Starting with third-party risk management (3): How to create your catalogue?

A 6-step approach is used whereby every step will be an explanatory blog post:

1. Capability setup
2. Requirements overview
3. Third-party catalogue (this blog post)
4. Segmentation
5. Due diligence assessments
6. Risk monitoring & follow-up

In the previous blog post we have identified the different internal and external requirements that we need to take in consideration for our new TPRM capability. In this blog post, we will discuss the third-party- and contract catalogue. An essential element in TPRM.

Third-party catalogue

The third-party catalogue is an inventory of all your third-parties. It is key to first have a complete overview of all your third-parties in order to manage the related risks and requirements effectively.

Where to start

The most common departments that might have this inventory are procurement and strategic buying, and in some rare cases, the compliance and legal departments.

Missing a single source of truth

It is (sadly) not uncommon that organisations do not have a complete third-party inventory. Often this data is spread across multiple systems and departments, or the formal registration is not on par. In that case, you can leverage existing third-party data that departments such as procurement, strategic buying, compliance/legal or business units maintain. These can be invoices, payment data (strong indicator), ERP systems with supplier tables, contract management databases or you can even use your firewall logs/CASB to start identifying third-party services that are actively used by the organisation.

Ownership

The second step, after you have identified the different third-parties within your organisation, is to assign accountable ownership. You will need this information in the next steps but also during the different activities that you are about to perform with the new TPRM capability. E.g. it is advised to inform the different internal & external stakeholders upfront before you initiate different assessments.

My advice is to assign at least the following internal roles:

Third-party manager

This is the colleague that is responsible for the procurement relationship with this organisation.

Business owner

The colleague that is responsible for the business relationship with this organisation.

Optionally you can already assign a risk officer to the third-party. You can also decided to do this on a later stage, whereby you automatically assign third-parties to risk officers based on, e.g. business units, type of services or location.

External ownership/contact person

When you have identified the internal owners, you can easily identify with them the accountable relationship owners from the third-party organisation.

List and confirm all these assigned ownerships in your third-party inventory.

Contract catalogue

As a third-party can have multiple contracts, it is good practice to also maintain a contract catalogue next to your third-party catalogue. The reason is that for some contracts the type of services and level of criticality can differ, e.g. one of your third-parties is providing both workplace support as payment processing services. You probably want to make a distinction between those two.

Contract details

By adding the contract layer, you will be able to differ on:

• Start and end dates of contracts.
• Service description details
• Internal & external ownership
• Geographical location
• Internal scope
• Applicability of requirements

The granularity of the contract layer allows you to associate risks and incidents to a specific contract. In addition, it will also allow you to create specific assessments that are customised to a relevant contract. Try to fill in all those details with your identified stakeholders from the previous step.

You might want to start small

That is it for today. If you were able to leverage a good single source of truth for your third-parties and contracts, you probably finished this step in a few hours. If you weren't able to identify an internal inventory, which is sadly probable, then this step can take you several days, up to a few weeks. In that case you might want to start with a smaller and specific scope, e.g. one business unit or operating company.

In the next blog post, I will dive into the subject of segmentation. Segmentation will help you to determine how to utilise your third-party risk management activities strategically.

You can use a tool like 3rdRisk to create such a third-party inventory easily.

Next steps

Setting up a TPRM program is complicated, but with a little guidance, you can implement TPRM within your organisation altogether. In the next blog post, we will set up and discuss the third-party catalogue. So keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.

Further reading

Starting with third-party risk management (4): How to segment your third parties‍