9 Tips: Best Practices for Third-Party Risk Assessments

Third-party contractors, especially technology vendors, are becoming increasingly integrated into every business function and industry, including core business functions. Outsourcing work makes it possible for businesses to be responsive and agile in a disruptive environment. But third parties also introduce risk, up and down the supply chain.

Third-party risk is unique, and a third-party risk assessment is required to ensure due diligence is met, not just at the time of onboarding but on an ongoing basis. Additionally, new compliance regulations require ongoing documentation to justify renewing the contract relationship.

A risk assessment template is helpful for guiding the audit process. We compiled the following nine-step template from lessons learned while helping customers set up and run successful risk assessment programs.

To produce more effective third-party assessments and streamline the assessment process, it’s helpful to apply the lessons of other organizations. 

Here are nine experience-based ways to stand up a streamlined third-party assessment program. 

  1. Understand your risk appetite: Regulatory bodies usually tell you who to assess and how often. However, determining questions to ask in the assessment is frequently left up to you. How do you decide? How might results impact company policies and procedures? Build and test your third-party assessment program internally using questionnaires that reflect your company’s risk appetite.  
  2. Classify your vendors: Develop a method for classifying vendors to identify third parties that are in-scope and require assessments. This helps ensure you don’t assess third parties unnecessarily or miss assessing third parties that pose a risk to your organization. 
  3. Improve the data collected: Obtaining data is one of the biggest challenges in managing third-party risk, and a high-quality assessment is key. To improve the quality of your questionnaires, start with a widely accepted assessment, like the Standard Information Gathering (SIG) questionnaire from Shared Assessments, and tailor it to your specific business needs and processes. 
  4. Make assessments easier to manage: If you do business with a multitude of third parties, you need a way to make assessments easier to manage. Speed up the assessment process by giving all third parties a low-threshold assessment with a few flagging questions. For every flagged third party, send a higher-level, deep-dive assessment for due diligence on risk. It is an easier and often more thorough process for assessing third parties. 
  5. Pre-populate your assessment world: Assessments are something you do on a continuous basis and often with the same vendors. If your assessment engine pre-populates data, the entity you’re assessing only has to address changes. It’s less work for them and you, and may even improve the response rate. 
  6. Assess for performance, not just risk: With the right platform, you can upload service level agreements (SLAs) and make them part of the assessment process. Compare assessment data to SLAs and then use the analysis to provide feedback to the third party, leverage it in contract renewal, or use it to support switching to another service provider. 
  7. Reassess based on a third party’s expanded offering: When third parties expand the services they provide to your company, their risk profiles change. One of the best ways to address this is to periodically assess third parties for changes and update their risk profiles accordingly. This way, your third-party risk profile is always current. 
  8. Look beyond financial risks with third parties: Most organizations assess third parties to manage financial risk. Sometimes small risks open the door to more serious consequences. Losing revenue can cause problems, but it is recoverable. Losing your reputation may not be. 
  9. Dependency creates a business continuity risk: Any third party can be a business continuity risk. The litmus test: if their service stopped, would it interrupt yours? Maybe it is the provider of IT services or a supplier with a key role in the supply chain. Third parties that you depend on heavily can pose business continuity risks, and a risk assessment is how you identify them. 

Use these nine tips as you roll out or fine-tune your risk assessment program to make it more effective and satisfy requirements.

Download the Third-Party Guide to Risk Management for more details.

View the 9 Tips for Conducting Third-Party Risk Assessments Infographic.
