9 Tips for Conducting Third-Party Risk Assessments
Risk assessment templates are nice, but they’re better as a starting point than a be-all and end-all questionnaire. Here are some surefire tips for conducting a more effective and thorough third-party risk assessment.

Understand your risk appetite

Regulatory bodies usually tell you who to assess and how often. However, determining questions to ask in the assessment is frequently left up to you. How do you decide? How might results impact company policies and procedures? Build and test your third-party assessment program internally using questionnaires that reflect your company’s risk appetite.

Classify your vendors

Develop a method for classifying vendors to identify third parties that are in-scope and require assessments. This helps ensure you don’t assess third parties unnecessarily or miss assessing third parties that pose a risk to your organization.

Improve the data collected

Obtaining data is one of the biggest challenges in managing third-party risk, and a high-quality assessment is key. To improve the quality of your questionnaires, start with a widely accepted assessment, like the Standard Information Gathering (SIG) questionnaire from Shared Assessments, and tailor it to your specific business needs and processes.

Make assessments easier to manage

If you do business with a multitude of third parties, you need a way to make assessments easier to manage. Speed up the assessment process by giving all third parties a low-threshold screening assessment with a few flagging questions. For every third party that is flagged, send a higher-level, deep-dive assessment for due diligence on risk. It’s an easier and often more thorough process for assessing third parties.

Pre-populate your assessment world

Assessments are something you do on a continuous basis and often with the same vendors. If your assessment engine pre-populates data, the entity you’re assessing only has to address changes. It’s less work for them and you, and may even improve the response rate.

Assess for performance, not just risk

With the right platform, you can upload service level agreements (SLAs) and make them part of the assessment process. Compare assessment data to SLAs and then use the analysis to provide feedback to the third party, leverage it in contract renewal, or use it to support switching to another service provider.

Reassess based on a third party’s expanded offering

When third parties expand their services to your company, it changes their risk profiles. One of the best ways to address this is to periodically assess third parties for changes and update risk profiles accordingly. This way, your third-party risk profile is always current.

Look beyond financial risks with third parties

Most organizations assess third parties to manage financial risk. There are other risks to be concerned about, like service interruptions and upset customers. Sometimes small risks open the door to more serious consequences. Losing revenue can cause problems, but it is recoverable. Losing your reputation may not be.

Dependency creates a business continuity risk

Any third party can be a business continuity risk. The litmus test: if their service stopped, would yours be interrupted? Maybe it’s the provider of IT services or a supplier with a key role in the supply chain. Third parties that you depend on heavily can pose business continuity risks, and a risk assessment is how you identify them.

LockPath assists companies with third-party risk management as part of an integrated risk management program in the Keylight Platform. Contact us to learn more.
