Practices for Getting to Know Your Third Parties/Vendors
When it comes to knowing your vendors, you should keep these three best practices in mind:
- Perform due diligence during the vendor vetting stage. Due diligence involves validating that a vendor is a legitimate business entity with a solid reputation. This usually requires a background and OFAC check, a review of the Articles of Incorporation/business license, a Secretary of State check, etc.
Due diligence also requires gathering documentation and information from the vendor to verify that they have appropriate and satisfactory risk controls. It’s important to note that your due diligence process should be more rigorous for critical or high-risk vendors.
- Establish ongoing monitoring. Ongoing monitoring is often forgotten but is essential to effective third-party risk management. As the relationship progresses, you must periodically conduct risk reviews and perform due diligence.
While many organizations heavily vet their vendors during the contract stage, failing to perform ongoing monitoring leaves your organization vulnerable to risk resulting from changes in the vendor's environment. These risks can come from leadership changes, internal software enhancements, data center migrations, or changes to regulations or the vendor's industry. Such changes can affect your vendor's risk posture and how well they can meet contractual commitments, and may significantly impact your organization. Between formal risk reviews, it's important to monitor the vendor for new or emerging risks.
Signs of new risks may include:
- A decline in financial condition
- Proper security controls are no longer in place
- The third party is receiving many complaints from your customers due to poor service levels
- The vendor isn't meeting service-level requirements
- Check the news. Not surprisingly, the web can be a great resource for your ongoing monitoring efforts. Be sure to schedule web searches on your critical and high-risk vendors. You may be surprised to find how much you can learn about your third party with a simple news search.
It doesn't matter if your organization uses the term third party or vendor to describe the business entities that provide products and services. What is important is understanding and utilizing effective third-party or vendor risk management practices to minimize the risk in those relationships.