Third-party management (TPM) enhances visibility across a company’s relationships with external entities like suppliers, vendors, and service providers. This practice aims to optimize value and mitigate risks associated with third parties.

In order to understand what comprehensive third-party management looks like, it’s important to understand where it begins and how it encompasses your entire business. 

Key figures in TPM:

• Suppliers: Provide raw materials or commodities early in the supply chain
• Vendors: Offer products or services later in the supply chain, sometimes including technology partners.
• Service Providers: Deliver services or technologies rather than products or raw materials.

All third parties have access to company systems and intellectual property, necessitating proactive risk management.

Learn more about the third-party management lifecycle with this downloadable ebook.

Evolution of third-party Risk Management:

• Expanding from risk management to comprehensive management: Traditional third-party risk management (TPRM) focused primarily on security. The field now emphasizes privacy, ethics, and operational resilience, including emerging risks like AI. This shift towards broader third-party management (TPM) integrates multiple business functions to address operational risks comprehensively.

What is the third-party management lifecycle?

Like any other relationship, your company’s relationships with its third parties will go through distinct stages over time. It’s important to have a third-party management strategy that properly accounts for each of the stages, and a software solution to help execute that strategy. The stages of the third-party management lifecycle include: 

1. Intake Third Parties: Create and maintain a comprehensive inventory of third parties using software integrations or questionnaires.
2. Define Risk Appetite: Align risk tolerance with organizational goals, involving key stakeholders to set thresholds for acceptable risk levels. Communicate these boundaries clearly to third parties.
3. Calculate Inherent Risk: Assess risks related to third parties based on factors like industry, location, and performance. Compare inherent risks to your organization’s risk appetite to decide if additional controls are needed.
4. Assessment Stages:
   • Screen Risk and Compliance Data: Utilize external data to identify red flags and ethical concerns. Due diligence checks are crucial for spotting potential issues such as regulatory violations or unethical practices
   • Evaluate Certifications and Attestations: Review third-party certifications (e.g., ISO 27001) to verify compliance with industry standards and security practices
   • Send Dynamic Questionnaires: Customize questionnaires to address specific risks and gather detailed information to assess alignment with your risk appetite
5. Risk Treatment and Control: Analyze questionnaire responses to interpret risk implications and implement appropriate controls. Integrate risk management with contracting to tailor protections based on identified risks
6. Monitor, Respond, and Re-assess: Continuously monitor third-party activities and reassess risks as relationships evolve. Implement alerts and regular reviews to address emerging risks and changes in third-party engagement
7. Report and Record: Track and visualize key metrics related to third-party management. Maintain automated records for transparency and compliance

Roles and responsibilities for different business units

The roles that different business units play within third-party management are primarily determined by which varieties of risk they’re most concerned with. In the case of the security team, for example, they’ll want to know if any third parties have ever fallen victim to a data breach, and if so, how they responded to that breach.

Each business unit is going to have their own needs for third parties, which means they’ll also need a defined role and responsibility system that secures their organization within the company.  

Roles of Key Business Units:

• Security: Focuses on cybersecurity risks associated with third parties, including breach history and protection measures. Ensures third parties have adequate security controls and compliance with continuity requirements

• Privacy: Manages risks related to data protection and regulatory compliance, particularly concerning sensitive personal data. Coordinates with security to protect data and ensure legal compliance

• Ethics and Compliance: Screens for regulatory and reputational risks, including unethical practices and policy violations. Utilizes due diligence and monitoring tools to identify potential issues

• Sourcing and Procurement: Handles vendor selection, competitive bidding, and contract negotiation. Plays a key role in the initial vetting of third parties and managing the onboarding process

The road ahead

Effective third-party management involves understanding and managing the lifecycle of relationships with external entities. It requires coordination across various business units to address risks related to security, privacy, ethics, and compliance. By systematically managing these relationships and integrating risk management processes, organizations can optimize value and safeguard against potential threats.

About OneTrust Third-Party Management 

OneTrust Third-Party Management enables greater risk visibility when managing third parties across the enterprise. The solution provides access to an array of functionalities, each built with automation and time-savings in mind. The solution includes Third-Party Due Diligence for entity screening, Third-Party Risk Management for risk mitigation and lifecycle management. Additionally, the solution offers out-of-the-box risk data on thousands of third parties through the Third-Party Risk Exchange, which features information from SecurityScorecard, RiskRecon, ISS Corporate Solutions (formerly FICO), and other sources. 

Together, these capabilities make it easier to confidently work with third parties by reducing blind spots across risk domains, simplifying compliance, enabling greater time to value when onboarding and assessing third parties, and enhancing business resilience with ongoing monitoring, all while surfacing data for faster decision-making throughout the third-party lifecycle. 

To learn more about how OneTrust Third-Party Management can help you understand and address risk across your business, request a one-on-one demo today.