This article is the third in a series of blog posts where we will discuss and explain how to start and implement third-party risk within your organisation.
A 6-step approach is used whereby every step will be an explanatory blog post:
Third-party catalogue (This blog post)
Due diligence assessments
Risk monitoring & exit
In the previous blog post we identified the different internal and external requirements that we need to take into consideration for our new TPRM capability. In this post, we discuss the third-party catalogue and the contract catalogue, an essential element of TPRM.
The third-party catalogue is an inventory of all your third parties. You first need a complete overview of all your third parties in order to manage the related risks and requirements effectively.
The departments most likely to already hold such an inventory are procurement and strategic buying, and in some rare cases the compliance or legal department.
It is (sadly) not uncommon for organisations to have no complete third-party inventory. Often the data is spread across multiple systems and departments, or formal registration is incomplete. In that case, leverage the third-party data that departments such as procurement, strategic buying, compliance/legal or the business units already maintain: invoices, payment data (a strong indicator, since every supplier that gets paid shows up there), ERP systems with supplier tables, and contract management databases. You can even use your firewall/proxy logs or CASB to identify third-party services that the organisation is actively using, including services that nobody formally registered.
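The firewall/CASB route above is the only one of these sources that is purely technical, so here is what that discovery pass looks like in practice. This is an added example, not code from the original post: it assumes a constructed, simplified egress log format ("timestamp source-ip destination-host action"), a hypothetical internal-domain allowlist, and a shortlist of two-level public suffixes in place of the full Public Suffix List. It collapses hostnames to the domain a vendor would have registered, drops your own domains, and ranks the remaining domains by how many distinct internal hosts talk to them, which is a better signal of real adoption than raw request counts.

```python
"""Discover candidate third-party services from egress (proxy/firewall) logs.

Added example, not code from the original post. The log format below is a
constructed simplification: "<timestamp> <src_ip> <dst_host> <ALLOW|DENY>".
Real proxy, firewall or CASB exports differ in layout, so parse_line() is the
part you adapt; the aggregation logic stays the same.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real environment).
SAMPLE_LOG = """\
2024-03-01T08:12:03Z 10.1.4.22 api.payments-provider.example ALLOW
2024-03-01T08:12:05Z 10.1.4.22 cdn.payments-provider.example ALLOW
2024-03-01T08:15:41Z 10.1.9.7 intranet.corp.example ALLOW
2024-03-01T09:02:11Z 10.1.9.7 app.hr-saas.example ALLOW
2024-03-02T10:30:00Z 10.1.4.22 app.hr-saas.example ALLOW
2024-03-02T10:30:02Z 10.2.0.15 app.hr-saas.example ALLOW
2024-03-02T11:00:00Z 10.2.0.15 files.hr-saas-uk.co.uk ALLOW
2024-03-02T11:05:00Z 10.2.0.15 malformed line here
2024-03-03T07:00:00Z 10.1.4.22 api.payments-provider.example DENY
"""

# Domains the organisation operates itself; these are never third parties.
# Hypothetical value, replace with your own domains.
INTERNAL_DOMAINS = {"corp.example"}

# Assumption: a short list of two-level public suffixes. A real run should use
# the Public Suffix List (e.g. the tldextract package) instead of this.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<host>[\w.-]+) (?P<action>ALLOW|DENY)$"
)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to the domain a vendor would have registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (timestamp, src_ip, host, action) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["host"], m["action"]


def discover_third_parties(log_text: str, internal_domains=INTERNAL_DOMAINS):
    """Aggregate egress log lines into ranked candidate third-party domains.

    DENY lines are counted too: a blocked connection still shows that someone
    in the organisation is trying to use the service.
    Returns (candidates, number_of_skipped_lines).
    """
    stats = defaultdict(lambda: {"requests": 0, "sources": set(), "hosts": set(),
                                 "first_seen": None, "last_seen": None})
    skipped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # never silently drop: malformed lines hide coverage gaps
            continue
        ts, src, host, _action = parsed
        domain = registrable_domain(host)
        if domain in internal_domains:
            continue
        s = stats[domain]
        s["requests"] += 1
        s["sources"].add(src)
        s["hosts"].add(host)
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)

    candidates = [
        {
            "domain": d,
            "requests": s["requests"],
            "distinct_sources": len(s["sources"]),
            "hosts": sorted(s["hosts"]),
            "first_seen": s["first_seen"].date().isoformat(),
            "last_seen": s["last_seen"].date().isoformat(),
        }
        for d, s in stats.items()
    ]
    # Breadth of use (distinct internal hosts) ranks above raw volume.
    candidates.sort(key=lambda c: (-c["distinct_sources"], -c["requests"], c["domain"]))
    return candidates, skipped


if __name__ == "__main__":
    found, skipped = discover_third_parties(SAMPLE_LOG)
    for c in found:
        print(f"{c['domain']:32} hosts={c['distinct_sources']} req={c['requests']} "
              f"{c['first_seen']}..{c['last_seen']} {','.join(c['hosts'])}")
    print(f"skipped {skipped} unparseable line(s)")
```

The output is a list of domains to reconcile against the supplier tables and payment data, not a finished inventory: a domain such as a CDN or cloud provider often fronts several of your actual third parties, and some contracted suppliers never appear in egress traffic at all. Treat every domain that is in the logs but missing from procurement's list as a lead to confirm with the business owner.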
The second step, after you have identified the different third parties within your organisation, is to assign accountable ownership. You will need this information in the next steps and during the various activities you are about to perform with the new TPRM capability. For example, it is advisable to inform the relevant internal and external stakeholders upfront before you initiate any assessments.
My advice is to assign at least the following internal roles:
Procurement relationship owner: the colleague who is responsible for the procurement relationship with this organisation.
Business relationship owner: the colleague who is responsible for the business relationship with this organisation.
Risk officer (optional): you can already assign a risk officer to the third party now, or decide to do this at a later stage, whereby third parties are automatically assigned to risk officers based on, for example, business unit, type of service or location.
External ownership/contact person
Once you have identified the internal owners, you can easily identify with them the accountable relationship owners on the third party's side.
List and confirm all these assigned ownerships in your third-party inventory.
As a third party can have multiple contracts, it is good practice to also maintain a contract catalogue next to your third-party catalogue. The reason is that the type of service and the level of criticality can differ per contract, e.g. one of your third parties provides both workplace support and payment processing services. You probably want to make a distinction between those two.
By adding the contract layer, you will be able to distinguish between contracts on:
Start and end dates of the contract
Service description details
Internal and external ownership
Applicability of requirements
The granularity of the contract layer allows you to associate risks and incidents to a specific contract. In addition, it will also allow you to create specific assessments that are customised to a relevant contract. Try to fill in all those details with your identified stakeholders from the previous step.
That is it for today. If you were able to leverage a good single source of truth for your third-parties and contracts, you probably finished this step in a few hours. If you weren't able to identify an internal inventory, which is sadly probable, then this step can take you several days, up to a few weeks. In that case you might want to start with a smaller and specific scope, e.g. one business unit or operating company.
In the next blog post, I will dive into the subject of segmentation. Segmentation will help you to determine how to utilise your third-party risk management activities strategically.
Setting up a TPRM programme is complicated, but with a little guidance you can implement TPRM within your organisation. Keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.
If you have any questions during or after this series, please feel free to e-mail Bram@3rdRisk.com, and I am more than happy to provide additional context or information.