Bert Kondruss, KonBriefing Research, Germany
What practices should a GRC tool cover? What requirements should it fulfill? Here we look at the management of third parties, also known as third party management or vendor management, and its implementation in software for governance, risk management and compliance (GRC).

What is Third Party Management in the context of GRC?

Definition

In the context of GRC, third party management (TPM) refers to the systematic management and monitoring of external business partners throughout the entire life cycle of the collaboration. Business partners can be, for example, service providers, suppliers, consultants or outsourcing partners. The aim is to minimize risks, meet regulatory requirements and ensure the integrity of business relationships.

Important use cases

GRC software should support the following use cases with regard to TPM.

Vendor onboarding

New third parties are onboarded via structured onboarding processes. These include
  • Verification of corporate identity and integrity (e.g. KYC, anti-corruption checks)
  • Assessment of financial stability
  • Obtaining and evaluating certificates, e.g. information security, data protection standards
  • Contract management including GRC-relevant contractual clauses (e.g. obligation to report security incidents or changes of ownership, and the customer's reserved right to respond to such events, for instance by audit or termination)

Third Party Risk Management (TPRM)

Identification, assessment and management of risks arising from third parties (third-party risk management, vendor risk management)
  • Risk analysis before concluding a contract (e.g. IT, data protection, reputation or supply chain risks)
  • Categorization and classification of risks according to criticality
  • Definition of control measures and escalation mechanisms
  • Integration of relevant GRC functions (e.g. legal, data protection, information security)

Ongoing monitoring and reassessment

Monitoring of third parties over the entire life cycle:
  • Continuous assessment of risk exposure through e.g. audits, self-assessments or external monitoring services
  • Updating the risk classification in the event of changes (e.g. change of ownership, security incidents)
  • Review of contract compliance and key performance indicators (KPIs, SLAs)
  • Integration of early warning systems and reporting functions

Vendor offboarding

Structured process for terminating cooperation with a supplier.
  • Evaluation of the effects (e.g. loss of know-how, contractual disputes)
  • Transfer to successor
  • Communication to internal and, if applicable, external stakeholders
  • Data return and deletion
  • Deactivation of user accounts and withdrawal of access rights

A third-party management program as a framework

Overview

A third-party management program (TPM program) is a structured, company-wide framework for the systematic management and monitoring of third parties - i.e. external business partners such as suppliers, service providers, consultants, sales partners or outsourcing providers. It ensures that all risks associated with these relationships are identified, assessed, managed and monitored - in line with governance, risk and compliance (GRC) requirements.
Objectives of a TPM program
  • Ensuring compliance with internal guidelines and external laws (e.g. GDPR, German Supply Chain Act / LkSG)
  • Avoidance or minimization of operational, financial, legal and reputational risks
  • Transparency and traceability in dealings with third parties
  • Strengthening accountability, control and trust in business relationships

Typical components of a third party management program

Governance structure
  • Guidelines, responsibilities and escalation channels
  • Integration into existing GRC or procurement processes
Third Party Lifecycle Management
  • Pre-engagement due diligence: Review before signing a contract
  • Onboarding: Identity verification, contract design, risk assessment
  • Monitoring: Ongoing monitoring of risks, performance and compliance
  • Offboarding: Secure termination of the business relationship (e.g. data deletion)
Risk management
  • Risk classification (e.g. by business area, region, access to data)
  • Action planning and implementation of controls
  • Early warning systems and escalation mechanisms
Continuous monitoring
  • Internal audits, self-assessments, certificate checks
  • External tools (e.g. sanctions lists, reputation checks)
  • Reassessments at regular intervals
Training and awareness
  • Raising awareness among internal stakeholders (e.g. purchasing, IT, specialist departments)
  • Training for third parties on compliance requirements
Documentation and reporting
  • Traceable documentation of all activities
  • KPI/SLA monitoring and reporting for management and supervision

Related topics

  • Supply chain diligence (e.g. German LkSG)
  • Information security management (e.g. ISO 27001)
  • Data protection management for third parties (e.g. DP contracts)
  • AI Governance
  • ESG and sustainability risks in the supply chain
  • Integrity and anti-corruption programs
A good TPM program is risk-based, scalable and technology-driven. It ensures that third parties do not jeopardize the company's values and standards or expose it to risks beyond its risk appetite.

AI in Third-Party Management / TPRM

How can artificial intelligence support third-party management? Some examples of use cases:
  • The AI analyzes the supplier's contracts, policies, and certificates and identifies missing or critical content.
  • Supporting suppliers/business partners in entering their data into a portal: In addition to uploading documents, third parties are usually expected to answer structured questions. The AI analyzes the uploaded documents and pre-fills answers to the structured questions from them.
  • Analysis of uploaded policies and comparison with answers to structured questions: Are there any discrepancies?
  • Extraction of metadata from uploaded unstructured documents.
  • Risk assessment: AI generates initial risk scores based on location, industry, financial indicators, or cyber exposure.

Standards

There are a number of internationally recognized standards, frameworks and guidelines that companies can use as a basis or orientation for the implementation of effective third party management. These define processes, control mechanisms and governance structures along the entire life cycle of third parties, from selection to offboarding.
General GRC and risk management standards
  • ISO 31000 Risk Management: Basic framework for company-wide risk management, also applicable to third-party risks in selection, contract design and monitoring.
  • COSO ERM: Enterprise Risk Management Framework of the Committee of Sponsoring Organizations. Third-party risks as a field of application for the principles of COSO ERM.
Information security
  • ISO/IEC 27001: Information security management system (ISMS)
  • ISO/IEC 27036: Information security for supplier relationships, in four parts:
    Part 1: Overview and concepts
    Part 2: Requirements
    Part 3: Guidelines for hardware, software, and services supply chain security (the 2013 edition was titled Guidelines for information and communication technology supply chain security)
    Part 4: Guidelines for security of cloud services
  • NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Compliance, integrity and due diligence
  • ISO 37301 Compliance Management Systems. Describes how a company also ensures compliance with third parties. Requires control mechanisms, risk analyses and continuous monitoring
  • ISO 37001 Anti-Bribery Management: Guideline for the prevention of corruption - incl. due diligence on third parties. Commitment to integrity checks and standards of conduct
Supply chains, sustainability and ESG
  • OECD Guidelines for Multinational Enterprises on Responsible Business Conduct. Due diligence obligations towards third parties with regard to human rights, the environment and corruption. Basis for many ESG and supply chain rules
  • SA8000: Social standards for suppliers
  • ISO 20400: Sustainable procurement
  • GRI: Sustainability reporting incl. third-party risks
  • EU CSRD / ESRS
Financial sector-specific frameworks
  • EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02): Requirements for credit institutions, investment firms and payment institutions in the EU
  • FINMA Circular 2018/3 Outsourcing (CH): Swiss requirements for outsourcing by banks and insurers, with specific requirements for TPRM: risk analysis, documentation, auditability
  • DORA (EU Digital Operational Resilience Act, Regulation (EU) 2022/2554): Applicable since 17 January 2025; covers, among other things, the management of ICT third-party risk, including cloud providers, for financial entities
Practical additions
  • SIG Questionnaire (Shared Assessments): Standard questionnaire for TPRM
  • Open Compliance and Ethics Group (OCEG): GRC Capability Model. Links TPRM with governance and compliance
  • CIS Controls (Center for Internet Security): Control 15 of version 8, Service Provider Management, contains the TPRM-relevant safeguards (inventory, classification, contractual requirements, assessment, monitoring and secure decommissioning of service providers, in particular those with access to data)
These standards help to establish a more structured, traceable and audit-proof third-party management system that meets both legal requirements and internal GRC objectives.
Third-party risk management in a GRC software

Requirements for a GRC tool with regard to third-party risk management

What requirements can be placed on GRC software specifically for third-party management? What criteria should be set in a tender or RFI / RFP? Here are some suggestions. The list must be adapted to the circumstances of your own organization. Good software does not necessarily have to meet all the criteria and, conversely, software that meets all the criteria is not necessarily the best for an organization's or company's situation.
Basic data
  • A list of service providers / suppliers / business partners can be kept
  • Suppliers / partners / service providers can be classified
  • There is a contract management system
Vendor onboarding
  • Possibility to register new suppliers
  • Initial assessment of the risk, e.g. based on industry, location, services
  • Configurable questionnaires, e.g. on compliance, information security, data protection
  • Workflows for onboarding approvals
Third party risk management
  • Possibility to carry out and document risk analyses
  • Risk assessment according to predefined scoring models
  • Assignment and tracking of risk-based measures or requirements
  • Categorization and classification of third parties according to risk and criticality classes
  • Integration of external risk data sources, e.g. sanctions lists, country and industry reports
  • Preparation of risk reports
Ongoing monitoring and reassessments
  • Reminder and escalation functions for regular reassessments at defined intervals
  • Dynamic adjustment of the risk classification based on incidents or audit results
  • Version history of risk assessments and of the actions taken, so that earlier classifications remain traceable
  • Tracking of contract terms and relevant deadlines
  • Regular dispatch and evaluation of updated questionnaires or self-disclosures
  • Notification of changes in company structure, ownership or risk indicators
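The scoring, classification, event-driven reclassification, historization and reassessment reminders listed under "Third party risk management" and "Ongoing monitoring and reassessments" can be made concrete in a few dozen lines. The following is an added example, not code from the page's author or from any GRC product. The factor tables, weights, tier boundaries, reassessment intervals and the sample third party are all constructed assumptions; a real scoring model is defined by the organization's TPRM policy.

```python
"""Risk scoring, criticality tiers and reassessment triggers for third parties.

Added example, not code from the page's author or any GRC product. The
factor tables, weights, tier boundaries and intervals are constructed
assumptions; a real scoring model is defined by the organization's policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed factor tables (assumptions). Points are added per factor.
COUNTRY_POINTS = {"DE": 0, "FR": 0, "US": 1, "IN": 2, "BY": 4}
INDUSTRY_POINTS = {"cloud_hosting": 3, "software_dev": 2, "consulting": 1, "facility": 0}
DATA_ACCESS_POINTS = {"none": 0, "internal": 1, "confidential": 2, "personal_data": 3}
CERTIFICATE_CREDIT = {"ISO27001": -1, "SOC2_TYPE2": -1}  # credit only while valid
INCIDENT_POINTS = 2            # per security incident within the look-back window
INCIDENT_LOOKBACK_DAYS = 365

# (lower bound inclusive, tier); the first matching bound from the top wins.
TIERS = [(6, "high"), (3, "medium"), (0, "low")]
REASSESS_DAYS = {"low": 730, "medium": 365, "high": 180}


@dataclass
class ThirdParty:
    name: str
    country: str
    industry: str
    data_access: str
    certificates: dict[str, date] = field(default_factory=dict)  # name -> expiry date
    incidents: list[date] = field(default_factory=list)
    sanctions_hit: bool = False
    history: list[dict] = field(default_factory=list)  # historized assessments


def compute_score(tp: ThirdParty, as_of: date) -> int:
    """Weighted sum of the risk factors as of a given date.

    Fails closed: a country or industry missing from the tables gets the
    highest points of that table. Expired certificates earn no credit.
    """
    points = COUNTRY_POINTS.get(tp.country, max(COUNTRY_POINTS.values()))
    points += INDUSTRY_POINTS.get(tp.industry, max(INDUSTRY_POINTS.values()))
    points += DATA_ACCESS_POINTS[tp.data_access]
    for cert, expiry in tp.certificates.items():
        if cert in CERTIFICATE_CREDIT and expiry >= as_of:
            points += CERTIFICATE_CREDIT[cert]
    window_start = as_of - timedelta(days=INCIDENT_LOOKBACK_DAYS)
    points += INCIDENT_POINTS * sum(1 for d in tp.incidents if window_start <= d <= as_of)
    return max(points, 0)


def tier_for(score: int, sanctions_hit: bool) -> str:
    """Map a score to a criticality tier; a sanctions-list hit overrides the score."""
    if sanctions_hit:
        return "blocked"
    for lower_bound, tier in TIERS:
        if score >= lower_bound:
            return tier
    return "low"


def assess(tp: ThirdParty, as_of: date, reason: str) -> dict:
    """Run an assessment, historize it and schedule the next reassessment."""
    score = compute_score(tp, as_of)
    tier = tier_for(score, tp.sanctions_hit)
    next_due = None if tier == "blocked" else as_of + timedelta(days=REASSESS_DAYS[tier])
    record = {"date": as_of, "reason": reason, "score": score, "tier": tier, "next_due": next_due}
    tp.history.append(record)  # earlier classifications stay traceable
    return record


def record_incident(tp: ThirdParty, when: date) -> dict:
    """Event-driven reclassification: a security incident re-runs the assessment at once."""
    tp.incidents.append(when)
    return assess(tp, when, "security incident")


def due_for_reassessment(parties: list[ThirdParty], today: date) -> list[str]:
    """Names of third parties whose periodic reassessment is overdue or never done."""
    due = []
    for tp in parties:
        if not tp.history:
            due.append(tp.name)
            continue
        last = tp.history[-1]
        if last["next_due"] is not None and last["next_due"] <= today:
            due.append(tp.name)
    return due


if __name__ == "__main__":
    # Constructed sample third party (assumption, not a real company).
    host = ThirdParty("Example Hosting GmbH", "DE", "cloud_hosting", "personal_data",
                      certificates={"ISO27001": date(2026, 3, 31)})
    print(assess(host, date(2025, 1, 15), "onboarding"))      # score 5, tier medium
    print(record_incident(host, date(2025, 6, 1)))            # score 7, tier high
    print(due_for_reassessment([host], date(2026, 1, 1)))     # ['Example Hosting GmbH']
```

Two design choices matter more than the specific numbers: the model fails closed (an unrated country or industry is scored as the riskiest entry, and an expired certificate earns nothing), and a sanctions hit is not just a high score but a separate "blocked" state with no reassessment date, so that it cannot be averaged away by favourable factors.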
Mapping of a third-party management program
  • Framework for defining and managing a company-wide TPM program with roles, responsibilities and processes
  • Central overview of all third parties including risk profile, status and associated documents
  • Linking with other GRC functions, e.g. compliance, audit, BCM or data protection
  • Reporting function for program status, KPI tracking and risk trends
  • Governance functionalities, e.g. approval processes, tamper-evident (audit-proof) record keeping, audit trails
  • Support for regulatory requirements
Due diligence obligations in supply chains
  • Abstract and concrete risk analysis with regard to human rights and environmental risks
  • Appropriateness assessment and prioritization
  • Definition and documentation of prevention measures, e.g. training, contractual clauses, codes of conduct
  • Evaluation of the effectiveness of the measures
  • Templates for supplier agreements and compliance conditions
  • Complaints management system
  • Documentation and escalation of complaints, tips or violations
  • Management of remedial measures
  • Key figures
  • Preparation of reports in accordance with the appropriate regulations
  • Connection of external sources, e.g. risk databases
Risk management at banks and financial service providers
  • The software fulfills the requirements of banking supervision with regard to outsourcing (e.g. the EBA Guidelines on outsourcing arrangements)
  • The software fulfills the requirements of other financial supervisory regulations on the risk management of outsourcing arrangements
  • The software meets the requirements of the Digital Operational Resilience Act (DORA - European Union)
Only the criteria specifically for third-party management are listed here. In addition, numerous other general criteria apply, for example to the system environment, integration, etc.
