Contract catalogue
The contract catalogue The contract catalogue is a central repository on the 3rdRisk platform, fully integrated with the third-party catalogue. With this module, you can easily register all your third-party contracts in one centralised place. Per the contract, you can segment them on different risk profiles, get notifications on nearing end-dates, assign ownership and keep track of risk & compliance events during a contract lifecycle.
Concept
One solution
Within the 3rdRisk platform, you can manage all your third-party contracts in one module. You no longer need a separate vendor risk/GRC solution for that.
The following graphic provides a conceptual overview of the integrated 3rdRisk third-party management module, which consists of:
- Third-party catalogue
- Contract catalogue
This module is closely integrated with the other platform modules:
High-level concept of the 3rdRisk third-party management module
1. Identify
After identifying and adding the initial third parties to your third-party catalogue, you need to identify their contracts. Per third-party, you can have different contracts with a completely different service/product delivery type.
In most organisations, the procurement department has the most reliable and complete overview of all third-party contracts. Although their overview does not commonly contain all contracts, it will give you a good head start for the initial input. You can also reach out to the involved stakeholders (third-party manager, business owner, risk officer) identified in the third-party catalogue.
2 & 3. Register and associate contracts
After you have (partly) identified the related contracts, you can easily register them in the 3rdRisk platform.
Within the contract catalogue, you can:
- Associate any contract to a known third party in your third-party catalogue
- Register contract term dates
- Determine applicable internal & external compliance requirements
- Assign a contract risk profile
- Link internal stakeholders
Scope
Contract scope
The organisation model is also used to define the scope of a contract within your organisation.
In the example, we have vendor #1 with two contracts (data centre services & workplace management) and a completely different scope within the organisation. With the organisation model integrated into the contract catalogue, you can make those distinctions in 3rdRisk.
Contract stakeholders
The platform will, by default, provide the stakeholders that are known on the third-party level, but you can easily change these contact persons as they might differ per contract. You can fill in the following stakeholders:
- Contract manager *
- Business owner
- Risk officer *
Both the contract manager and risk officer are required roles. These roles are necessary for different assessment-, risk- and incident workflows.
Contract risk profile
Once you have established a (complete) inventory of the different contracts, you can segment them by risk level. Effective segmentation will help you determine how to utilize your third-party risk management activities strategically.
The screening process to define the risk profile needs to be well-defined and should provide input on the criticality of the third-party relationship. You can include the type of contract, dependency, accessibility of sensitive information, critical VPN/remote network access, compliance requirements, business continuity, spend size and legal as factors on which a contract can be assessed.
Rules-based risk profile
The platform comes with a simple system of critical-, high-, medium-, and low-risk categories, which is already helpful for most organisations. You can also follow a score-based approach whereby you conduct due diligence across different dimensions and use the results to develop a composite risk score. Although very thorough, this approach can be complex and resource-intensive for many organisations. With the rules-based approach, you identify specific rules or criteria for each segment, thereby streamlining the process of assigning contracts to risk categories. This approach is about 50-60 per cent faster than the score-based one.
Requirements
Requirements and contracts
The platform will automatically inform you when a contract might be in the scope of one or more requirements, as the organisation model is fully integrated into the contract catalogue.
The platform will automatically list the applicable requirements from the requirements module. You to easily deselect the ones that are not applicable.
4. Monitor & respond
IMPORTANT: Assessments are based on contracts.
Unlike some of our competitors, you perform assessments within 3rdRisk on one or more contracts of a third party, not a third party itself. The reasoning is that there can be a significant difference between one or more contacts, including different risk profiles, applicable (local) requirements and involved internal & external contact persons. Whereby you can include multiple, or even all, contracts in one assessment.
During the lifecycle of a third party, you can monitor the third parties in scope by:
- Performing periodic due-diligence assessments. As the number of contracts increases over time, one of the best strategies is to conduct due diligence based on the associated risk profiles and applicable compliance requirements.
- Monitor and act on evolving risks.
- Monitor and act on incidents that may have an impact on the organisation.
5. Reporting
The platform provides advanced and dynamic dashboard- & reporting capabilities which will provide you with continuous and real-time insights into your ecosystem/supply chain.
Add a contract
To add a new contract to the platform:
- Navigate to: Left side menu: Third parties - Contracts
- Click on the [+ Add contract] button
- Provide contact details:
| Field | Explanation |
| Contract Name * | Name of the contract |
| Third-party * | Select the associated third-party from your third-party catalogue. Add the third party first. You first must register the third party before adding a contract. |
| Location within the organisation * | With your organisation model, you define the scope of this contract:
Organisation location field The provided organisation location options are retrieved from the third-party record. If you are missing the correct location, please update the third-party record with this location ( Location within the organisation field). You can select one or multiple active (green coloured) elements/nodes in your organisation model. To deselect, select the element again. |
| Description | Free-format text box to provide some additional context of this contract |
| Internal identifier | Optional field to record the internal contract identifier from, e.g. SAP or your procurement system. 3rdRisk is not a complete replacement for your procurement system We understand procurement is a different ball game and expertise, so we must integrate instead of replacing existing procurement platforms. This is also one of the reasons we do not provide functionalities like storing all legal and contractual documents, offering version management, providing SLA reporting and digital signing workflow options. |
| Start date | The start date of the contract |
| End date * | The end date of the contract. 90 days prior to the end date, the system will inform you about it. |
| Risk profile * | Assign a risk profile to this contract (critical / high / medium / low) Some questions you can take into consideration for defining the risk profile criteria 1. Will their inability to deliver majorly impact your organisation? 2. Is critical data being shared? 3. Do they have connectivity to your systems/networks? 4. Do they have an essential role in your production process? 5. Are they involved in a highly regulated/compliance-driven process? 6. Are there certain local risks present, e.g. child labour? |
| Contract manager * | Select the colleague that is responsible for the contract within your organisation. The platform will, by default, set the third-party manager registered in the third-party catalogue (third-party manager field). You can easily change this if needed. Only users with the role of third-party manager are listed. |
| Business owner | Select the colleague that is responsible for the business relationship with this organisation. The platform will, by default, provide the business owner (if filled in) registered in the third-party catalogue (Business owner field). You can easily change this if needed. Only users with the roles of Business manager and/or leadership are listed. |
| Risk officer * | Select the responsible risk officer for this organisation. The platform will, by default, set the risk officer registered in the third-party catalogue (Business owner field). You can easily change this if needed. Only users with risk officer and/or risk manager roles are listed. |
| Relevant requirements | The platform will automatically list the relevant requirements that might apply to this contract due to its location within the organisation. You can easily deselect any requirements if a contract is not in the scope of a specific requirement due to,e.g. its type of service or product. |
| Tags | You can use the tags-functionality to assign your own specific/internal labels to a contract record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all contracts that work with privacy-related data, you can add a tag named “PII” to these records. At a later stage, you can quickly contact all third parties that work with privacy-related data and send out specific assessments. Use the tab key on your keyboard to add multiple tags. |
Required field *
4. Click [Add contract] to add the contract to your catalogue.
Update a contract
To update a third party on the platform:
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract you would like to update
- Click on the sub-menu in the 'Actions column' and click 'Edit contract'
- Update the third-party record and click on [Edit contract].
Remove a contract (deactivate)
You cannot remove but only deactivate a contract in your catalogue for archiving and linking purposes.
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract you would like to deactivate
- Click on the sub-menu in the 'Actions column' and click on the [Edit contract].
- Click on the red-coloured 'recycle bin'.
View audit log
Data integrity is critical for your contract catalogue; that is why the third-party management module comes with a protected audit log that registers all mutations in your contract catalogue; it records:
- Timestamp
- Data adjustment (old value and new value)
- The user account that was used for this update
None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
To view the audit log of a change in your contract catalogue:
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract
- Click on the sub-menu in the 'Actions column' and click 'View audit log.'
Known module limitations
- It is currently impossible to do a mass upload and/or have an API integration with your CRM or existing procurement tooling. On the roadmap, we have a generic API that will facilitate this. Contact Support@3rdRisk.com to discuss mass upload and integration options.is a central repository on the 3rdRisk platform, fully integrated with the third-party catalogue. With this module, you can easily register all your third-party contracts in one centralised place. Per the contract, you can segment them on different risk profiles, get notifications on nearing end-dates, assign ownership and keep track of risk & compliance events during a contract lifecycle.
Concept
One solution
Within the 3rdRisk platform, you can manage all your third-party contracts in one module. You no longer need a separate vendor risk/GRC solution for that.
The following graphic provides a conceptual overview of the integrated 3rdRisk third-party management module, which consists of:
- Third-party catalogue
- Contract catalogue
This module is closely integrated with the other platform modules:
High-level concept of the 3rdRisk third-party management module
1. Identify
After identifying and adding the initial third parties to your third-party catalogue, you need to identify their contracts. Per third-party, you can have different contracts with a completely different service/product delivery type.
In most organisations, the procurement department has the most reliable and complete overview of all third-party contracts. Although their overview does not commonly contain all contracts, it will give you a good head start for the initial input. You can also reach out to the involved stakeholders (third-party manager, business owner, risk officer) identified in the third-party catalogue.
2 & 3. Register and associate contracts
After you have (partly) identified the related contracts, you can easily register them in the 3rdRisk platform.
Within the contract catalogue, you can:
- Associate any contract to a known third party in your third-party catalogue
- Register contract term dates
- Determine applicable internal & external compliance requirements
- Assign a contract risk profile
- Link internal stakeholders
Scope
Contract scope
The organisation model is also used to define the scope of a contract within your organisation.
In the example, we have vendor #1 with two contracts (data centre services & workplace management) and a completely different scope within the organisation. With the organisation model integrated into the contract catalogue, you can make those distinctions in 3rdRisk.
Contract stakeholders
The platform will, by default, provide the stakeholders that are known on the third-party level, but you can easily change these contact persons as they might differ per contract. You can fill in the following stakeholders:
- Contract manager *
- Business owner
- Risk officer *
Both the contract manager and risk officer are required roles. These roles are necessary for different assessment-, risk- and incident workflows.
Contract risk profile
Once you have established a (complete) inventory of the different contracts, you can segment them by risk level. Effective segmentation will help you determine how to utilize your third-party risk management activities strategically.
The screening process to define the risk profile needs to be well-defined and should provide input on the criticality of the third-party relationship. You can include the type of contract, dependency, accessibility of sensitive information, critical VPN/remote network access, compliance requirements, business continuity, spend size and legal as factors on which a contract can be assessed.
Rules-based risk profile
The platform comes with a simple system of critical-, high-, medium-, and low-risk categories, which is already helpful for most organisations. You can also follow a score-based approach whereby you conduct due diligence across different dimensions and use the results to develop a composite risk score. Although very thorough, this approach can be complex and resource-intensive for many organisations. With the rules-based approach, you identify specific rules or criteria for each segment, thereby streamlining the process of assigning contracts to risk categories. This approach is about 50-60 per cent faster than the score-based one.
Requirements
Requirements and contracts
The platform will automatically inform you when a contract might be in the scope of one or more requirements, as the organisation model is fully integrated into the contract catalogue.
The platform will automatically list the applicable requirements from the requirements module. You to easily deselect the ones that are not applicable.
4. Monitor & respond
IMPORTANT: Assessments are based on contracts.
Unlike some of our competitors, you perform assessments within 3rdRisk on one or more contracts of a third party, not a third party itself. The reasoning is that there can be a significant difference between one or more contacts, including different risk profiles, applicable (local) requirements and involved internal & external contact persons. Whereby you can include multiple, or even all, contracts in one assessment.
During the lifecycle of a third party, you can monitor the third parties in scope by:
- Performing periodic due-diligence assessments. As the number of contracts increases over time, one of the best strategies is to conduct due diligence based on the associated risk profiles and applicable compliance requirements.
- Monitor and act on evolving risks.
- Monitor and act on incidents that may have an impact on the organisation.
5. Reporting
The platform provides advanced and dynamic dashboard- & reporting capabilities which will provide you with continuous and real-time insights into your ecosystem/supply chain.
Add a contract
To add a new contract to the platform:
- Navigate to: Left side menu: Third parties - Contracts
- Click on the [+ Add contract] button
- Provide contact details:
| Field | Explanation |
| Contract Name * | Name of the contract |
| Third-party * | Select the associated third-party from your third-party catalogue. Add the third party first. You first must register the third party before adding a contract. |
| Location within the organisation * | With your organisation model, you define the scope of this contract:
Organisation location field The provided organisation location options are retrieved from the third-party record. If you are missing the correct location, please update the third-party record with this location ( Location within the organisation field). You can select one or multiple active (green coloured) elements/nodes in your organisation model. To deselect, select the element again. |
| Description | Free-format text box to provide some additional context of this contract |
| Internal identifier | Optional field to record the internal contract identifier from, e.g. SAP or your procurement system. 3rdRisk is not a complete replacement for your procurement system We understand procurement is a different ball game and expertise, so we must integrate instead of replacing existing procurement platforms. This is also one of the reasons we do not provide functionalities like storing all legal and contractual documents, offering version management, providing SLA reporting and digital signing workflow options. |
| Start date | The start date of the contract |
| End date * | The end date of the contract. 90 days prior to the end date, the system will inform you about it. |
| Risk profile * | Assign a risk profile to this contract (critical / high / medium / low) Some questions you can take into consideration for defining the risk profile criteria 1. Will their inability to deliver majorly impact your organisation? 2. Is critical data being shared? 3. Do they have connectivity to your systems/networks? 4. Do they have an essential role in your production process? 5. Are they involved in a highly regulated/compliance-driven process? 6. Are there certain local risks present, e.g. child labour? |
| Contract manager * | Select the colleague that is responsible for the contract within your organisation. The platform will, by default, set the third-party manager registered in the third-party catalogue (third-party manager field). You can easily change this if needed. Only users with the role of third-party manager are listed. |
| Business owner | Select the colleague that is responsible for the business relationship with this organisation. The platform will, by default, provide the business owner (if filled in) registered in the third-party catalogue (Business owner field). You can easily change this if needed. Only users with the roles of Business manager and/or leadership are listed. |
| Risk officer * | Select the responsible risk officer for this organisation. The platform will, by default, set the risk officer registered in the third-party catalogue (Business owner field). You can easily change this if needed. Only users with risk officer and/or risk manager roles are listed. |
| Relevant requirements | The platform will automatically list the relevant requirements that might apply to this contract due to its location within the organisation. You can easily deselect any requirements if a contract is not in the scope of a specific requirement due to,e.g. its type of service or product. |
| Tags | You can use the tags-functionality to assign your own specific/internal labels to a contract record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all contracts that work with privacy-related data, you can add a tag named “PII” to these records. At a later stage, you can quickly contact all third parties that work with privacy-related data and send out specific assessments. Use the tab key on your keyboard to add multiple tags. |
Required field *
4. Click [Add contract] to add the contract to your catalogue.
Update a contract
To update a third party on the platform:
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract you would like to update
- Click on the sub-menu in the 'Actions column' and click 'Edit contract'
- Update the third-party record and click on [Edit contract].
Remove a contract (deactivate)
You cannot remove but only deactivate a contract in your catalogue for archiving and linking purposes.
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract you would like to deactivate
- Click on the sub-menu in the 'Actions column' and click on the [Edit contract].
- Click on the red-coloured 'recycle bin'.
View audit log
Data integrity is critical for your contract catalogue; that is why the third-party management module comes with a protected audit log that registers all mutations in your contract catalogue; it records:
- Timestamp
- Data adjustment (old value and new value)
- The user account that was used for this update
None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
To view the audit log of a change in your contract catalogue:
- Navigate to: Left side menu: Third parties - Contracts
- Search for the applicable contract
- Click on the sub-menu in the 'Actions column' and click 'View audit log.'
Known module limitations
- It is currently impossible to do a mass upload and/or have an API integration with your CRM or existing procurement tooling. On the roadmap, we have a generic API that will facilitate this. Contact Support@3rdRisk.com to discuss mass upload and integration options.