February 1, 2023
What is third-party management?
Third-party management, also known as vendor management, is a business discipline that seeks to monitor and optimize all aspects of a company’s relationships with third parties such as suppliers, vendors, and service providers.
What is a third party?
A third party is any outside entity that a company does business with. It’s an all-encompassing term, and there are likely many different entities that make up an organization’s third-party ecosystem. For the purposes of this blog, we’ll use the following terminology:
- Suppliers: Third parties that offer goods. These are typically raw materials or commodities that your organization will subsequently consume or transform in some way to help make your own products or services. They typically occupy a spot early on in your supply chain.
- Vendors: Third parties that offer products, after manufacturing them or acquiring them from another business. Unlike suppliers, vendors don’t sell raw materials. They’re typically found later in your supply chain. In some cases, organizations refer to technology partners as IT vendors.
- Service Providers: As the name suggests, service providers are third parties that offer services or technologies to your business, rather than products or raw materials.
Whether it’s a one-person cleaning service hired to tidy up your office or a multinational corporation that’s a mission-critical supplier, all third parties contribute in some way to the success of your business operations. In addition, all third parties have some level of access to your company’s systems and intellectual property. For these reasons, all third-party relationships come with inherent risks, which you must proactively monitor and manage.
In a business world defined by increasing specialization, outsourcing to third parties gives companies a quick and cost-effective way to access the supplies and services they need, while freeing themselves to focus on what they do best. Third-party management is quite simply about making sure you get the value you expect from your use of third parties, while also mitigating the risks they pose to your business.
The shift to third-party management
As the security landscape has evolved, organizations have opened themselves to more risk vectors than ever before — and that number will only continue to climb. Traditionally, the corporate vendor ecosystem — the community of third parties a company shares information with — is analyzed under the lens of third-party risk management (TPRM). More recently, the third-party risk community has seen a major shift to emphasizing the criticality of Privacy, Ethics and ESG (environmental, social, and governance), pushing risk and security professionals to reconsider the way these implementations are managed. As a result, a fundamental shift from third-party risk management (which has traditionally focused mostly on security) to broader third-party management (TPM) has begun.
Third-party management extends across business units to truly encompass all the operational risks an organization may encounter as a result of working with third parties. This includes the four pillars of organizational trust:
- Security
- Privacy
- Ethics and compliance
- Environmental, social, and governance (ESG)
Each business has a different organizational structure, which means different teams may be involved with managing the four pillars in different ways.
Many organizations currently manage their third-party relationships in siloed business units, which is not ideal for a number of reasons. For one thing, it places an additional burden on the third parties. If you don’t have a holistic third-party management solution to consolidate data across silos, you’ll likely end up with multiple business units sending questionnaires. In turn, this means the third parties will likely end up answering the same questions multiple times.
This also makes things more confusing and difficult for leaders within your organization. At its most basic level, a third-party management system exists to help you answer one simple question: can I trust this third party? Without holistic visibility across all business units and all four pillars of trust, you won’t have the insights needed to accurately answer that question.
What is the third-party management lifecycle?
Like any other relationship, your company’s relationships with its third parties will go through distinct stages over time. It’s important to have a third-party management strategy that properly accounts for each of the stages, and a software solution to help execute that strategy. The stages of the third-party management lifecycle include:
- Intaking third parties
- Conducting due diligence
- Assessing third parties
- Reviewing and mitigating risks
- Reporting and visualization
- Monitoring third parties
Stage 1: Intaking third parties
When you’re first standing up your new third-party management strategy, you’ll need to create a baseline inventory of all third parties you currently work with. If your organization has manually tracked third parties using spreadsheets, then you may be able to export your records from the spreadsheets directly into your new third-party management software.
In addition, you may be able to integrate your third-party management software with Enterprise Resource Planning (ERP) platforms, contract lifecycle management or procure-to-pay solutions. These integrations provide a quick and easy way to leverage your existing solutions to build out a complete third-party inventory. However, if you’ve taken a more ad hoc approach to recordkeeping, you may need to distribute questionnaires to internal business owners to help manually complete your third-party inventory.
Once your third-party management solution is up and running, you’ll need to continue adding to your inventory anytime your organization onboards a new third party. You can create a portal in your software solution where internal stakeholders can go to create a request for a new third party, which will then automatically kick off the third-party management lifecycle.
At this stage, you’ll want to start classifying your third-party inventory based on inherent risk scoring. This can help you prioritize your approach to focus on your most mission-critical third parties. These are the third parties you’re placing the most trust in, which means they’ll require the most thorough assessment going forward.
Stage 2: Conducting due diligence
Due diligence is like a background check for new third parties. It’s about looking for potential ethical concerns that third parties typically wouldn’t be forthcoming about. For this reason, it relies on checking the third party against compliance data sets to see if any ethical red flags come up.
Things you’re looking for at the due diligence stage include potential involvement with money laundering, links to politically exposed persons, business interests in sanctioned nations, use of child and/or slave labor, or anything else that could show up in adverse media. These ethical concerns would all reflect poorly on your organization and leadership, which is why it’s important to catch them early on in the third-party management lifecycle.
Some third-party management solutions provide built-in risk scoring capabilities, which help automate the due diligence process. High risk scores can help you rule out certain third parties immediately, while intermediate scores can help you flag them for a more detailed assessment.
Stage 3: Assessing third parties
Based on your prioritized third-party inventory and the results of your due diligence, you can create tailored questionnaires for each third party you need to assess. You can’t take a one-size-fits-all approach to third-party assessments, because different questions will be relevant for different third parties. If you ask the same questions of a raw-material supplier as you do of a high-tech service provider, you’re going to end up wasting everyone’s time, and you’re going to get answers that don’t provide any value for your business.
It’s very important to conduct your assessments in a way that makes it as quick and easy as possible for third parties to complete them. Some third-party management solutions can help you apply AI-powered auto-complete capabilities to your assessments, which takes some of the burden off of your third parties and helps you get the responses you need faster.
Stage 4: Reviewing and mitigating risk
Getting answers to your questionnaires may take a significant amount of time, depending on how much information you need to gather and how responsive your third parties are. However, it’s important to remember that just getting responses is only the first part of the assessment. You also need to go through the responses and figure out what they mean in context.
For instance, if a third party indicates they don’t have a particular information security control in place, you may need to interpret how that impacts your organization’s risk exposure. Some third-party management solutions can help you build risk flagging logic into the background of your assessments, where the answers to the questionnaire are automatically interpreted for you. This helps streamline the risk review process. Then, you can feed the results of your assessments into automated risk mitigation workflows, tracking the progress of those workflows over time.
Stage 5: Reporting and visualization
Like any other aspect of your business operations, it’s very important to determine what metrics you’ll use to measure the success of your third-party management strategy. Which metrics you choose to track and visualize will be highly dependent on what your organization’s priorities are. For instance, if your organization views ESG as a top priority, you’ll likely use a dashboard that helps track things like supplier carbon emissions and renewable energy coverage.
In addition, your reporting should always include basic facts and statistics related to your third-party ecosystem. This includes things like total number of vendors and suppliers, number of assessments outstanding, number of assessments in progress, third-party performance as determined by service-level agreements (SLAs), and more.
Finally, you’ll want a third-party management solution that automates record keeping, so that you’ll always have detailed records you can refer back to any time a potential problem arises. This paper trail could be helpful for responding to specific queries from regulators or auditors, or even just addressing concerns from internal stakeholders.
Stage 6: Monitoring third parties
The third-party lifecycle is not a one-time effort, but rather an ongoing business process. Even after third parties have gone through the appropriate onboarding, due diligence, and risk assessment process, you’ll want to conduct regularly scheduled due diligence checks and reassessments to make sure no new issues have emerged.
You’ll also want to perform continuous monitoring for key indicators like performance and contract adherence. You can achieve this by integrating your third-party management solution with SLA monitoring tools. For instance, you could check to make sure a third-party software provider is providing uptime levels that are in line with the SLAs included in their contracts. If they continually fall short of their SLAs, you may choose to end the third-party relationship and begin the off-boarding process.
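One way to implement the automated parts of the lifecycle described above (inherent-risk tiering from Stage 1, background answer-flagging logic from Stage 4, and the SLA uptime check from Stage 6) as an added example; this is not OneTrust's code, and the thresholds, control names, scoring weights and sample third parties are all constructed assumptions:

```python
from dataclasses import dataclass, field

# Hypothetical model of one third-party record; field names are assumptions.
@dataclass
class ThirdParty:
    name: str
    kind: str                        # "supplier", "vendor" or "service provider"
    data_access: str                 # "none", "internal" or "personal"
    answers: dict = field(default_factory=dict)         # questionnaire responses
    monthly_uptime: list = field(default_factory=list)  # percent, oldest first

def inherent_risk_tier(tp):
    """Stage 1: score how much trust is placed in the third party before any
    questionnaire is sent, so the most critical ones get the deepest assessment."""
    score = {"none": 0, "internal": 2, "personal": 4}[tp.data_access]
    if tp.kind == "service provider":
        score += 2  # assumption: service providers usually hold system access
    return "critical" if score >= 5 else "elevated" if score >= 2 else "low"

# Stage 4: flagging rules that run in the background of the assessment. Each
# rule gets the third party and one answer and returns True when that answer
# should raise a risk flag. Control names are constructed placeholders.
FLAG_RULES = {
    "encryption_at_rest": lambda tp, a: a is False and tp.data_access == "personal",
    "mfa_enforced": lambda tp, a: a is False,
    "breach_last_24_months": lambda tp, a: a is True,
}

def flag_answers(tp):
    """Interpret questionnaire answers; an unanswered control is itself a finding."""
    findings = []
    for control, triggers in FLAG_RULES.items():
        if control not in tp.answers:
            findings.append((control, "unanswered"))
        elif triggers(tp, tp.answers[control]):
            findings.append((control, "flagged"))
    return findings

def sla_shortfall(tp, contracted_uptime, months=3):
    """Stage 6: True when each of the last `months` months fell below the uptime
    promised in the contract, the continual shortfall that triggers off-boarding review."""
    recent = tp.monthly_uptime[-months:]
    return len(recent) == months and all(u < contracted_uptime for u in recent)

def review(tp, contracted_uptime):
    """Combine the three checks into the record a mitigation workflow would consume."""
    return {
        "tier": inherent_risk_tier(tp),
        "findings": flag_answers(tp),
        "sla_shortfall": sla_shortfall(tp, contracted_uptime),
    }

if __name__ == "__main__":
    # Constructed sample: a hosting provider that processes personal data.
    hosting = ThirdParty("Example Hosting Co", "service provider", "personal",
                         answers={"encryption_at_rest": False, "mfa_enforced": True},
                         monthly_uptime=[99.95, 99.7, 99.6, 99.5])
    print(review(hosting, contracted_uptime=99.9))
```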
What is security’s role in third-party management?
The roles that different business units play within third-party management are primarily determined by which varieties of risk they’re most concerned with. In the case of the security team, they’ll want to know if any third parties have ever fallen victim to a data breach, and if so, how they responded to that breach. They’ll also want to know what steps third parties are taking to protect themselves against cyberthreats, such as remediation and business continuity strategies for ransomware or distributed denial-of-service attacks.
Ultimately, information security leaders want to know whether they can feel comfortable doing business with a specific third party. To answer that question, they’ll want to know what controls a third party has in place to mitigate cybersecurity risks. In addition, they may want to insert continuity clauses within their contracts for things like cybersecurity insurance or right to audit. This will help the organization be more proactive about mitigating third-party security risks.
What is privacy’s role in third-party management?
There is a clear overlap between the security function and the data privacy function when it comes to third-party management. After all, an organization must protect against data breaches in order to keep sensitive data safe from unauthorized exposure. For this reason, it’s especially important for the security team and the privacy team to share third-party management information across their respective organizational silos.
While the security team will be concerned with protecting all aspects of the company’s intellectual property, the privacy team will focus specifically on how third parties are handling sensitive personal data. As it is heavily regulated, the privacy pillar of your organization will have to be diligent to ensure it has the proper mechanisms in place to protect against the legal and reputational risks that go along with failing to meet regulatory requirements.
For instance, when the Privacy Shield framework protecting transatlantic data movement between the EU and the US was invalidated in 2020, thousands of businesses learned that it was now technically illegal for them to continue working with certain third parties. In order to continue exchanging data with those third parties without creating compliance risks, they had to amend their contracts with each individual third party to provide legal mechanisms that specifically cover intercontinental data transfers.
To protect against regulatory risks like the Privacy Shield example, privacy teams need to know some basic facts about their third-party data management practices:
- Who has access to the company’s personal data?
- Do they have a valid reason to access it?
- Where does the data reside, and will they be moving it?
- What measures do they have in place to protect it, both in transit and at rest?
By answering these questions, the privacy team can understand what regulatory risks they might be facing and take action to help mitigate them.
What is ethics and compliance’s role in third-party management?
The ethics team is involved across the entire third-party management lifecycle and is primarily responsible for screening against all regulatory risk, reputational risk, and any risk of a third party violating your company’s specific policies. These risks are often uncovered during the questionnaire or due diligence process, as mentioned above, or may surface during boots-on-the-ground investigations. Examples include third-party involvement with money laundering, corruption, politically exposed persons, and unethical labor practices. The ethics team will attempt to identify these risks using due diligence screening and monitoring technologies that check third parties against compliance databases.
What is ESG’s role in third-party management?
With businesses increasingly realizing that environmental, social, and governance issues pose a risk both to their reputations and to their ability to continue operating sustainably for years to come, ESG has emerged as the newest area of risk management. Because it is still unregulated in many jurisdictions, it’s still an aspirational goal for many businesses.
While the other pillars of third-party management involve tracking and mitigating downstream risks, ESG is more about pushing third parties in the direction you want to go. For example, if your goal is to become carbon-neutral within a specific timeframe, then you must also encourage your third parties to become carbon-neutral. You can do this by assessing their current emissions and setting emission reduction targets that you expect them to meet.
In addition, ESG is different from other areas of third-party management because it’s more likely to be public facing. Many businesses release annual ESG reports, which they use as an opportunity to share their progress toward their sustainability goals.
What is sourcing and procurement’s role in third-party management?
Sourcing and procurement are closely aligned with the third-party management lifecycle described above, and the work they do is still helpful in identifying risk across each of the four trust pillars.
Any time a mature business needs to find a new vendor, supplier, or service provider, the sourcing department will be responsible for putting together the request for proposal, accepting competitive bids, doing research on the most promising candidates, conducting cost negotiations, and reviewing initial contracts.
After a third party passes through the sourcing phase, it would go to the procurement team, which will be responsible for creating the invoicing process and setting up payment processing. The procurement team will also register the third party in relevant internal systems.
Essentially, sourcing and procurement handle everything that has to happen before a third party can reach the onboarding stage discussed above. Although formal risk assessment and due diligence are not technically within their remit, they know the business and its third-party relationships as well as anybody. This means they may be able to serve as the first line of defense, raising potential red flags before a third party even reaches the onboarding stage.
Additionally, many businesses are moving toward a Source-to-Pay program model where employees can drive intelligent spending and decision making through a Third-Party Management software toolset to speed time to market. This would give those employees and their departments the opportunity and responsibility to individually vet that third party’s risk level without having to wait for a separate line of business to conduct the same tasks.
About OneTrust Third-Party Management
OneTrust Third-Party Management enables greater risk visibility when managing third parties across the four critical trust domains: security, privacy, ethics, and ESG. The solution provides access to an array of functionalities, each built with automation and time-savings in mind. The solution includes Third-Party Due Diligence for entity screening, Third-Party Risk Management for risk mitigation and lifecycle management, and Supplier Sustainability and Responsibility for ESG target tracking.
Additionally, the solution offers out-of-the-box risk data on thousands of third parties through the Third-Party Risk Exchange, which features information from SecurityScorecard, RiskRecon, ISS Corporate Solutions (formerly FICO), and other sources. Together, these capabilities make it easier to confidently work with third parties by reducing blind spots across risk domains, simplifying compliance, enabling greater time to value when onboarding and assessing third parties, and enhancing business resilience with ongoing monitoring, all while surfacing data for faster decision-making throughout the third-party lifecycle.
To learn more about how OneTrust Third-Party Management can help you understand and address risk across your business, request a one-on-one demo today.