Starting with third-party risk management (4): How to segment your third parties?

A 6-step approach is used whereby every step will be an explanatory blog post:

1. Capability setup
2. Requirements overview
3. Third-party catalogue
4. Segmentation (this blog post)
5. Due diligence assessments
6. Risk monitoring & follow-up

In the previous blog post, we have created a third-party- and contract catalogue for our new TPRM capability. In this new blog post, we will discuss the importance and implementation of a segmentation strategy.

Third-party segmentation

Not all your third-parties carry the same amount of risk or compliance requirements. With segmentation, you can prioritise your TPRM efforts and decide how a third-party should be managed from a risk perspective. You can do this by assigning risk profile to your third-party engagements. This is especially useful when the number of third parties is large, growing and compliance requirements are demanding.

Methodology

Scope

Existing and new engagements

We will apply this process to both your existing third-party population as well as new future engagements. When you have assessed all your third-parties at the end of this blog post, it is advised to use the model to segment new third-parties during the contractual phase.

Third-party- / contract level

You can segment on both the third-party as contract level. The contract level is more granular and allows you to distinguish the different kind of contracts that third-parties have with your organisation. You might want to assign risk profiles on a contract level when you have to comply with strict compliance requirements or contracts of your third-parties really differ. This allows you to monitor the most critical contracts and differentiate on compliance requirements. My advice is to have a look at your contract catalogue and discuss this level with the procurement department. If you have a lot of third-parties with multiple and different contracts, then I would advise you to do both, if not just start with the third-party level.

Design

When the level is clear, it is time to define a segmentation process to determine a risk profile. This process needs to be well-defined, repeatable (try to leave out any subjectivity, your colleague should get the same result) and allows you to segment your third-party relationships.

The goal is to get up to a dozen questions (preferably a handful) that help you to determine the risk profile. There is not a best-practice questionnaire template to do this, as it differs per organisation and TPRM scope. To give some guidance on how to create a segmentation questionnaire that is tailored to your organisation:

1. Start with the identified requirements in the second step and the involved stakeholders in your scope.

2. Create the segments that you want to use, e.g:

• Low
• Medium
• High
• Critical

Try to limit the number of segment levels (3-4), especially when just start.

3. Identify the criteria that you will use for segmentation. Have a look at your scope and requirements to identify these. As input you can use:

• The type of business
• Your dependency on critical processes/activities
• Accessibility of sensitive information
• Critical VPN/remote network access
• Compliance requirements
• Business continuity
• Spend size
• Sustainability goals
• Replaceability

4. If you have identified the criteria, you can define a list of closed questions. You want to use closed questions as that will make it easier (and repeatable) to calculate a risk score or define rules (more about that in step 6).

Some examples of questions:

• Is the third-party service related to an area of regulatory scrutiny or requirements?
• Does the third party have access to client, employee or other sensitive data?
• Does this third-party service support a critical business process or critical function?
• Does this third-party store data in the cloud?
• What is the contract size?
• Is this third-party located outside the European Union?
• Does the third-party interact with your clients?

Advice is to keep it limited. So do not create an exhaustive list of dozens of questions. The goal is to assign an initial risk profile and not to perform a complete due diligence assessment (we will do that in a later stage).

5. Define the response options.

6. Decide if you take a score-based approach or a rules-based approach:

Score-based approach

With a score-based approach, you conduct due diligence across different dimensions and use the results to develop a composite risk score.

Although very thorough, this approach can be cumbersome and resource-intensive for many organisations.

Rules-based approach

With the rules-based approach, you identify specific rules or criteria for each segment and thereby streamline the process of assigning third-parties to risk categories.

This rules-based approach is about 50-60 per cent faster than the score-based one.

6. Setup a table whereby you list the questions (rows) and assign answers to the different segments (columns).

Add weight factors on the answer- and question-level if you go for the score-based approach. Define the formula to calculate the risk composite score and add thresholds for the different levels. E.g. a third-party gets a medium risk profile when it scores between 12-20.

It is pretty straightforward if you use the rules-based approach; if you take for e.g. the question: Does this third-party service support a critical business process or critical function? and you placed the answer 'yes' to the critical segment, then all third-parties that support a critical business process or critical function get a critical risk profile automatically.

7. Reach out to the relevant Business owners and Third-party managers to (collaboratively) fill-in the segmentation questionnaire and record the risk profile.

8. Implement the segmentation within the contractual process of new third-parties.

Responsibility

It is important to note that a centralised (to-be) TPRM team can execute the segmentation activities, but the business is still accountable for final segmentation. So you should definitely also involve the business owners that you identified in the previous step.

In the next blog post, I will dive into due diligence assessments and show you how you can confidently assess your third-parties and get actionable results.

You can use a technology solution like 3rdRisk to segment both your third-parties as contracts easily.

Next steps

Setting up a TPRM program can sometimes be complicated, but with a little guidance, you can implement TPRM within your organisation altogether. In the next blog post, we will set up and discuss the third-party catalogue. So keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.

Further reading

Starting with third-party risk management (5): How to send due diligence assessments?