Anti-bribery and corruption (ABAC) – A global movement to disrupt bribery and corruption – a form of financial crime – particularly within procurement practices and supply chains. TPRM programs should assess the ABAC risks within the organization as well as within third parties.
Audit trail – An audit trail is a source of records that provides evidence of the sequence of activities that have affected a specific operation, procedure, or event. Audit trails are important in third-party risk management to provide evidence of the activities taken in the assessment, due diligence, monitoring, and management of third parties. They are important to demonstrate compliance to management, auditors, and examiners.
Cloud services – Services and infrastructure, provided by a third party, that are accessed remotely.
Concentration risk – Operational risk and/or other risk types can increase significantly when third-party relationships result in concentrations, either at the organizational or industry level. For example, concentrations can occur when an organization relies on one third party for multiple activities. This can be particularly acute if one third party is used for several activities that are essential to the organization’s ongoing operations.
Continuous monitoring – Within TPRM, this is the proactive reviewing of third-party relationship information, metrics, and data for significant changes in relevant areas that would impact the ability of a third party to meet its contractual obligations to the organization. Examples include continuous monitoring of social media, key risk indicators, or financial information.
Credit risk – The risk to an organization’s financial condition and resilience arising from an obligor’s failure to meet the terms of any contract with the organization or failure to perform as agreed. Credit risk is a particularly important consideration when third parties are engaging in some form of financial services activity for an organization, e.g. originating loans or financing, or engaging in some forms of customer service activities, account management, or collections activities.
Compliance risk – The risk to the financial condition and resilience of an organization, which can arise from violations of regulations or laws, as well as from the failure to conform with required practices, internal policies and processes, or ethical standards. Compliance risk can happen within third-party relationships when the third party’s operations are not consistent with the applicable laws, regulations, ethical standards, or the organization’s policies and procedures.
Critical activities – Significant organizational functions, significant shared services, or other activities that could cause an organization to face significant risk if a third party fails to meet expectations. Such functions, services, or activities could be those which:
Critical third parties – These are third parties that perform critical activities for an organization.
Contract negotiation – Often the third stage in the third-party risk management life cycle. This stage involves the development of a contract that clearly defines the expectations and responsibilities of both the third party and the organization. Some of the purposes of the contract’s language include helping to ensure the contract’s enforceability, limiting the organization’s liability and mitigating disputes about performance.
Contractor risk management – Your contractors are a type of third party. Contractor risk management is the process of identifying, assessing, and controlling the risks an organization is faced with as a result of its relationship with its contractors.
Country risk – This is the risk of exposure to the economic, social, and political conditions and events in another country that could negatively impact the ability of the foreign-based third party to provide the products or services required by contractual arrangement, resulting in harm to the organization.
Cyber risk – This is the risk of financial or reputational damage due to a failure of an organization’s technology systems. In recent years, there has been significant focus placed on cyberattacks, which are criminal disruptions of organizational technology systems. Within TPRM, organizations need to be aware not just of their own cyber risks, but the cyber risks presented by third-party relationships.
Data privacy – Also known as information privacy or data protection. Data privacy focuses on the ability of an organization to protect data from unauthorized access or misuse and the ability to share data according to the organization’s policies and procedures. This may include compliance with applicable data privacy regulations. In TPRM, there is particular attention given to when and how data is shared with third parties and how third parties protect an organization’s data.
Documentation – These are materials that can be produced as evidence to key stakeholders, such as the board of directors, senior management, regulators, and auditors. Examples include TPRM policies and procedures, evidence that specific third-party GRC tasks have been completed, as well as the materials used to perform those tasks (such as assessments).
Due diligence – Often the second stage in the third-party risk management life cycle. Due diligence involves conducting a review of a potential third party prior to signing a contract. This review should involve developing a deeper understanding of the third party’s ownership, operations, resources, financial status, relevant employees, risk and control framework, business continuity program, third-party risk management program, and other factors important to the third-party relationship. Due diligence helps ensure the organization selects an appropriate third party to partner with, and that the organization understands both the inherent and residual risks posed by the relationship. These residual risks should be within the organization’s risk appetite.
Fourth parties – These are your third parties’ subcontractors and their own third parties. It is important to understand who your critical fourth parties are and the level of risk they may pose (e.g. Do they have access to data and systems? Would their failure have a significant impact on your business operations?). They are increasingly being connected to concentration risk.
Impact tolerances – A description of the tolerance, or level of acceptance, that an organization will have for disruption to its business activities. Impact tolerance is usually described using outcomes and metrics and should be created in relationship with the organization’s risk appetite. It differs from risk appetite because it is assuming that a particular risk event has happened.
Impact tolerance statement – A policy document that explains how impact tolerances are created and justified within an organization.
Independent reviews – Independent reviews involve having an independent party – such as a consultant or an auditor – review some aspect of the TPRM program. This could be a single relationship or the entire framework. Periodic independent reviews enable the board and management to assess whether the aspect of the TPRM program being reviewed aligns with the organization’s business strategy, overall risk appetite, and compliance objectives.
Information security – Also called cybersecurity, this discipline focuses on mitigating cyber risks, including the prevention and mitigation of external cyberattacks, as well as keeping technology safe from internal threats, such as rogue employees. Within TPRM relationships, organizations are generally responsible for their own information security, as well as the quality of the information security at their third parties.
Inherent risk – The risk to an organization in the absence of any actions management might take to alter either the risk’s likelihood or impact. It’s the level of risk before any action is taken to manage it.
Inherent risk assessment – This is a short questionnaire that helps you understand the inherent risk associated with the third-party engagement. Typically, these will seek to understand the type of engagement (e.g. Will the third party have access to customer data or interact with customers?), the criticality of the third party, whether the third party operates in sanctioned countries, whether they will be dealing with government officials on your organization’s behalf, the financial status of the company, and so on. The answers to the questionnaire drive the inherent risk score, which measures the level of risk.
Key risk indicators – These metrics, also known as KRIs, provide organizations with insight into the likelihood or impact of a risk event taking place by measuring a specific aspect of the risk and control environment. In third-party risk, KRIs can be from either the organization or the third party.
Nth parties – These are your third, fourth, fifth, sixth parties and so on. Depending on your supply chain, you could have risk exposure at levels seemingly far removed from your business. For instance, human slavery practices could be an issue with a supplier’s supplier’s supplier – your fifth party.
Offboarding – When a relationship with a third party is terminated, it is important that you manage their exit in accordance with policy and procedures – which may include relevant notifications to the business, terminating system and location access, ensuring compliance with data destruction policies, and termination of payments.
Onboarding – Third-party onboarding is the process of registering, qualifying, assessing, and collecting all the documentation and data required to successfully conduct business with that third party, including managing their risk and performance.
Ongoing monitoring – Often the fourth stage in the third-party risk management life cycle. This involves supervising and scrutinizing the third-party relationship in a systematic way, on a regular basis. For example, regular assessments can be used, as well as continuous monitoring through electronic data feeds of information associated with the third party. Ongoing monitoring is essential to the organization’s ability to manage the third-party risk within the relationship.
Operational resilience – This refers to the ability of organizations and their industries as a whole to prevent, adapt and respond to, recover, and learn from operational disruption. Operational disruption could include production or service disruptions or degradation resulting from natural disasters, human error, or intentional physical or cyber attacks, for example. The UK Financial Conduct Authority (FCA) focuses on the continued delivery of business services or economic functions.
Operational risk – The risk of loss from inadequate or failed processes, people, or systems or from external events. According to the US Office of the Comptroller of the Currency (OCC), operational risk is present in all products, services, functions, delivery channels, and processes. Specifically, an organization’s exposure to operational risk may be increased by third-party relationships because the organization may not have direct control over the activity performed by the third party.
Oversight and accountability – Within third-party risk management, this involves assigning clear roles and responsibilities for managing third-party relationships to the relevant employees. This governance framework should sit within the organization’s overall approach to governance, risk, and compliance (GRC) and align with its enterprise risk management framework. The board of directors and senior management team should have key roles of responsibility for the oversight of third-party risk management.
Physical security – The physical and environmental controls needed to ensure the safety and security of an organization’s (or third party’s) facilities, technology systems, and employees.
Reputation risk – The risk to the organization’s financial condition and resilience arising from negative public opinion. Third-party relationships that do not meet the expectations of an organization’s customers, shareholders, regulators, local community, or other external stakeholders can expose the organization to reputation risk. For example, when an organization is offering products and services actually originated by third parties as its own, the organization can be exposed to substantial financial and reputational damage if it does not maintain adequate quality control over those products and services as well as adequate oversight over the third party’s activities.
Residual risk – Residual risk is the risk remaining after risk treatment. It’s the level of risk after action is taken to manage it.
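The inherent risk assessment, residual risk and concentration risk entries above describe a scoring process without showing one. The following is an added example, not part of the original glossary and not any vendor's scoring model: a small Python model in which a weighted questionnaire produces a normalised inherent risk score and tier, control effectiveness reduces it to a residual score, and third parties supporting several critical activities are flagged for concentration risk. The question names, weights, tier cut-offs, the linear residual formula and the three sample third parties are all constructed assumptions for illustration.

```python
"""Toy TPRM scoring model (added example; weights and cut-offs are assumptions)."""
from dataclasses import dataclass, field

# Constructed inherent-risk questionnaire: each question carries a weight
# reflecting how much a "yes" answer raises inherent risk. The questions
# mirror the areas the glossary lists (data access, customer contact,
# criticality, sanctioned countries, government officials, financial status).
QUESTIONNAIRE = {
    "customer_data_access": 30,  # third party handles customer data
    "customer_facing": 15,       # interacts with customers on our behalf
    "critical_activity": 25,     # performs a critical activity
    "sanctioned_country": 20,    # operates in a sanctioned jurisdiction
    "government_officials": 15,  # deals with officials on our behalf (ABAC)
    "weak_financials": 10,       # financial status is a concern
}
MAX_SCORE = sum(QUESTIONNAIRE.values())  # 115 with the weights above


def inherent_risk_score(answers: dict) -> int:
    """Weighted sum of 'yes' answers, normalised to a 0..100 scale."""
    unknown = set(answers) - set(QUESTIONNAIRE)
    if unknown:  # reject answers to questions the questionnaire does not define
        raise ValueError(f"unknown questions: {sorted(unknown)}")
    raw = sum(w for q, w in QUESTIONNAIRE.items() if answers.get(q, False))
    return round(100 * raw / MAX_SCORE)


def risk_tier(score: int) -> str:
    """Assumed tier cut-offs: 60+ high, 30..59 medium, below 30 low."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def residual_risk_score(inherent: int, control_effectiveness: float) -> int:
    """Residual risk = inherent risk left after treatment by controls.

    control_effectiveness is the assumed fraction of the inherent risk that
    the control environment removes: 0.0 (no controls) .. 1.0 (fully treated).
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within [0, 1]")
    return round(inherent * (1.0 - control_effectiveness))


@dataclass
class ThirdParty:
    name: str
    answers: dict                      # inherent-risk questionnaire answers
    control_effectiveness: float       # from the control assessment
    critical_activities: list = field(default_factory=list)


def concentration_flags(parties, threshold: int = 2) -> list:
    """Names of third parties relied on for >= threshold critical activities,
    i.e. the single-provider concentration the glossary warns about."""
    return sorted(p.name for p in parties
                  if len(p.critical_activities) >= threshold)


def assess(party: ThirdParty) -> dict:
    """Inherent and residual scores with their tiers for one third party."""
    inherent = inherent_risk_score(party.answers)
    residual = residual_risk_score(inherent, party.control_effectiveness)
    return {"name": party.name,
            "inherent": inherent, "inherent_tier": risk_tier(inherent),
            "residual": residual, "residual_tier": risk_tier(residual)}


# Constructed sample third parties (fictitious names and answers).
SAMPLE_PARTIES = [
    ThirdParty("Payments Processor Ltd",
               {"customer_data_access": True, "customer_facing": True,
                "critical_activity": True},
               control_effectiveness=0.6,
               critical_activities=["card processing", "settlement",
                                    "chargeback handling"]),
    ThirdParty("Office Cleaning Co", {}, control_effectiveness=0.0),
    ThirdParty("Offshore Dev Shop",
               {"customer_data_access": True, "sanctioned_country": True,
                "weak_financials": True},
               control_effectiveness=0.5,
               critical_activities=["core banking maintenance", "mobile app"]),
]


def assess_all(parties=SAMPLE_PARTIES) -> list:
    return [assess(p) for p in parties]


if __name__ == "__main__":
    for row in assess_all():
        print(row)
    print("concentration risk:", concentration_flags(SAMPLE_PARTIES))
```

Note that the processor scores high on inherent risk but low on residual risk once its controls are credited, which is exactly the distinction between the two glossary entries; the concentration flag is independent of either score, because relying on one provider for several critical activities is a risk even when that provider is well controlled.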
Responsible sourcing – Part of corporate responsibility, responsible sourcing supports understanding, managing, and mitigating the reputational and sustainability risks posed by an organization’s third parties and their activities. Organizations need to be sure that their third parties are operating in compliance with environmental, health and safety, and human rights requirements – as well as ethical standards.
Risk appetite – An organization’s risk appetite is the amount and type of risk an organization is willing to accept, or avoid, in order to achieve its business objectives. These decisions are usually aggregated together into a single document, known as a risk appetite statement.
Risk assessment – Sometimes called “risk and control self-assessments” or RCSAs, this risk management tool was originally developed for the operational risk discipline. RCSAs are conducted in questionnaire form and ask an individual about the organization’s risks and controls in a particular area of the business. Within TPRM, risk assessments can be used internally to help the organization assess its third-party risks and controls from within, or RCSAs can be sent to third parties for them to complete to help the organization to better understand the risk and control environments in their business partners.
Planning – In the third-party risk management life cycle, this first stage involves the development of a plan to manage the third-party relationship. This stage is particularly essential when an organization is considering outsourcing critical activities to a third party. It is supported by registration and qualification processes.
Third-party risk management (TPRM) – TPRM is the process of identifying, assessing, and controlling the risks an organization is faced with as a result of its relationship with another organization (the third party).
Third-party risk management life cycle – A framework of the natural stages that the relationship between an organization and a third party evolves through over time. The stages often include:
Third-party risk management programs are usually constructed to manage each stage within this life cycle in the context of the organization’s overall risk appetite and resilience objectives.
Third-party relationship – Any business arrangement between an organization and another entity, contractual or otherwise. Third-party relationships involve a wide range of activities, including:
Fourth parties refer to the third parties of third parties. So-called “nth” parties continue the cascade of this relationship – a fifth party is the third party of a third party’s third party, and so on.
Third-party performance management – The proactive oversight of the functional and business success of third-party relationships, with a view to assessing the relationship based on quantitative and qualitative metrics. Metrics can track elements such as efficiency, cost savings, quality, and innovation.
Reporting – Reporting involves conveying important information to stakeholders to help them better understand both how well the TPRM program is performing and what the organization’s third-party risk and control environment looks like. Good reporting enables the oversight, accountability, monitoring, and risk management associated with third-party relationships. Reporting can take the form of dashboards as well as compiled reports in document form.
Strategic risk – The risk to an organization’s financial condition and resilience arising from adverse business decisions, poor implementation of those decisions, or failure to respond to changes in the organization’s industry or operating environment. For example, an organization could be exposed to strategic risk if it engages with third parties to provide products or services that are not compatible with the organization’s strategic goals, if the third party’s activities associated with the organization cannot be effectively monitored and managed, or if they do not provide an adequate return on investment. An organization can also encounter strategic risk if it does not use third parties when it makes sense to do so – for example, if third parties have greater expertise or efficiency in providing a product or service than the organization does internally.
Supply chain management – The active management of supply chain activities to mitigate risk, maximize customer value, and achieve a sustainable competitive advantage for an organization. Most usually applied to production processes, in some models supply chain management covers the entire value chain, from raw materials to sale of the finished goods and beyond.
Termination – Usually the last stage in the third-party risk management life cycle. This involves planning for what will happen when the third-party relationship comes to an end under a variety of circumstances. Organizations should have a contingency plan to ensure that they can transition the activities being performed by that third party to another third party. Alternatively, the organization can plan to bring the activities in-house or discontinue the activities. Organizations also need to ensure that the third party complies with any policies such as data destruction and return of devices upon termination and off-boarding.
Supplier risk management – Often used interchangeably with TPRM, supplier risk management is the process of identifying, assessing, and controlling the risks an organization is faced with as a result of its relationship with its direct and indirect suppliers.
Vendor risk management – Often used interchangeably with third-party risk management. However, vendor risk management is a slightly narrower term. Third-party risk management includes a variety of other third-party relationships apart from vendors, such as services provided by affiliates and subsidiaries.