User management

Our platform has various predefined user roles to ease your implementation efforts while accommodating different types of organisations. We have separate roles for the TPRM and Internal control module. These roles are generic and commonly used within most of today's organisations.

Standardised ecosystem (TPRM) platform roles

Within the 3rdRisk platform ecosystem module, you can assign the following roles:

| Role | Description |
| --- | --- |
| Administrator ecosystem * | The administrator ecosystem manages your 3rdRisk organisation profile and online environment. This role should be assigned to a limited number of colleagues. Administrators are commonly part of the buying group(s) of 3rdRisk. It does not have to be a colleague with a technical profile, but knowledge about risk & compliance processes is preferred. |
| Third-party manager * | The third-party manager manages the relationship with one or more third parties. These are commonly colleagues from procurement, strategic buying departments, and third-party teams. |
| Risk officer * | The risk officer performs (third-party) risk management & compliance activities. These are colleagues from ERM, Internal Control, Compliance, Cybersecurity, Privacy, Sustainability, and Quality. |
| Risk manager | The risk manager is responsible for the overall (third-party) risk management & compliance program. These are commonly the manager(s) of the involved risk officers. |
| Ecosystem reviewer | The ecosystem reviewer is an internal employee who performs reviews on executed assessments. Typically you assign this role to all risk officers. Still, this role can also be used for specific SMEs within your organisation that you might consult for reviewing third-party responses. Typical examples are legal counsels and architects. |
| External reviewer | The external reviewer is an external individual performing reviews on executed assessments. If you work with external SMEs (e.g. lawyers) or an external workforce to support you with reviewing your third-party risk assessments, you can assign them this limited role. |
| External auditor | The external auditor independently reviews and validates the (third-party) risk management program. This role can be used by both your internal and external auditors. Due to the independence and level of rights, this role should not be shared with other roles. |
| Business manager | The business manager is responsible for the business process or product provided by one or more third parties. These are commonly department managers and contract owners/delegates. |
| Leadership | Leadership is ultimately accountable for the organisation and associated third parties. These are commonly your board of management, entity directors, country directors, SVP - anyone that receives aggregated reporting and can be used for escalations. |


Minimum required roles to use the platform are marked with an *

Standardised internal control platform roles

Within the 3rdRisk platform internal control module, you can assign the following roles:

| Role | Description |
| --- | --- |
| Administrator internal control * | The administrator internal control manages your 3rdRisk organisation profile and online environment. This role should be assigned to a limited number of colleagues. Administrators are commonly part of the buying group(s) of 3rdRisk. It does not have to be a colleague with a technical profile, but knowledge about internal control processes is preferred. |
| Control executor - 1st line * | The control executor is an internal employee who can perform test activities on a control self assessment. The control executor can also create/modify risks and controls. These are commonly employees of a certain department in an organisation who can be either the control owner, tester or both. |
| Control validator - 2nd line * | The control validator is an internal employee who validates the performed test activities of the control executor. The control validator can also create/modify risks and controls and is able to initiate a control self assessment. These are commonly employees from controlling departments, risk officers, compliance officers and all other employees with a 2nd line function. |
| Internal auditor - 3rd line * | The control auditor is an internal employee who verifies the performed test activities and validation. The control auditor can also create/modify risks and controls, is able to initiate a control self assessment, plan assessments and can adjust frameworks. These are commonly employees from audit departments. |
| Internal control manager | The internal control manager is an internal employee with reading rights to all data (controls, risks, assessments etc.) and is able to initiate a control self assessment. |

Minimum required roles to use the platform are marked with an *

Minimum required roles

Based on your functionality needs and the size of your organisation, you always have the option to use only a selection of those roles. You can fully leverage the platform's potential with just four roles (marked with * in the table below).

Start simple
Do not try to onboard all your colleagues and have all different roles assigned on day 1. The best practice is to start with a limited set of users with a few roles to understand the platform entirely. You can always add more users and start using additional roles at a later stage.

Initial user

The initial user created during registration will, by default, receive all three essential roles (Administrator, Third-party manager, Risk officer). We have done this to make it easier for a single user to explore the entire platform.

Authorisation matrix

Per role, there are different access rights on the platform. A complete overview of the different roles and rights is defined in the 3rdRisk platform authorisation matrix.

3rdRisk authorisation matrix

Role conflicts

You can assign and combine multiple roles per user on the platform. The system will automatically use the most privileged role and add any additional rights derived from the other role(s). Please be aware that combining multiple user roles can lead to a rights conflict within your environment. Always double-check any role combinations that might lead to a conflict within your 3rdRisk environment.
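
Because rights accumulate across roles, a periodic review of role combinations is worth scripting. The following is an added example, not 3rdRisk code: it checks a user-to-roles mapping against the rule from the role table that the External auditor role should not be shared with other roles. The input format, the lines-of-defence conflict pairs and the administrator threshold are assumptions.

```python
from itertools import combinations

# Role names as they appear in the role tables on this page.
EXTERNAL_AUDITOR = "External auditor"
ADMIN_ROLES = {"Administrator ecosystem", "Administrator internal control"}

# Assumed local policy (not from the 3rdRisk authorisation matrix): pairs that
# let one person review their own work across the lines of defence.
ASSUMED_CONFLICTS = {
    frozenset({"Control executor - 1st line", "Control validator - 2nd line"}),
    frozenset({"Control executor - 1st line", "Internal auditor - 3rd line"}),
    frozenset({"Control validator - 2nd line", "Internal auditor - 3rd line"}),
}
MAX_ADMINS = 2  # assumed threshold for "a limited number of colleagues"


def review_assignments(users):
    """Return sorted (user, finding) tuples for a {user: set_of_roles} mapping."""
    findings = []
    for user, roles in users.items():
        # Page rule: the External auditor role should not be shared with other roles.
        if EXTERNAL_AUDITOR in roles and len(roles) > 1:
            others = ", ".join(sorted(roles - {EXTERNAL_AUDITOR}))
            findings.append((user, f"External auditor combined with: {others}"))
        # Rights are cumulative across roles, so every pair held together counts.
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in ASSUMED_CONFLICTS:
                findings.append((user, f"assumed conflict: {pair[0]} + {pair[1]}"))
    for admin_role in sorted(ADMIN_ROLES):
        holders = sorted(u for u, r in users.items() if admin_role in r)
        if len(holders) > MAX_ADMINS:
            findings.append(("*", f"{admin_role} held by {len(holders)} users"))
    return sorted(findings)


# Constructed sample data; a real review would use your own user list.
SAMPLE_USERS = {
    "alice@example.com": {"Administrator ecosystem", "Third-party manager", "Risk officer"},
    "bob@example.com": {"External auditor", "Ecosystem reviewer"},
    "carol@example.com": {"Control executor - 1st line", "Control validator - 2nd line"},
    "dave@example.com": {"External auditor"},
}

if __name__ == "__main__":
    for user, finding in review_assignments(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Findings under the user `*` apply to the organisation as a whole rather than to one account.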

Single Sign-on (SSO)

Within the 3rdRisk platform, you can easily connect your Azure AD or Okta setup. This provides an additional security layer and allows you to manage the user lifecycle efficiently.

Add a user

To add a new user to the platform:

1. Navigate to: Left side menu: Configuration - Users

2. Click on the invite button

3. Provide the account details:

| Field | Explanation |
| --- | --- |
| Name * | Full name (first + last names) of the colleague |
| E-mail * | Business e-mail address. |
| Job title * | Official internal job title(s) of the colleague. Can be multiple. |
| Job description | Optional internal field to provide some additional context to this colleague. This field does not have any functionality in the platform. |
| Role * | Assign one or more roles to this colleague. |

Required field *

4. The user receives an e-mail invitation to join the platform.

Update a user

See the known module limitations: as a temporary solution, please contact support@3rdRisk.com and let us know the desired change.

To update a user on the platform:

  1. Navigate to: Left side menu: Configuration - Users
  2. Select the applicable user you would like to update
  3. Update the account details
  4. Click on the Save button

Remove a user (deactivate)

The user will automatically be deactivated when using one of the supported single-sign-on solutions. Contact your local IT team for this kind of change.

Known module limitations

  • You cannot add your own organisation role. Please let us know at support@3rdrisk.com if you are missing a role and it would provide value to other customers.
  • It is not yet possible to update user accounts on the platform. Please contact Support@3rdRisk.com for any account updates. This change is on the roadmap and will be launched soon.