The primary objective of a third-party risk assessment is to validate that the vendor or service provider has adequate controls in place relative to the organization's risk posture. A third-party risk assessment (also known as a supplier risk assessment) identifies and quantifies the risks associated with third-party vendors and suppliers that provide products or services to your organization [1]. It applies to both new and ongoing supplier relationships. The growing threat of supply chain attacks makes thorough and regular assessment of third parties essential, because a weakness in a supplier's software, credentials, or network connectivity is inherited by every organization that trusts that supplier.

A third-party risk assessment helps you identify, measure, and mitigate the risks that third parties pose to your organization, such as data breaches, cyberattacks, compliance violations, operational disruptions, reputational damage, and financial losses. It also helps you align your third-party risk management (TPRM) program with your organization's risk appetite, policies, standards, and procedures. A third-party risk assessment typically involves the following steps [1]:
Scoping: Define the scope of the assessment based on the type, nature, and criticality of the third-party relationship (for example, whether the vendor handles sensitive data, has network access, or supports a critical business process). Determine the relevant risk domains, such as security, privacy, compliance, and business continuity.
Data collection: Gather information from the third party using methods such as questionnaires, surveys, interviews, audits, technical tests, or reviews of evidence (for example, audit reports, penetration test summaries, or certifications).
Analysis: Analyze the collected data against your organization's risk criteria, benchmarks, and industry best practices. Identify gaps, weaknesses, or issues in the third party's controls, processes, or performance, and rate each finding by likelihood and impact so it can be prioritized.
Reporting: Document the findings and recommendations of the assessment in a clear and concise report. Communicate the results to the relevant stakeholders, such as senior management, business owners, or regulators.
Remediation: Follow up with the third party to ensure that they implement the necessary actions to address the identified risks. Monitor and track the progress and effectiveness of the remediation plan.
Review: Review and update the assessment periodically or whenever there are significant changes in the third party relationship, the risk environment, or the regulatory requirements.
The other options describe related or secondary objectives, not the primary objective of a third-party risk assessment. Assessing the appropriateness of non-disclosure agreements covering the organization's systems and data is a legal objective that belongs to contract negotiation or review. Determining the scope of the business relationship is a strategic objective that belongs to vendor selection or due diligence. Evaluating the risk posture of all vendors and service providers in the vendor inventory is a holistic objective that belongs to the broader vendor risk management or governance process, of which individual assessments are one input. References:
[1] Third-Party Risk Assessment: A Practical Guide - BlueVoyant
[2] What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
[3] What is Third-Party Risk Management? | Blog | OneTrust