Monitoring third-party elements
You can monitor third-party elements through scalable scoring models, relationship analysis, and due diligence workflow integration by using the Third-party Risk Management application. Monitoring third-party elements and leveraging that information can help with conducting more informed risk assessments as part of your third-party risk program.
Third-party elements overview
Third-party elements (TP elements) are the external organizations that an engagement relies on to provide goods, services, or support. These organizations can include the suppliers, contractors, facilities, individuals, or any other external organization that can access the engagement's systems, data, or facilities. Each third‑party element is linked to a single third party. Third‑party elements can be associated with multiple engagements for the same third party but cannot be shared or reused across different third parties.
Let's look at some TP element class and risk examples:
- Datacenter: A facility or location where an engagement or third party outsources the storage, processing, and management of their data and IT infrastructure. A datacenter could potentially experience a data breach, downtime, or compliance violation that exposes their engagements to unexpected risk. This example would be classified as a Facility TP element.
- Manufacturing facility: A facility or location where an engagement or third party outsources the production or assembly of their products. A manufacturing facility could potentially experience a supply chain disruption, a counterfeit part, or regulatory compliance issue that exposes their engagements to unexpected risk. This example would be classified as a Facility TP element.
- Beneficial owner: An individual who owns or controls an organization that is involved in a business relationship or transaction. These individuals may not be the registered or legal owners of the organization but have significant influence or control over its operations, decision-making, or financial affairs. This example would be classified as a Principal TP element.
The following infographic shows the TP element collection process.
For more information on Third-party (TP) elements and examples of their associated controls and potential risks, see Terminology.
Collecting and reviewing third-party elements
Collecting and reviewing third-party elements is optional. You can start this process after your due diligence request has completed the Inherent Risk Questionnaire (IRQ) process if you either have the Third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_assessor] role and are the due diligence request owner, or have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role.
- In the Vendor Management Workspace, if TP elements are needed, the Third-party risk (TPR) manager or due diligence request owner selects Start collection and a collection task is created.
- The TPR manager or owner opens the external assessment for collecting elements and adds the relevant TP element collection questionnaires.
- The TPR manager or owner reviews and approves the questionnaires and they’re sent to the engagement. For more information on assessments, see Assessing your third-party risk.
- In Vendor Management Workspace, the TPR manager or owner opens the questionnaires and verifies that all the required information was provided.
- The TPR manager or owner then navigates to the list of TP elements and manually creates a TP element record for each set of responses in each questionnaire.
- After all TP elements are created, the TPR manager or owner closes the collection task assessment. The system changes the state of the request from Collection in progress to Collection in review.
- The internal stakeholders (TPR assessor, TPR approver, TPR manager, or TPR administrator) review and approve the element records.
Adding third-party elements to engagements
After the TP elements are reviewed and approved by the TPR manager and internal stakeholders in Vendor Management Workspace, the TPR manager or owner opens the engagement and manually adds the reviewed and approved TP elements to the Engagement elements tab of the engagement for that third party. For more information, see Add a third-party element record to an engagement. After you add all TP elements to an engagement, you can start the due diligence process. During the due diligence process, you must select and assign a questionnaire as part of an external assessment for each TP element that you created. The third-party contact completes the TP element questionnaires. For more information, see Assessing your third-party risk.
Third-party element scoring
You can categorize each TP element into one of the following types: Facility, Product, Principal, or Other. This classification helps you with organizing the assessment criteria and subsequent scoring. Scoring on a TP element is determined by averaging the risk ratings from its associated third-party risk assessments. If you conduct multiple assessments for the same TP element, the system counts only the most recent assessment for each engagement and ignores older or duplicate assessments of that engagement. This process helps to ensure that the TP element's risk rating reflects the most current evaluation. For example, if a TP element has a latest assessment of very high in one engagement and very low in another, the average of these two ratings leads to an overall risk of moderate.
After an element is assessed and a risk rating is determined, this rating is first aggregated into a component score that is based on its classification, such as Facility. For example, all Facility-type elements are aggregated into a single component score, which contributes to the overall score of the engagement. The engagement score is then compiled by aggregating the scores from all relevant component scores within that engagement. If multiple assessments or TP elements are within an engagement, each is scored individually and then combined to form the overall engagement score. The engagement score is then rolled up to the third-party level by aggregating the scores from all the engagements that are associated with a particular third party. The aggregation at this level could be based on different rules, such as averaging, taking the minimum, or maximum scores, depending on the scoring rules set within the system. This rolled-up score represents the overall risk or performance score of the third party and reflects all the engagements and elements that are associated with it.
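The roll-up described in this section (latest assessment per engagement, average per element, component score per classification, engagement score, and a selectable rule for the third-party level) is easy to get wrong when you reconcile reports against the application, so here is a small working model of it. This is an added example written for this page, not ServiceNow code, and the Third-party Risk Management application does not expose this logic. Everything numeric is an assumption: ratings are mapped to the ordinal scale very low=1 through very high=5, an element's contribution to an engagement is its latest assessment for that engagement, averages are rounded back to the nearest rating for display, and the element, engagement and third-party names are constructed sample data.

```python
"""Toy model of the TP element -> component -> engagement -> third-party roll-up.

Added example only (not ServiceNow code). Assumptions, none of which come
from the product documentation: ratings map to very low=1 .. very high=5,
an element contributes its latest assessment for a given engagement to that
engagement, and the third-party roll-up rule is one of average/min/max.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

RATINGS = ("very low", "low", "moderate", "high", "very high")   # scores 1..5
ROLLUP_RULES = {"average": mean, "min": min, "max": max}


def rating_to_score(rating: str) -> int:
    return RATINGS.index(rating.lower()) + 1


def score_to_rating(score: float) -> str:
    """Round an averaged score back to the nearest rating label (clamped to 1..5)."""
    idx = min(max(round(score), 1), len(RATINGS))
    return RATINGS[idx - 1]


@dataclass(frozen=True)
class Element:
    name: str
    third_party: str
    classification: str          # Facility, Product, Principal or Other


@dataclass(frozen=True)
class Assessment:
    element: str
    engagement: str
    completed: date
    rating: str


def latest_per_engagement(assessments, element: str) -> dict:
    """Keep only the most recent completed assessment of the element per
    engagement, so re-assessments and duplicates do not skew the average."""
    latest = {}
    for a in assessments:
        if a.element != element:
            continue
        current = latest.get(a.engagement)
        if current is None or a.completed > current.completed:
            latest[a.engagement] = a
    return latest


def element_score(assessments, element: str):
    """Element score: average of its latest rating in each engagement."""
    latest = latest_per_engagement(assessments, element)
    if not latest:
        return None                      # never assessed: no score
    return mean(rating_to_score(a.rating) for a in latest.values())


def engagement_score(elements, assessments, engagement: str):
    """Average each classification into a component score, then average the
    component scores into the engagement score. Returns (score, components)."""
    buckets = {}
    for el in elements:
        a = latest_per_engagement(assessments, el.name).get(engagement)
        if a is None:
            continue
        buckets.setdefault(el.classification, []).append(rating_to_score(a.rating))
    if not buckets:
        return None, {}
    components = {cls: mean(scores) for cls, scores in buckets.items()}
    return mean(components.values()), components


def third_party_score(elements, assessments, third_party: str, rule: str = "average"):
    """Roll engagement scores up to the third party with the chosen rule."""
    owned = {el.name for el in elements if el.third_party == third_party}
    engagements = sorted({a.engagement for a in assessments if a.element in owned})
    scores = [s for s in (engagement_score(elements, assessments, g)[0] for g in engagements)
              if s is not None]
    return ROLLUP_RULES[rule](scores) if scores else None


# Constructed sample data (hypothetical names, not from the page).
ELEMENTS = [
    Element("EU datacenter", "Acme Hosting", "Facility"),
    Element("Backup appliance", "Acme Hosting", "Product"),
    Element("Courier depot", "Fast Freight", "Facility"),
]
ASSESSMENTS = [
    Assessment("EU datacenter", "ENG-1", date(2023, 5, 1), "high"),        # superseded
    Assessment("EU datacenter", "ENG-1", date(2024, 2, 1), "very high"),   # latest for ENG-1
    Assessment("EU datacenter", "ENG-2", date(2024, 1, 15), "very low"),
    Assessment("Backup appliance", "ENG-1", date(2024, 3, 3), "low"),
    Assessment("Courier depot", "ENG-9", date(2024, 4, 9), "high"),
]

if __name__ == "__main__":
    s = element_score(ASSESSMENTS, "EU datacenter")
    print("EU datacenter:", s, score_to_rating(s))            # 3 moderate
    print("ENG-1:", engagement_score(ELEMENTS, ASSESSMENTS, "ENG-1"))
    for rule in ROLLUP_RULES:
        print("Acme Hosting", rule, third_party_score(ELEMENTS, ASSESSMENTS, "Acme Hosting", rule))
```

Running the sample reproduces the page's worked case: the datacenter's 2023 "high" assessment for ENG-1 is ignored because a 2024 assessment of the same engagement exists, so the element averages very high and very low to moderate. Note how much the roll-up rule matters at the third-party level: the same two engagements give Acme Hosting 2.25 under averaging, 1 under min and 3.5 under max, so check which rule your instance is configured with before comparing third parties.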