This article is the third in a series of blog posts in which we discuss and explain how to start and implement third-party risk management (TPRM) within your organisation.
A 6-step approach is used whereby every step will be an explanatory blog post:
Segmentation (This blog post)
Due diligence assessments
Risk monitoring & exit
In the previous blog post, we created a third-party and contract catalogue for our new TPRM capability. In this blog post, we will discuss the importance and implementation of a segmentation strategy.
Not all your third parties carry the same amount of risk or the same compliance requirements. With segmentation, you can prioritise your TPRM efforts and decide how a third party should be managed from a risk perspective. You do this by assigning a risk profile to each of your third-party engagements. This is especially useful when the number of third parties is large and growing and compliance requirements are demanding.
Existing and new engagements
We will apply this process to both your existing third-party population and new future engagements. Once you have assessed all your existing third parties by the end of this blog post, it is advised to use the same model to segment new third parties during the contractual phase.
Third-party / contract level
You can segment at both the third-party level and the contract level. The contract level is more granular and allows you to distinguish between the different kinds of contracts that third parties have with your organisation. You might want to assign risk profiles at the contract level when you have to comply with strict compliance requirements or when the contracts of your third parties really differ. This allows you to monitor the most critical contracts and differentiate on compliance requirements. My advice is to have a look at your contract catalogue and discuss this level with the procurement department. If you have a lot of third parties with multiple and different contracts, then I would advise you to do both; if not, just start with the third-party level.
When the level is clear, it is time to define a segmentation process to determine a risk profile. This process needs to be well-defined and repeatable (try to leave out any subjectivity; your colleague should get the same result), and it should allow you to segment your third-party relationships.
The goal is to get up to a dozen questions (preferably a handful) that help you to determine the risk profile. There is not a best-practice questionnaire template to do this, as it differs per organisation and TPRM scope. To give some guidance on how to create a segmentation questionnaire that is tailored to your organisation:
2. Create the segments that you want to use, e.g:
Try to limit the number of segment levels (3-4), especially when you are just starting.
The type of business
Your dependency on critical processes/activities
Accessibility of sensitive information
Critical VPN/remote network access
4. Once you have identified the criteria, you can define a list of closed questions. You want to use closed questions because they make it easier (and more repeatable) to calculate a risk score or define rules (more about that in step 6).
Some examples of questions:
Is the third-party service related to an area of regulatory scrutiny or requirements?
Does the third party have access to client, employee or other sensitive data?
Does this third-party service support a critical business process or critical function?
Does this third-party store data in the cloud?
What is the contract size?
Is this third-party located outside the European Union?
Does the third-party interact with your clients?
My advice is to keep the list limited, so do not create an exhaustive list of dozens of questions. The goal is to assign an initial risk profile, not to perform a complete due diligence assessment (we will do that at a later stage).
5. Define the response options.
6. Decide if you take a score-based approach or a rules-based approach:
With a score-based approach, you conduct due diligence across different dimensions and use the results to develop a composite risk score.
Although very thorough, this approach can be cumbersome and resource-intensive for many organisations.
With the rules-based approach, you identify specific rules or criteria for each segment and thereby streamline the process of assigning third-parties to risk categories.
This rules-based approach is about 50-60 per cent faster than the score-based one.
6. Set up a table in which you list the questions (rows) and assign answers to the different segments (columns).
Add weight factors at the answer and question level if you go for the score-based approach. Define the formula to calculate the composite risk score and add thresholds for the different levels. E.g. a third party gets a medium risk profile when it scores between 12-20.
The rules-based approach is pretty straightforward. Take, for example, the question: Does this third-party service support a critical business process or critical function? If you placed the answer 'yes' in the critical segment, then all third parties that support a critical business process or critical function get a critical risk profile automatically.
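The two approaches from step 6, as an added example that is not part of the original post or of any 3rdRisk product: the segment names, question keys, rules, weights and thresholds below are assumptions, except the 12-20 medium band taken from the text above.

```python
# Added example. Everything here is an assumed model except the 12-20 "medium" band.
SEGMENTS = ["low", "medium", "high", "critical"]  # ordered, lowest risk first

# Rules-based table: a given answer places the engagement in at least this segment.
RULES = {
    ("supports_critical_process", "yes"): "critical",
    ("sensitive_data_access", "yes"): "high",
    ("regulatory_scope", "yes"): "high",
    ("outside_eu", "yes"): "medium",
}

# Score-based table: question weight x answer weight, summed into a composite score.
QUESTION_WEIGHTS = {"supports_critical_process": 5, "sensitive_data_access": 4,
                    "regulatory_scope": 3, "outside_eu": 2}
ANSWER_WEIGHTS = {"yes": 2, "no": 0}
THRESHOLDS = [(26, "critical"), (21, "high"), (12, "medium"), (0, "low")]  # lower bounds

def validate(answers):
    """Reject incomplete or free-text answers so two assessors get the same result."""
    missing = set(QUESTION_WEIGHTS) - set(answers)
    invalid = {q for q in QUESTION_WEIGHTS if q in answers and answers[q] not in ANSWER_WEIGHTS}
    if missing or invalid:
        raise ValueError(f"missing={sorted(missing)} invalid={sorted(invalid)}")

def segment_by_rules(answers):
    """The highest segment triggered by any rule wins; no rule hit means 'low'."""
    validate(answers)
    hits = [RULES[(q, a)] for q, a in answers.items() if (q, a) in RULES]
    return max(hits, key=SEGMENTS.index, default="low")

def composite_score(answers):
    validate(answers)
    return sum(QUESTION_WEIGHTS[q] * ANSWER_WEIGHTS[answers[q]] for q in QUESTION_WEIGHTS)

def segment_by_score(answers):
    score = composite_score(answers)
    return next(seg for floor, seg in THRESHOLDS if score >= floor)

# Constructed sample engagements (not real third parties).
PAYROLL = {"supports_critical_process": "yes", "sensitive_data_access": "yes",
           "regulatory_scope": "yes", "outside_eu": "no"}
SAAS_TOOL = {"supports_critical_process": "no", "sensitive_data_access": "yes",
             "regulatory_scope": "no", "outside_eu": "yes"}

if __name__ == "__main__":
    for name, answers in (("payroll", PAYROLL), ("saas_tool", SAAS_TOOL)):
        print(name, segment_by_rules(answers), composite_score(answers),
              segment_by_score(answers))
```

With these assumed tables the two approaches can disagree on the same answers (the payroll engagement is critical by rule but high by score), which is worth checking before you commit to one of them.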
7. Reach out to the relevant business owners and third-party managers to (collaboratively) fill in the segmentation questionnaire and record the risk profile.
8. Implement the segmentation within the contractual process of new third-parties.
It is important to note that a centralised (to-be) TPRM team can execute the segmentation activities, but the business is still accountable for final segmentation. So you should definitely also involve the business owners that you identified in the previous step.
In the next blog post, I will dive into due diligence assessments and show you how you can confidently assess your third-parties and get actionable results.
You can use a solution like 3rdRisk.com to easily segment both your third parties and your contracts. If you want to know more, have a look at our docs page for more in-depth information regarding this activity.
Setting up a TPRM program is complicated, but with a little guidance, you can implement TPRM within your organisation altogether. In the next blog post, we will set up and discuss the third-party catalogue. So keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.
If you have any questions during or after this series, please feel free to e-mail me at Bram@3rdRisk.com, and I am more than happy to provide some additional context or information.