How To Quantify and Manage Inherent Risk For Third Parties
At the same time, good third-party relationships offer innumerable opportunities for business growth. They can
reduce time-to-market, make your business more efficient and let you tap into resources across the globe.
However, every new vendor adds risk to an organization. With supply chain attacks at an all-time high, it has never
been more important to conduct the necessary due diligence when onboarding new vendors and suppliers and
continue to manage the risk thereafter.
In this paper, we’ll discuss the initial risks involved when onboarding new vendors, and walk through how to track and
manage inherent risk in a way that boosts your ability to build partnerships that add value to the entire organization.
[Figure: bar chart; y-axis "Number of organizations" (0 to 60), x-axis 20% to 100%]
It is even more complicated to meet the demands of compliance in highly-regulated industries like healthcare, because organizations covered by HIPAA may be held accountable if one of their vendors is in breach of compliance. In this case, every vendor a covered entity does business with must also be HIPAA-compliant by way of a business associate agreement.
• "Sensitive documents for over a hundred manufacturing companies were exposed on a publicly accessible server belonging to a US-based robotics vendor." [5]
Typically, if a vendor's service is critical to the business, then the vendor will automatically be flagged as a critical vendor and no other inherent risk assessment is necessary.
Question to Ask: Is the service essential to the business operations of our company?
Contract Size
Even if the service isn't critical to business operations, the annual contract amount also places a heavy burden on the risk category. Organizations have different thresholds depending on their size and availability of funds. For example, a contract size of $1,000,000 might add to the risk score in a large enterprise. For smaller companies, the value might be $100,000 per year or less.
Question to Ask: How difficult would it be to replace this service with an alternative?
Volume of Records
The number of records a vendor is expected to process, store or transmit also plays a direct role in the level of risk taken. Some organizations mitigate this by using multiple vendors rather than having one handle everything. As with annual contract amount, the optimal threshold can differ between companies. Around 50,000 is a good start for larger enterprises.
Question to Ask: What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this third party?
Apply this same logic to build out scores for all risk levels and then check the math.
Example scorecard 1
  Q: What is the expected annual financial contract amount of the third-party service?
  A: Less Than $500,000 (0 points)
  Q: How difficult would it be to replace this service with an alternative?
  A: Easy (0 points)
  Q: What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?
  A: Less Than 50,000 (1 point)
  Q: As a part of this service, will any of our data be stored in the cloud?
  A: Yes (2 points)
Example scorecard 2
  Q: What is the expected annual financial contract amount of the third-party service?
  A: Less Than $500,000 (0 points)
  Q: How difficult would it be to replace this service with an alternative?
  A: Difficult (2 points)
  Q: What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?
  A: Greater Than 50,000 (2 points)
  Q: As a part of this service, will any of our data be stored in the cloud?
  A: No (0 points)
Example scorecard 3
  Q: What is the expected annual financial contract amount of the third-party service?
  A: Less Than $500,000 (0 points)
  Q: How difficult would it be to replace this service with an alternative?
  A: Difficult (2 points)
  Q: What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?
  A: Greater Than 50,000 (2 points)
  Q: As a part of this service, will any of our data be stored in the cloud?
  A: Yes (2 points)
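The scorecards above, turned into a small scoring routine as an added example (not ProcessUnity's own tooling): it applies the point values the worksheet shows, treats an essential service as an automatic Critical flag as the paper describes, and reports the lowest and highest totals the scale can produce so the tier cut-offs can be checked against it. The points for a contract of $500,000 or more and the tier cut-offs themselves are assumptions, since the page does not state them.

```python
from __future__ import annotations
from dataclasses import dataclass

# Point values taken from the worksheet:
CONTRACT_THRESHOLD_USD = 500_000          # "Less Than $500,000" scores 0
RECORDS_THRESHOLD = 50_000                # "Less Than 50,000" = 1, "Greater Than 50,000" = 2
REPLACE_POINTS = {"easy": 0, "difficult": 2}
RECORDS_POINTS = {"below": 1, "at_or_above": 2}
CLOUD_POINTS = {True: 2, False: 0}
# ASSUMED: the worksheet shows no value for contracts of $500,000 or more.
CONTRACT_POINTS_AT_OR_ABOVE = 2
# ASSUMED tier cut-offs (minimum total -> tier); the paper leaves these to each organization.
TIERS = [(6, "High"), (3, "Medium"), (0, "Low")]


@dataclass
class VendorAnswers:
    essential_to_operations: bool   # the critical-vendor gate question
    annual_contract_usd: float
    replace_difficulty: str         # "Easy" or "Difficult"
    annual_records: int
    stores_data_in_cloud: bool


def score_answers(a: VendorAnswers) -> tuple[int, dict]:
    """Score the four worksheet questions; returns (total, points per question)."""
    pts = {
        "contract": 0 if a.annual_contract_usd < CONTRACT_THRESHOLD_USD else CONTRACT_POINTS_AT_OR_ABOVE,
        "replace": REPLACE_POINTS[a.replace_difficulty.lower()],
        "records": RECORDS_POINTS["below"] if a.annual_records < RECORDS_THRESHOLD else RECORDS_POINTS["at_or_above"],
        "cloud": CLOUD_POINTS[a.stores_data_in_cloud],
    }
    return sum(pts.values()), pts


def inherent_risk(a: VendorAnswers) -> tuple[str, int | None]:
    """An essential service is flagged Critical with no further scoring; the rest are tiered by total."""
    if a.essential_to_operations:
        return "Critical", None
    total, _ = score_answers(a)
    tier = next(name for floor, name in TIERS if total >= floor)
    return tier, total


def score_range() -> tuple[int, int]:
    """'Check the math': the smallest and largest totals the scale can yield."""
    lows = [0, min(REPLACE_POINTS.values()), min(RECORDS_POINTS.values()), min(CLOUD_POINTS.values())]
    highs = [CONTRACT_POINTS_AT_OR_ABOVE, max(REPLACE_POINTS.values()),
             max(RECORDS_POINTS.values()), max(CLOUD_POINTS.values())]
    return sum(lows), sum(highs)
```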
info@processunity.com
978.451.7655
Twitter: @processunity
LinkedIn: ProcessUnity
ProcessUnity
33 Bradford Street
Concord, MA 01742
United States