A 6-step approach is used whereby every step will be an explanatory blog post:
- Capability setup
- Requirements overview (this blog post)
- Third-party catalogue
- Due diligence assessments
- Risk monitoring & follow-up
In the first blog post, we have defined our initial third-party risk management (TPRM) capability model; we have a clear vision with a scope, different stakeholders and spent some thoughts on the supporting technology layer. Whereby I hope that you carved out the spreadsheet approach. Just don't do that.
In this blog post, we will discuss the internal & external requirements that you have to take in consideration for your TPRM efforts. It is essential to start with identifying the relevant requirements as these will be the input for the next steps. E.g. if you take specific critical environmental requirements in scope, you probably want to apply these to the initial segmentation of your third-parties.
There are many forms of requirements that your organisation and its employees must uphold. On a high-level, we distinguish two types:
- Internal requirements
- External requirements
These are internal procedures and best practices set forth by your internal organisation, which can be very specific, e.g. entity-, country-, service- or grouplevel. The goal of internal requirements is to ensure that your organisation is operating according to your internal guidelines and policies. Examples are bookkeeping rules, ethic guidelines and security standards.
These are requirements that are set by external parties and expect you to govern and operate the organisation against a set of defined requirements or principles. Examples are the requirements to file an annual report, employment legislation and the ISO 9001 quality certification.
There are different types of external requirements:
- Regulatory requirements (e.g. GDPR)
- Sustainability requirements (e.g. SDG's from the UN)
- Compliance attestations / certifications (e.g. ISO 22301)
- Ecosystem / Industry requirements (e.g. US Department of Defense standards)
- External / Stakeholder requirements (e.g. a requirement from one of your shareholders)
Both the internal & external requirements can be audited by your internal audit department or external auditors like your accountant, regulators or certification bodies.
What is in scope
From a third-party risk perspective, it is essential to know which of these internal & external requirements are in scope. Whereby we look at:
Is it a requirement that applies to your third-party engagements?
E.g. the GDPR has extended the scope of responsibility when it comes to data protection and privacy and third-party engagements. So you should definitely consider this requirement within your TPRM efforts. On the other hand, you probably have internal requirements that are only applicable to your internal organisation.
Does the requirement fit within your vision and defined scope?
If you are primarily focussing on sustainability, then you want to make sure that you have the relevant sustainability requirements are covered.
Is there a regulatory need to include this requirement nonetheless?
Next to the requirements in scope, it advised having a look at requirements that you have to comply with from a legislation perspective. Suppose your industry is heavily monitored for trade sanctions, which is currently not really managed. In that case, you might want to reconsider the initial scope selection and extend it with these sanction regulations.
Establish a complete overview
The most straightforward way to get a complete overview of all these requirements, is to have conversations with departments like legal, compliance and the different other stakeholders.
Try to establish an overview of requirements, whereby you list per requirement the following characteristics:
- Requirement name
- Short description
- Requirement type
- Internal / organisation requirement
- External / sustainability requirement
- External / Compliance attestation / certification
- External / Regulatory requirement
- External / Ecosystem requirement
- External / Stakeholder requirement
- Scope (Applies this requirement for the entire organisation or only a specific area?)
- Applicability (Is only applicable for specific third-parties, countries, industries, type of contracts etc.)
- Internal contact person (always handy when you have any questions and for the potential involvement in a later stage)
You can use a tool like 3rdRisk.com to create such an inventory easily.
Setting up a TPRM program is complicated, but with a little guidance, you can implement TPRM within your organisation altogether. In the next blog post, we will set up and discuss the third-party catalogue. So keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.
If you have any questions during or afterwards this series, please feel free to e-mail at Bram@3rdRisk.com, and I am more than happy to provide some additional context or information.