With the increasing dependence on third parties, every organisation should have a complete and consolidated overview of the parties they engage with.
The 3rdRisk third-party catalogue is a central repository that you can use to register all your third parties quickly. Per third-party, you can register different contracts, segment them on different risk profiles, assign ownership, and keep track of risk & compliance events during the time that you do business with them.
With the 3rdRisk platform, you can manage all your third parties in one module. You no longer need a separate risk/GRC solution for that.
The following graphic provides a conceptual overview of the integrated 3rdRisk third-party management module, which consists of:
This module is tightly integrated with the other platform modules:
First, an organisation need to identify the different third parties within your organisation. A third party can be a:
In most organisations, the procurement department has the most reliable and complete overview of third parties. Although their overview does not commonly contain all third parties, it will give you a good head start for the initial input.
Although most organisations have thousands of third parties, start with a limited set and first get a complete understanding of the platform. A good practice is to start with your 10-20 most critical third parties. You can always add and update the number of third parties at a later stage.
After you have (partly) identified all your third parties, you can easily register them in the 3rdRisk platform.
Within the third-party catalogue, you can:
Generic address details are saved in the third-party record. If you have selected a known third-party on the platform (1.) or from the KvK (2.), the system will provide these details and keep automatically up-to-date.
The contact details are essential for the assessment module; in this section, you can specify a specific e-mail address for sending 3rdRisk assessments to the third party. This can be, e.g. the mailbox of a security team, account management or legal.
E-mail for 3rdRisk assessments
For efficiency reasons, it is advisable to ask upfront the e-mail preference of the third party for receiving 3rdRisk assessments.
The organisation model is also used to define the scope of a third party within your organisation.
Third-party risk profile
Once you have established a (complete) inventory of the various third parties, you can segment them by risk level. An effective segmentation will help you determine how to utilise your third-party risk management activities strategically.
The screening process to define the risk profile needs to be well-defined and should provide input on the criticality of the third-party relationship. You can include the type of business, dependency, accessibility of sensitive information, critical VPN/remote network access, compliance requirements, business continuity, spend size and legal as factors on which a third party can be assessed.
Rules-based risk profile
The platform comes with a simple system of critical-, high-, medium-, and low-risk categories, which is already helpful for most organisations. You can also follow a score-based approach whereby you conduct due diligence across different dimensions and use the results to develop a composite risk score. Although very thorough, this approach can be cumbersome and resource-intensive for many organisations. With the rules-based approach, you identify specific rules or criteria for each segment and thereby streamline the process of assigning suppliers to risk categories. This approach is about 50-60 per cent faster than the score-based one.
Within the contract module, you can easily register and associate one or more contracts to a third-party record.
IMPORTANT: Assessments are based on contracts.
Unlike some of our competitors, you perform assessments within 3rdRisk on one or more contracts of third parties, not a third party itself. The reasoning for this is that there can be a significant difference between one or more agreements, including different risk profiles, applicable (local) requirements and involved internal & external contact persons. But you can still assess all contracts of one third party with one assessment.
During the lifecycle of a third party, you can monitor the third parties in scope by:
The platform provides advanced and dynamic dashboard- & reporting capabilities which will give you continuous and real-time insights into your third-party landscape.
To add a new third party to the platform:
|The organisation is known on 3rdRisk platform
|The organisation is registered at the KvK
Name of the third party.
If the organisation is already known:
On the 3rdRisk platform: organisations are listed with the green 3rdRisk logo - in the above example: 3rdRisk Solutions B.V.
On the KvK database: organisations are listed with the blue KvK logo - in the above example: 3rdRisk B.V.
You can easily click on the provided entry, and the platform will auto-fill the specific details (see columns).
Select the status of your third party:
Select the type of this third-party for your organisation:
To have a better understanding of the importance and level of dependency on this third-party select one of the following categories:
|The country where the organisation is located.
|Street and number *
|The official address, street, and a number of the third party.
|Apartment, suite, room etc.
|Optional field to provide some additional address information of the organisation.
|The city where the organisation is located.
|The zip code of the organisation.
|The state/province/region where the organisation is located.
|The website of the organisation. Please include https://
This field can be used to support external reputation and news services.
|The telephone number of the organisation.
|E-mail address for 3rdRisk assessments *
|A contact e-mail address is associated with the organisation's internal compliance/risk/security department.
|Location within the organisation *
With the organisation model, you define the scope of this third-party:
You can select one or multiple elements/nodes in your organisation model. To deselect, select the element again.
|Select the colleague that is responsible for the third-party relationship with this organisation.
Only users with the role of third-party manager are listed.
|Select the colleague that is responsible for the business relationship with this organisation.
Only users with the roles of business manager or leadership are listed.
|Risk officer *
|Select the responsible risk officer for this organisation.
Only users with the roles of a risk manager or risk officer are listed.
|Risk profile *
Assign a risk profile to this third-party (critical / high / medium / low):
Risk profile criteria
Some questions you can take into consideration for defining the risk profile criteria:
1. Will their inability to deliver significantly impact your organisation?
|Free-format text box to provide some additional context of this organisation.
|You can use the tags-functionality to assign your own specific/internal labels to a third-party record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all third parties that have VPN access to your network, you can add a tag named “VPN” to these records. At a later stage, you can quickly contact all third parties that have VPN access and send out specific assessments.
Use the tab key on your keyboard to add multiple tags.
|Based on the website URL you have entered above, you can use the BitSight search button to find the corresponding organisation. Upon clicking the search button, a new window appears in which you can select the organisation you want to retrieve the BitSight score.
This field is only visible if you have BitSight activated on the Integrations page.
|Enter the DUNS ( Dun & Bradstreet) number. This is optional and can be used to search for a specific third party easily.
|Enter the cybersecurity score. E.g. from CyberSecurityScoreCard, BitSight or your TI supplier. This is optional.
Required field *
4. Click [Add third-party] to add the organisation to your catalogue.
5. Click on the [^] - [Add the third party & register the first contract] to add the third party to your catalogue and directly add an associated contract.
To upload multiple third parties at once:
1. Navigate to: Left side menu: Third parties - Catalogue
2. Click on the [Import third-parties] button
3. Click on the [Download] third-parties import template link
4. Open the Excel template and populate the rows. You can use the options as stated in the table below.
|Explanation and values to select
|The full legal name of the third-party
The current status of the third party:
The importance of the third party for your organisation. Values to select:
|The country where the third party is located. Use two-letter code from ISO 3166 (e.g. Netherlands = NL).
|The street address and number of the third-party
|Additional but optional address options
|City where the third party is located
|Zipcode of the third-party
|State where the third party is located
|Corporate website of the third-party
|Telephone number of the third-party
|Business e-mail address
|The third-party e-mail address that the platform will use to send the self-assessments
|Associated third-party manager. Provide the e-mail address of a registered user with the role(s) of the third-party manager on the platform.
|Associated Business manager. Provide the e-mail address of a registered user with the role(s) Leadership or Business manager on the platform.
This field is required if you select "Pending" in the RiskProfileScore (column R) or leave column R blank.
|Associated Risk officer. Provide the e-mail address of a registered user with the role(s) Risk officer or Risk manager on the platform.
The associated risk profile of the third party:
|Additional information on this third-party
|Add a tag to this third party. Can be used to filter within ecosystem view or search grouped third parties quickly.
|Optional DUNS ( Dun & Bradstreet) number
|External cybersecurity score. E.g. from CyberSecurityScoreCard, BitSight or your TI supplier.
Required field *
5. Click on the [Browse] button, select the populated Excel file and upload it to the platform
6. If you do not want to add a contract for each third party manually, you need to select "Add a default contract to every imported third party". If you select this option, you must add a default contract name.
7. If you want to assign each third party to an organisational entity of your organisational model, you need to select "Change the position within the organisation of imported third parties". If you select this open, the organisation model appears, and you can drag and drop each third party to the respective entity.
8. Click on the [Import] button
To update a third party on the platform:
You cannot remove but only deactivate the third party in your catalogue for archiving and linking purposes. Caution: You can only deactivate the third party when no active contracts are associated in your contract catalogue. After deactivating, you will no longer be able to associate or link any contracts to this third party.
Data integrity is critical for your third-party catalogue; that is why the third-party management module comes with a protected audit log that registers all mutations in your third-party catalogue; it records:
None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
To view the audit log of a change in your third-party catalogue: