New Delhi | Gurugram | Bangalore
info@afinterio.com

Third Party Risk Assessment

Afinterio - Aligning Business with IT


What is Third Party Risk Assessment?

A third party risk assessment is an attempt to quantify the risk associated with a third party vendor that will be providing a product or service to your organization. Sometimes referred to as vendor risk assessments, these are designed to assist you with analyzing new and ongoing vendor relationships. You always want to gauge the level of risk posed to your organization both by the third party vendor providing the product or service and by the product or service itself.

A third party risk assessment evaluates all of the considerations in outsourcing a particular product or service to a third party. You must fully understand the risks associated with these outsourcing decisions. Every outsourced third party relationship comes with additional risk. It is inevitable.

The SOC 1 standard requires that service organizations implement and describe their vendor management practices for third-party service organizations.

Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship.

A third party is typically a company that provides an auxiliary product not supplied by the primary manufacturer to the end user (the two principals). Countless third-party add-on and plug-in products keep the technology industry advancing at a rapid pace.

A service organization is an entity that provides services to a user organization, and those services form part of the user organization's information system.

A user organization is an entity that has engaged a service organization and whose financial statements are being audited.

Why is third party risk management important?

Third parties engaged to enable your mission-critical services can increase your business exposures. Heightened regulatory expectations require you to continuously monitor and manage your third party risk and performance.

Third Party Risk Assessment

Types of Risks that need to be addressed:

  • Reputational risk—Whether a third party provider deals directly with customers or offers a service that can indirectly impact customers, it’s your reputation on the line if the third party drops the ball.
  • Operational risk—When a third party provider is integrated into internal processes, such as through the use of a cloud-based, customer relationship management solution, it increases operational complexity and risk.
  • Transactional risk—From insufficient capacity that prevents transactions from being completed to security lapses that lead to unauthorized access and misuse of data, transaction risk is one of the most commonly encountered, and most highly publicized, risks a financial institution faces.
  • Credit risk—While credit risk is most frequently considered in terms of a third party’s own financial condition, credit risk also stems from the use of third parties for loan origination, underwriting, or business solicitation.
  • Compliance risk—As more laws, rules, and regulations are put into place to protect consumers, the level of compliance risk also increases. Non-compliance due to lapses by a third party provider does not indemnify a financial organization against penalties.
  • Strategic risk—Arises if a third party provider fails to meet the terms of a contract or to deliver the expected return on investment.
  • Country risk—Whenever a financial institution engages a third-party provider based in a foreign country, it is exposed to the potential economic, social and political conditions of the provider's location.
  • Legal risk—The activities of a third party provider can expose a financial institution to legal expenses and possible lawsuits.

Vendor Management Best Practices

  1. Develop a plan. Make sure that clear roles and responsibilities have been established within your organization regarding who will obtain documents from vendors, monitor vendor performance, etc.
  2. Perform due diligence. An example of this is determining if your vendors are audited or assessed by an outside party.
  3. Pull Reports. Identify reports that you should be receiving from vendors to monitor their performance on a periodic basis.
  4. Keep monitoring. Good vendor management requires ongoing monitoring procedures to make sure that the vendor continues to meet expectations.
  5. Review risk. Consider what types of data are accessible to your third parties, what types of transactions they perform, etc., to determine the risk associated with each vendor.
  6. Be resilient. Know what you would do if the vendor terminated its relationship with you, or if you found it necessary to terminate your relationship with the vendor.

Vendor Management Recommendations

  • Communicate: Hold regular discussions with subservice organizations to ensure that you are aware of changes in the environment, and make regular visits when possible to gain a better understanding of operations.
  • Monitor: Monitoring can include reviewing and reconciling output reports, testing controls at the subservice organization by members of the service organization's internal audit function, or monitoring external communications, such as customer complaints, that are relevant to the services provided by the subservice organization.
  • Review: Review existing audit and assessment reports, such as Type 1 or Type 2 SOC reports on the subservice organization’s system.

Our third-party risk assessment services include:

  • Program assessment, evaluating current programs to identify gaps and provide recommendations for improvement while also evaluating current program maturity levels.
  • Program development, with services to assist in building new third-party risk assessment programs or refining existing programs.
  • Discovery and categorization services, helping clients begin to identify and classify all the various third-party relationships and identifying which vendors pose the greatest risk.
  • Security risk assessment services, determining whether vendors meet industry and corporate security standards through assessment options that range from remote, questionnaire-based assessments to on-site, in-depth assessments aligned either to your current methodology or to a methodology developed together with our team.
