The solution

Why we started 3rdRisk

Bram Ketting | Founder & Managing director

In this blog post, I would like to spend some words on the vision of why we started Especially why we are not the next Governance, Risk & Compliance (GRC) provider or a purely European alternative for all those US-based Vendor Risk Management (VRM) solutions.

The structure of this blog post is as follows, feel free to jump right into one of these sections:

  1. Situation

  2. Complication

  3. Resolution

  4. 3rdRisk

1. The situation

The past few years, we have seen that organisations are increasingly adopting more collaborations with third-parties. There are different business drivers for this, to name a few:

  • Specialised knowledge and expertise

  • Business agility and scalability

  • Process improvement

  • Innovation

  • Cost reduction

  • Compliance

2. The complication

Those drivers caused the following significant changes:

The amount of third-parties

The last decade we have seen continuous and enormous growth in the number of third-parties. Where an average organisation used to work with a couple of hundred third-parties, we see that most public listed companies work these days with thousands of different third-parties.

The result is that an organisation has more interconnections and dependencies on externals than ever before. This makes it more complicated for internal risk & compliance teams to be in control.

Responsibilities of third-parties move from speciality to critical core services

Organisations have long relied on third parties for speciality services, operational efficiency, competitive advantage, and cost-savings. 

The last few years, a significant shift has taken place as third-parties are becoming more and more responsible for executing core activities that are critical to operations, business models, and value propositions of organisations. 

The result is that the potential impact of an incident at one of the third-parties will result in a more significant exposure to the organisation than it used to be. 

While in the meantime:

Risk & compliance teams have a strong focus on the internal organisation

The average organisation has a lot of risk & compliance professionals that have a primary focus on the internal organisation with a strong emphasis on activities with a direct risk reduction, e.g. vulnerability scans, pen tests, security awareness, compliance assessments. These are all activities whereby a risk team can directly identify & measure the risk and is able to act on the remediation. With third-party risks, it is an entirely different ball game as organisations have to rely on third-parties for most of the identification and remediation part.

Current risk technology is designed for internal risk & compliance teams

Current processes and technology to manage third-party risks and compliance are often ad-hoc, stand-alone, labour-intensive and primarily driven by spreadsheets or isolated and Governance, Risk & Compliance (GRC) solutions. The GRC trend was an excellent maturity step for managing an internal risk & control landscape. It was beneficial for most risk & compliance teams. Nonetheless, when we look at the current situation whereby some organisations are spending up to 80% of their operational costs to third-parties, the practical question should come to mind whether a stand-alone point solution is an answer for such a scattered control environment. 

Complexity and size of the organisation 

Most risk teams start implementing a GRC solution when they have about a dozen or more risk professionals. One of the reasons is the yearly costs, but merely it is to complex for smaller risk teams and organisation to work with a GRC suite. 

Financial costs 

We should also have a look at the financial costs of the currently available technology. According to Blue Hill Research the average price of a GRC implementation is roughly $458.000 and yearly licence fees can add up to $160.000 and more per year. Over three years it will cost you $480.000 on licence fees and about $458.000 on implementation.

These are not particularly acceptable costs for the smaller organisations in an ecosystem that works with the most modest margins in their core business.

3. Resolution

Risk professionals should make a focus shift

The internal risk & compliance teams should shift their focus from solely internal to the extended enterprise. Third-party risk management should be part of the operating model, whereby different risk professionals are hired or current staff is trained as you need a different kind of capabilities to manage a third-party lifecycle.

Also, risk teams are currently differentiated based on their expertise or domain. So you have a privacy team who has a strong focus on privacy risks, a cyber team who is dealing with cyber risks. But in the area of third-party risk, there is not always a clear distinction between the different types of threats, especially since they can also evolve to a different kind. E.g. a small cyber incident in the supply chain, can lead to a continuity risk, which can eventually end up as a significant financial and reputation exposure. Especially within supply chains, risk teams should work with a more integrated approach, collaborate or even better: break down silo's and work as one integrated risk & compliance team.

We need standardisation and best-practices

There is a lack of standardisation within ecosystems. Everyone is currently using their own spreadsheets, custom questionnaire templates and have their unique way of assessing. To streamline activities we must standardise our approaches, techniques and start creating best-practices.

Stop with technology point solutions

The existing market solutions are staggering, but these are primarily driven from a technology stack and are not fit for current organisations: 

The average organisation is nowadays a distributed environment that is working and depending on multiple third-parties to deliver their market propositions.

In contrast, the most dominant market players are promoting a stand-alone (on-premise) GRC solution or they are pushing a vendor risk management (VRM) SaaS solution to create your own advanced survey tool. Imagine that most of your third-parties will drop their error-prone spreadsheets and all select their own standalone GRC solution or one of the dozens VRM SaaS solutions? Although they can look fancy and are backed by major VC's, they are simply not providing a future-proof solution. The primary and solely reason is that they are driven by technology but do not have a full understanding of where we are heading.

In addition, their autonomous approach and foundational technology decisions will never enable them to create a solution that is fit-for-the-new-purpose. Creating a CRM or ITSM platform is something completely different than a risk & compliance solution.

4. 3rdRisk

As we did not find a player in the market that had this understanding and strategy, while we do see an increasing market need, we decided to pick up the glove and started to built

Design principles

To create this solution, we first defined the following core principles to meet the fit-for-purpose:

Principle 1: Accessibility enables control

To effectively manage supply chains risks and compliance requirements in an ecosystem, all the different parties should have access to the same technology stack, content and work with the latest available information. This is the only way for all parties to be actually in control.

Principle 2: Collaboration is the only solution

Collaboration is the primary answer to stay on top of the different risk- and compliance requirements in an ecosystem. Both third-parties and internal risk disciplines should (eventually, you do not need to do this by day 1) break down the walls and start working together to stay on top of these. 

Principle 3: Content and experience are driving technology design decisions

Tailor the technology stack to the needs and requirements that are driven by content and expertise. Not the other way around. 

Principle 4: Open innovation

Supply chains are complex global structures with a massive societal impact. That is why our clients and we should be able to work with universities, big4 companies, NGO's and other stakeholders to improve the current content and technology to make the biggest impact.

Principle 5: The interface and setup must be intuitive and self-explaining

As we want to support organisations of all sizes all over the world, whereby not everyone has access to implementation consultants, it is required to ship the platform with best-practice blueprints and an implementation that is intuitive and self-explaining. 

These five principles are now at the core of the 3rdRisk solution

Principle 1: Accessibility enables control
Community-tier and Ecosystem packages

Within our pricing portfolio, we offer Community-tier and Ecosystem packages. The Community-tier is available for everyone and allows you to use our platform at no further costs.

The ecosystem package is an extended Community-tier licence that a large corporation can hand-out to its smaller third-parties so they can use our platform at no costs.

These packages include ALL platform functionalities and content like questionnaire templates, requirements and configuration blueprints that also come with the premium packages. 

We will provide all organisations on this planet with the same technology and content no matter if you have an HQ in the business district or if you are running a small fish operation in Turkey that works for a major global corporation.

To accommodate the Community-tier and Ecosystem packages approach from a cost perspective, we are providing commercial packages that are specifically designed for the corporates which are on top of the business ecosystems. We offer them the option to roll-out our technology throughout their complete supply chain. We ask them a premium fee (which is btw far cheaper than an average GRC licence) while we provide them with the unique feature to standardise their risk & compliance approaches throughout their supply chain and enable collaboration on a global scale. From a risk perspective, this is the only effective way to manage risks as you early identify an evolving threat and give everyone the tools to manage/remediate these adequately. From a compliance perspective, you are now finally able to implement integrated reporting throughout your complete ecosystem. 

Principle 2: Collaboration is the only solution
Integrate all your different risk & compliance teams and efforts

Our platform is designed in such a way that all different internal risk disciplines, from sustainability to privacy or continuity, can (eventually) work together in the same platform. They can integrate different assessment templates, message each other and use one integrated single source of truth for all their third-parties, risks and incidents. So no more stand-alone solutions, different approaches and distributed (spreadsheet) risk registers.

Network approach

Organisations can use our platform as a stand-alone risk instance but they also have the option to connect and collaborate with third-parties on our platform. They can exchange questionnaires, compliance requirements and showcase their profile.

Principle 3: Content and experience are driving technology design decisions
BIG4 and hands-on experience

Our platform is designed and built from the ground and is based on professional big4 and hands-on third-party risk experience. We are not an ITSM provider that is leveraging their underlying architecture to create a risk solution or have to wait for generic architectural platform updates to accommodate your new reporting needs.

Since day one, we also introduced, whereby we enable clients to provide feedback and feature suggestions. We just released the first version of our platform but we are currently also adding our initial ideas, whereby any user on the platform, can vote for a specific idea or add their own.

The customer voice and feedback is driving our roadmap not the underlying platform. 

Our roadmap is really transparent as it is publicly available for everyone; unlike the GRC providers, you don't need to sign an NDA to get an insight. Just contact me (

Principle 4: Open innovation
3rdRisk community

Together we can reshape & rethink the current third-party risk management approaches, that is why we are looking for individuals and organisations (profit and non-profit) to work with us on:


With the expertise and experience of our community, we want to standardise and open-source assessment questionnaires.

Platform features

Community members can take an active role in the design and prioritisation of new platform functionalities.


Complementary to the technology we would also like to standardise and create best-practices for third-party risk approaches.

Let's make an impact!

During the design and creation of our platform, we had several discussions with NGO's, BIG4's and academics about our approach. It is entirely new, but we also got an understanding of the potential impact that we can make with our technology. Whereby we first had a strong focus on security, privacy and continuity in the supply chain, we also started to realise the potential impact that we could make in the areas of humanity and sustainability. That is why we are currently working on different sustainability initiatives within the platform. If you are in this area of expertise, please do contact me (

Principle 5: The interface and setup must be intuitive and self-explaining
No clutter but a visually attractive and calm interface

Since the start of creating the 3rdRisk platform, we have worked closely with designers and UX-professionals to ensure that we create an intuitive and visually attractive B2B application that can be easily implemented and adopted.

As we also want to support those who cannot afford to hire implementation consultants and we want to be transparent and open, we created an extensive documentation portal. This documentation is publically available and can be found at It contains all implemented concepts explained, how-to tutorials and best practices. 

Final words

Thanks for reading the complete post. Feel free to reach out to us for more information about our platform, strategy and the 3rdRisk community. We are a small tech-startup and are always interesting in setting up new connections and exploring new ideas.

Kind regards,

Bram Ketting



We’d love to hear
from you


We’d love to hear
from you

Send Us a Message