Published January 15, 2020 • By Thea Garcia

A third-party risk assessment is an analysis of vendor risk posed by an organization’s third-party relationships along the entire supply chain, including vendors, service providers, and suppliers. Risks to be considered include security risk, business continuity risk, privacy risk, and reputational risk.

Third-party risk assessments are a crucial part of every third-party risk management (TPRM) program. They may be conducted in-house or by an independent safety or cybersecurity professional.

Not every entity with whom your organization does business will need to undergo the complete third-party risk management process. Some may not have access to your systems, networks, or sensitive information, and may be deemed to pose little or no risk to your business or its information security.

Determining the extent and nature of the risk that each of your third-party relationships poses to your business is the main purpose of a third-party risk assessment.

The assessor will probably use a risk management framework from the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST) to analyze your third-party risk management program.

They may consult your third-party management policy for insights into how you determine and manage vendor risk. They will also scrutinize the third-party self-assessment questionnaires you should have sent before signing contracts, and every year thereafter, throughout the third-party-relationship lifecycle.

Steps in the third-party risk assessment process include:

  • Identifying potential risks posed by all your third-party relationships
  • Classifying vendors according to their access to your systems, networks, and data
  • Reviewing service level agreements (SLAs) to ensure that vendors perform as expected
  • Determining compliance requirements for your organization, including which regulations and standards they and you must meet
  • Assessing risk for individual vendors according to their importance to your organization, the sensitivity of the information each handles, and their access to your digital network
  • Querying vendors with risk management questionnaires
  • Auditing select vendors according to their answers to the questionnaire, possibly with on-site visits
  • Continuously monitoring for changes in their environment and yours, as well as changes in regulations and industry standards

Automation can greatly simplify the tasks of assessing and managing third-party risks.