Page 1 of 4 Crossland Advisors, Inc.
http://crosslandadvisors.com/
610-365-4852
Copyright © 2020
Do You Really Know Your Third-Party Providers?
Almost every organization has at least one if not a multitude of third-party vendors providing
various services or goods that are critical to daily operations. Does your organization know:
• All of the third-party providers being used?
• The services or products being provided?
• Key provider contacts?
• Key organization liaisons for each provider?
• Contractual obligations with each provider?
• Service level agreements for each provider?
• The financial viability of each provider?
• The controls implemented by each provider and the operating effectiveness of those
controls?
• The risks to the organization?
The Definition
The simple definition of a third-party provider is any vendor that is performing a service or
providing a product that could be performed or produced internally if the required resources
were available. Examples would be consultants, contractors, IT services, claims processing, and
other outsourced production or services. Products and services such as office supplies and
utilities are not considered third-party providers.
The Population
While it may seem easy to identify all of the third-party providers being used throughout the
organization, it can be a challenge. Initially, request a list of third-party providers (using the
established definition) from each area of the organization.
To make sure all third-party providers are identified, request a listing of all vendor payments for
the past twelve (12) months from Accounts Payable. Using the established third-party provider
definition, confirm the population of third-party providers being used throughout the
organization.
Filling in the Details
Using the verified population of third-party providers, create a database listing the details for
each, such as:
• Products or services being provided
• Provider contacts
• Assigned organization liaison
• Contract terms
• Service level agreements
• Last risk assessment
• Required provider documentation (e.g. SOC reports, Shared Assessment/SIG, Agreed
Upon Procedures)
• Evaluation frequency
The Risk Assessment
An effective third-party provider management process includes each provider being evaluated
based on a number of key categories. Common risk categories are:
• Operational
• Financial
• Reputational
• Regulatory
• Security and Privacy
• Business Continuity
• Geographic
Each provider should be assigned a risk ranking based on these categories.
A weighted scoring process is typically used to assign a risk ranking. The weighted scoring will
vary based on the type of organization and industry. Smaller organizations may be highly
dependent on third-party providers and therefore may assign more weight to certain risk
categories such as operational and business continuity. Organizations in healthcare and finance
will most likely need to assign more weight to regulatory risk, security and privacy.
The risk ranking should be used to determine the frequency of subsequent evaluations and
required provider documentation (e.g. SOC reports, Shared Assessment/SIG, Agreed Upon
Procedures).
The risk assessment should result in each third-party provider being assigned to a risk tier.
Common risk tiers are:
• Critical
• High
• Medium
• Low
Since the products or services being provided by the third-party are an extension of the
organization, there should be an expectation that the third-party provider will have at least the
same level of controls (operational, financial, reputational, regulatory, security/privacy,
business continuity) as if those products or services were produced or performed internally.
Re-Evaluation Frequency and Procedures
The risk tier assignment from the risk assessment normally determines the re-evaluation
frequency; however, unplanned events could accelerate or delay a re-evaluation. Typical
re-evaluation frequencies are:
• Critical – quarterly or semi-annually
• High – semi-annually or annually
• Medium – annually or every two years
• Low – every two or three years
The re-evaluation process should include:
• Confirming the products or services being provided
• Confirming provider contacts
• Confirming the assigned organization liaison
• Confirming contract terms and service level agreements
• Analyzing financial viability
• Obtaining and reviewing required provider documentation (e.g. SOC reports, Shared
Assessment/SIG, Agreed Upon Procedures)
• Performing a new risk assessment
• Reviewing the controls implemented by each provider and the operating effectiveness
of those controls
New Third-Party Providers
The new third-party evaluation process should be rigorous to make sure the organization is not
taking unnecessary risks; due diligence is crucial. Ideally, the new third-party evaluation process
should be completed before any contractual agreements are executed.
Each new third-party provider should be added to the population database along with all
pertinent information. A risk assessment and all re-evaluation procedures listed above should
be completed as part of the evaluation process and prior to executing any contracts. This
provides the organization with the information needed to make a final decision.
While it may be prudent to use third-party providers, always remember that YOU OWN THE
RISK! Therefore, identifying, understanding and evaluating the third-party provider risks is
critical to the organization.
Related article: Evaluating Service Organization Control Reports
https://www.slideshare.net/JayCrossland/evaluating-service-organization-control-reports-76805927
Crossland Advisors provides IT risk and control services to a number of industries, including:
• Manufacturing
• Pharmaceuticals
• Healthcare
• Financial Services
• Insurance
• Government
• Retail
• Utilities
Our extensive experience allows us to develop real world solutions to complex challenges. We
use a process-focused risk-based approach and are able to relate leading practices and
improvements to understand, anticipate and address a wide variety of information system risk
and process issues.
Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.
