Third-party catalogue

With the increasing dependence on third parties, every organisation should have a complete and consolidated overview of the parties they engage with.

The 3rdRisk third-party catalogue is a central repository that you can use to register all your third parties quickly. Per third-party, you can register different contracts, segment them on different risk profiles, assign ownership, and keep track of risk & compliance events during the time that you do business with them.

Concept

One solution
With the 3rdRisk platform, you can manage all your third parties in one module. You no longer need a separate risk/GRC solution for that.

The following graphic provides a conceptual overview of the integrated 3rdRisk third-party management module, which consists of:

  • Third-party catalogue
  • Contract catalogue

This module is tightly integrated with the other platform modules:

High-level concept of the 3rdRisk third-party management module

1. Identify

First, you need to identify the different third parties within your organisation. A third party can be a:

  • Supplier
  • Service provider
  • Business Partner
  • Joint-venture
  • Alliance
  • Distributor
  • Reseller
  • Agent
  • Contractor
  • ...

In most organisations, the procurement department has the most reliable and complete overview of third parties. Although their overview does not commonly contain all third parties, it will give you a good head start for the initial input.

Start simple
Although most organisations have thousands of third parties, start with a limited set and first get a complete understanding of the platform. A good practice is to start with your 10-20 most critical third parties. You can always add and update the number of third parties at a later stage.

2. Register

After you have (partly) identified all your third parties, you can easily register them in the 3rdRisk platform.

Within the third-party catalogue, you can:

  • Search for already registered and known organisations on the platform
  • Leverage the Dutch Chamber of Commerce API to search for official organisations in the commercial register
  • Add ALL your third-parties

Address details
Generic address details are saved in the third-party record. If you have selected a known third-party on the platform (1.) or from the KvK (2.), the system will provide these details and keep them up to date automatically.

Contact details
The contact details are essential for the assessment module; in this section, you can specify a specific e-mail address for sending 3rdRisk assessments to the third party. This can be, e.g. the mailbox of a security team, account management or legal.

E-mail for 3rdRisk assessments
For efficiency reasons, it is advisable to ask the third party upfront which e-mail address they prefer for receiving 3rdRisk assessments.

Scope
Third-party scope

The organisation model is also used to define the scope of a third party within your organisation.

Third-party risk profile
Once you have established a (complete) inventory of the various third parties, you can segment them by risk level. An effective segmentation will help you determine how to utilise your third-party risk management activities strategically.

The screening process to define the risk profile needs to be well-defined and should provide input on the criticality of the third-party relationship. You can include the type of business, dependency, accessibility of sensitive information, critical VPN/remote network access, compliance requirements, business continuity, spend size and legal as factors on which a third party can be assessed.

Rules-based risk profile
The platform comes with a simple system of critical-, high-, medium-, and low-risk categories, which is already helpful for most organisations. You can also follow a score-based approach whereby you conduct due diligence across different dimensions and use the results to develop a composite risk score. Although very thorough, this approach can be cumbersome and resource-intensive for many organisations. With the rules-based approach, you identify specific rules or criteria for each segment and thereby streamline the process of assigning suppliers to risk categories. This approach is about 50-60 per cent faster than the score-based one.

3. Associated contracts

Within the contract module, you can easily register and associate one or more contracts to a third-party record.

IMPORTANT: Assessments are based on contracts.

Unlike with some of our competitors, within 3rdRisk you perform assessments on one or more contracts of a third party, not on the third party itself. The reasoning for this is that there can be a significant difference between agreements, including different risk profiles, applicable (local) requirements and involved internal & external contact persons. But you can still assess all contracts of one third party with one assessment.

4. Monitor & respond

During the lifecycle of a third party, you can monitor the third parties in scope by:

  • Performing periodic due-diligence evaluations. As the number of third parties increases over time, one of the best strategies is to conduct due diligence based on the associated risk profiles and applicable compliance requirements.
  • Monitoring and acting on evolving risks
  • Monitoring and acting on incidents that may have an impact on the organisation

5. Reporting

The platform provides advanced and dynamic dashboard- & reporting capabilities which will give you continuous and real-time insights into your third-party landscape.

Add a third-party

To add a new third party to the platform:

  1. Navigate to: Left side menu: Third parties - Catalogue
  2. Click on the [+ Add third-party] button
  3. Provide third-party details:
Field | The organisation is known on 3rdRisk platform | The organisation is registered at the KvK | Explanation
Name * | X | X

Name of the third party.

The platform will initially search the 3rdRisk platform and the Dutch Chamber of Commerce (KvK) for known organisations:

 

Search for organisation

 

If the organisation is already known:

On the 3rdRisk platform: organisations are listed with the green 3rdRisk logo - in the above example: 3rdRisk Solutions B.V.

On the KvK database: organisations are listed with the blue KvK logo - in the above example: 3rdRisk B.V.

You can easily click on the provided entry, and the platform will auto-fill the specific details (see columns).

You can reset the search by clicking on the blue reset icon.

We strongly encourage organisations to avoid creating new organisations when an organisation is already known on the platform. This is primarily for the integration and efficiency between different platform accounts and the accuracy of the central database.

When an organisation is not yet known in the 3rdRisk platform and the KvK, you can easily create a new third-party record by clicking on:
[+ Add Organisation name as a new platform organisation.]

Status *  

Select the status of your third party:

  • Active
  • Inactive
  • Pre-contract
  • Suspended
Type *  

Select the type of this third-party for your organisation:

  • Vendor
  • Supplier
  • Service provider
  • Business Partner
  • Joint-venture
  • Alliance
  • Distributor
  • Reseller
  • Agent
  • Contractor
  • Other
Category  

To get a better understanding of the importance of and level of dependency on this third party, select one of the following categories:

Category types:

  • Strategic: These third parties provide services or products critical to the organisation. They are expected to have a limited number of competitors within your ecosystem, are considered SMEs in their field of expertise/operation, and the related contracts may have significant financial volumes. This group of third parties needs maximum attention.
  • Major: The related contracts of these third parties have large financial volumes, but the services or products they provide are considered more of a commodity. If their service or product fails, it will undoubtedly impact the organisation, but not on the same scale as a strategic third party. It is also expected that they can be easily replaced by another third party.
  • Niche: These third parties provide unique services or products for which alternative solutions are either not available or not considered an option for your organisation. The services/products they provide are valuable, but an alternative solution can be implemented when necessary.
  • Minor: All others. These third parties can be easily replaced with another third party providing such services, and the potential organisational impact in case of failure is considered low.
Address
Country * | X | X | The country where the organisation is located.
Street and number * | X | X | The official address (street and number) of the third party.
Apartment, suite, room etc. | X | X | Optional field to provide additional address information for the organisation.
City * | X | X | The city where the organisation is located.
Zipcode * | X | X | The zip code of the organisation.
State/Province/Region * | X | | The state/province/region where the organisation is located.
Website | X | | The website of the organisation. Please include https://

This field can be used to support external reputation and news services.
Contact details
Telephone number | X | | The telephone number of the organisation.
E-mail address | X | |
E-mail address for 3rdRisk assessments * | X | | A contact e-mail address associated with the organisation's internal compliance/risk/security department.
Details   
Location within the organisation *  

With the organisation model, you define the scope of this third-party:

You can select one or multiple elements/nodes in your organisation model. To deselect, select the element again.

Third-party manager  Select the colleague that is responsible for the third-party relationship with this organisation.

Only users with the role of third-party manager are listed.
Business owner  Select the colleague that is responsible for the business relationship with this organisation.

Only users with the roles of business manager or leadership are listed.
Risk officer *  Select the responsible risk officer for this organisation.

Only users with the roles of a risk manager or risk officer are listed.
Risk profile *  

Assign a risk profile to this third-party (critical / high / medium / low):

Risk profile criteria

Some questions you can take into consideration for defining the risk profile criteria:

1. Will their inability to deliver significantly impact your organisation?
2. Is critical data being shared?
3. Do they have connectivity to your systems/networks?
4. Do they have an essential role in your production process?
5. Are they involved in a highly regulated/compliance-driven process?
6. Are there certain local risks present, e.g. child labour?

Description  Free-format text box to provide some additional context of this organisation.
Tags  You can use the tags-functionality to assign your own specific/internal labels to a third-party record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all third parties that have VPN access to your network, you can add a tag named “VPN” to these records. At a later stage, you can quickly contact all third parties that have VPN access and send out specific assessments.

Use the tab key on your keyboard to add multiple tags.
External context   
BitSight  Based on the website URL you have entered above, you can use the BitSight search button to find the corresponding organisation. Upon clicking the search button, a new window appears in which you can select the organisation whose BitSight score you want to retrieve.

This field is only visible if you have BitSight activated on the Integrations page.
DUNS number  Enter the DUNS (Dun & Bradstreet) number. This is optional and can be used to search for a specific third party easily.
Cybersecurity score  Enter the cybersecurity score. E.g. from CyberSecurityScoreCard, BitSight or your TI supplier. This is optional.

Required field *

4. Click [Add third-party] to add the organisation to your catalogue.

OR

5. Click on the [^] - [Add the third party & register the first contract] to add the third party to your catalogue and directly add an associated contract.

Upload multiple third parties at once (mass upload)

To upload multiple third parties at once:

1. Navigate to: Left side menu: Third parties - Catalogue

2. Click on the [Import third-parties] button

3. Click on the [Download] third-parties import template link

4. Open the Excel template and populate the rows. You can use the options as stated in the table below.

Excel column | Explanation and values to select
ThirdPartyName * | The full legal name of the third-party
Status *

The current status of the third party:

  • Active
  • Inactive
  • Pre-contract
  • Suspended
Type *

Third-party type:

  • Vendor
  • Supplier
  • Service provider
  • Business Partner
  • Joint-venture
  • Alliance
  • Distributor
  • Reseller
  • Agent
  • Contractor
  • Other
Category

The importance of the third party for your organisation. Values to select:

  • Strategic
  • Major
  • Niche
  • Minor
AddressCountry | The country where the third party is located. Use the two-letter code from ISO 3166 (e.g. Netherlands = NL).
AddressStreetNumber | The street address and number of the third-party
AddressApartment | Additional but optional address options
AddressCity | City where the third party is located
AddressZipcode | Zipcode of the third-party
AddressState | State where the third party is located
AddressWebsite | Corporate website of the third-party
ContactTelephone | Telephone number of the third-party
ContactEmail | Business e-mail address
ContactEmailAssessments * | The third-party e-mail address that the platform will use to send the self-assessments
DetailsThirdPartyManager | Associated third-party manager. Provide the e-mail address of a registered user with the role of third-party manager on the platform.
DetailsBusinessOwner (*) | Associated Business manager. Provide the e-mail address of a registered user with the role(s) Leadership or Business manager on the platform.

This field is required if you select "Pending" in the RiskProfileScore (column R) or leave column R blank.
DetailsRiskOfficer * | Associated Risk officer. Provide the e-mail address of a registered user with the role(s) Risk officer or Risk manager on the platform.
RiskProfileScore

The associated risk profile of the third party:

  • Low
  • Medium
  • High
  • Critical
  • Pending (Virtual officer will request the business owner to fill it in)
DetailsDescription | Additional information on this third-party
DetailsTags | Add a tag to this third party. Can be used to filter within ecosystem view or search grouped third parties quickly.
DetailsDuns | Optional DUNS (Dun & Bradstreet) number
DetailsCybersecurityscore | External cybersecurity score. E.g. from CyberSecurityScoreCard, BitSight or your TI supplier.

Required field *

5. Click on the [Browse] button, select the populated Excel file and upload it to the platform

6. If you do not want to add a contract for each third party manually, you need to select "Add a default contract to every imported third party". If you select this option, you must add a default contract name. 

7. If you want to assign each third party to an organisational entity of your organisational model, you need to select "Change the position within the organisation of imported third parties". If you select this option, the organisation model appears, and you can drag and drop each third party to the respective entity.

8. Click on the [Import] button
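
A pre-upload check for the populated template, as an added example (not 3rdRisk code): it applies the required columns, allowed values, two-letter country code and the DetailsBusinessOwner rule from the table above. It assumes the sheet has been saved as CSV with headers equal to the column names without the asterisk; the sample rows are constructed.

```python
import csv
import io
import re

# Allowed values and required columns, taken from the import-template table.
ALLOWED = {
    "Status": {"Active", "Inactive", "Pre-contract", "Suspended"},
    "Type": {"Vendor", "Supplier", "Service provider", "Business Partner",
             "Joint-venture", "Alliance", "Distributor", "Reseller", "Agent",
             "Contractor", "Other"},
    "Category": {"Strategic", "Major", "Niche", "Minor"},
    "RiskProfileScore": {"Low", "Medium", "High", "Critical", "Pending"},
}
REQUIRED = ["ThirdPartyName", "Status", "Type", "ContactEmailAssessments",
            "DetailsRiskOfficer"]
EMAIL_COLUMNS = ["ContactEmail", "ContactEmailAssessments",
                 "DetailsThirdPartyManager", "DetailsBusinessOwner",
                 "DetailsRiskOfficer"]
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only

def validate_row(row):
    """Return a list of problems for one template row (empty list = OK)."""
    val = {k: v.strip() for k, v in row.items() if isinstance(v, str)}
    problems = [f"{c}: required" for c in REQUIRED if not val.get(c)]
    for col, allowed in ALLOWED.items():
        if val.get(col) and val[col] not in allowed:
            problems.append(f"{col}: '{val[col]}' is not an allowed value")
    # Checks the shape of the code only, not that the country code is assigned.
    country = val.get("AddressCountry", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("AddressCountry: expected two-letter ISO 3166 code")
    for col in EMAIL_COLUMNS:
        if val.get(col) and not EMAIL_SHAPE.match(val[col]):
            problems.append(f"{col}: not an e-mail address")
    # A business owner must be named when the risk profile is Pending or blank.
    pending = val.get("RiskProfileScore", "") in ("", "Pending")
    if pending and not val.get("DetailsBusinessOwner"):
        problems.append("DetailsBusinessOwner: required when "
                        "RiskProfileScore is Pending or blank")
    return problems

def validate_csv(text):
    """Map spreadsheet row number (header = row 1) to that row's problems."""
    rows = csv.DictReader(io.StringIO(text))
    checked = ((n, validate_row(r)) for n, r in enumerate(rows, start=2))
    return {n: p for n, p in checked if p}

# Constructed sample rows (not real third parties); only some columns shown.
SAMPLE = """ThirdPartyName,Status,Type,AddressCountry,ContactEmailAssessments,DetailsBusinessOwner,DetailsRiskOfficer,RiskProfileScore
Example Hosting B.V.,Active,Service provider,NL,security@hosting.example,,risk@corp.example,High
Example Logistics,Active,Carrier,Netherlands,grc@logistics.example,,risk@corp.example,Pending
"""

if __name__ == "__main__":
    for row_no, row_problems in validate_csv(SAMPLE).items():
        print(row_no, row_problems)
```
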

Update a third-party

To update a third party on the platform:

  1. Navigate to: Left side menu: Third parties - Catalogue
  2. Search for the applicable third-party you would like to update
  3. Click on the sub-menu in the 'Actions column' and click 'Edit third-party'
  4. Update the third-party record and click on [Edit third-party].

Remove a third-party (deactivate)

You cannot remove a third party from your catalogue; you can only deactivate it, for archiving and linking purposes. Caution: You can only deactivate the third party when no active contracts are associated in your contract catalogue. After deactivating, you will no longer be able to associate or link any contracts to this third party.

  1. Navigate to: Left side menu: Third parties - Catalogue
  2. Search for the applicable third party you would like to deactivate
  3. Click on the sub-menu in the 'Actions column' and click on [Edit third-party].
  4. Click on the red-coloured 'recycle bin'

View audit log

Data integrity is critical for your third-party catalogue. That is why the third-party management module comes with a protected audit log that registers all mutations in your third-party catalogue. It records:

  • Timestamp
  • Data adjustment (old value and new value)
  • The user account that was used for this update

None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.

To view the audit log of a change in your third-party catalogue:

  1. Navigate to: Left side menu: Third parties - Catalogue
  2. Search for the applicable third-party
  3. Click on the sub-menu in the 'Actions column' and click 'View audit log'

Known module limitations

  • The system will not yet inform you about upcoming contract end dates - this feature is on the roadmap.
  • There is no export function of the data from our platform to other sources such as Excel - this feature is on the roadmap.