As the third party risk management field continues to evolve, a growing number of practitioners are seeking guidance on how best to categorize the complex third party relationships they encounter throughout their organizations. Before a practitioner can properly identify and reduce third party risk, they must first define their third party population and determine which of those relationships fall within the scope of the program.
Defining Your Population
When tasked with defining the population, third party risk professionals should first decide which terms give the best coverage for their specific organization. Commonly used classifications such as supplier, contractor, and vendor each describe a particular kind of relationship, which may be adequate for certain populations. Because each term is narrow, however, practitioners are often unable to cover the entire population with these specialized labels. Relationships that do not fit the traditional supplier-vendor pattern (e.g., charities or affiliates) likewise call for a more inclusive definition.
When terms such as supplier, contractor, and vendor do not fit the whole population, practitioners generally fall back on the expression "third party." Unlike the narrower classifications used in the risk management space, this term acts as an inclusive umbrella that covers a diverse range of relationships.
Third party risk practitioners may also find it worthwhile to identify the business owners of each third party relationship, at both the executive and the operational level, to establish where responsibility for the risk should sit. When an organization has an expansive relationship with a single third party, with multiple engagements across the firm, it is crucial to know who owns the overall relationship and how the associated risks are apportioned among the engagements. Every organization should take its own population into account when settling on a definition.
Determining Your Scope
In risk management, scope refers to which parts of an organization's control environment fall under the authority of its third party risk management program. Many organizations set distinct criteria for each category of third party; those criteria determine whether a given subset of the population is inside or outside the program's scope.
A primary criterion that many organizations use to decide whether a relationship is in scope is whether the organization will share data with the third party, or whether the third party will host technology on the organization's behalf. Physical presence at the organization's sites is a further common criterion. Conversely, a third party that does not have physical access to the organization's sites, does not have access to its data, and does not host technology for it would likely be considered out of scope for the majority of third party risk management assessments.
In addition, many companies treat contractors and contingent workers, along with other non-employees, as out of scope for third party risk management activities. With contractors in particular, organizations frequently struggle to set a standard that states whether the related risk is a human resources, information security, or third party risk management responsibility. One effective way to resolve this is for the third party risk management program to treat the staffing organization that supplies the contractors as the third party, rather than attempting to manage the risk of every individual worker from the ground up. Instead of focusing on the workforce delivered under the arrangement, the organization assesses the risk presented by the arrangement itself. This also gives the organization a better position from which to require the controls it needs, since those requirements can be placed on the staffing firm through the relationship.
Defining your third party population is what makes it possible to understand the risks each relationship carries and the impact those risks would have on your organization. It also allows you to manage and monitor your third parties using a risk-based approach. If you apply the same risk management treatment to every third party, you overstate the impact of your low-risk relationships and spread resources thinly, leaving less time to focus on the relationships that carry the higher risks. Once a risk is understood, you must act to mitigate it, and that is only feasible when effort is concentrated where it matters. Defining your population and the scope of your program ensures that the picture of third party risk more accurately reflects its real impact on your organization, and that you can monitor that risk effectively.